CAcert and SSL Server certificates

Roman Valls Guimerà bio photo By Roman Valls Guimerà Comment

I’ve recently changed my ssl certificates to fix some problems regarding subdomain handling. As firefox and other browsers complained:

You have attempted to establish a connection with “blogs.nopcode.org”. However the security certificate presented belongs to “nopcode.org” (…)

My SSL certificates are not self-signed, I use a CA known as CAcert instead. This is one of their a logos:

cacert logo

I’ve joined that CA six months ago and I’m really happy with it. I’ve learnt lots of issues about SSL, certificate generation, CA’s, security devices, trust policies, server configurations, code signing, etc…

If you want to know more about certificates, check cacert’s wiki, there’s a lot of interesting stuff there, including how to join CAcert’s WoT ;-)

Next I’m gonna explain how easy it was to generate a certificate for my main domain and subdomains: I’ve simply used a helper perl script to generate a CSR and a private key. Then, I’ve sent that CSR to CAcert, and they sent back to me my server certificate. Then, with a certificate signed by CAcert, and my private key file, I’m now able to secure my services (imap, smtp, www and jabber).

The script execution went like this:

# ./subjectAltname.pl
Generate SSL Cert stuff for SAPI
FQDN/Keyname for Cert (ie www.example.com)              :nopcode.org
Alt Names (ie www1.example.com or <return> for none)                    :blogs.nopcode.org
Alt Names (ie www1.example.com or </return><return> for none)                    :www.nopcode.org
Alt Names (ie www1.example.com or </return><return> for none)                    :ftp.nopcode.org
(... more sub-domains ...)
Alt Names (ie www1.example.com or </return><return> for none)                    :voip.nopcode.org
Alt Names (ie www1.example.com or </return><return> for none)                    :
Host short name (ie imap big_srv etc)                           :nopcode

Attempting openssl...
Generating a 2048 bit RSA private key
..+++
...................+++
writing new private key to '/somewhere/privatekey.pem'
-----

writing csr to /somewhere/csr.pem...

Take the contents of /somewhere/csr.pem and go submit them to receive an SSL ID.  When you receive your public 
key back, you 'should' name it something like 'something.pem'.
</return>

If you just want to issue a certificate for one single TLD (instead of using subjectAltName SSL attribute for subdomains), you only have to write:

# openssl req -nodes -new -keyout private.key -out server.csr

EDIT: There is a strong reason against using self-signed certificates.

comments powered by Disqus