# Resigning of CAcert class3 certificate

## Rationale

The certificate with Subject "O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root" expires on May 20th 2021. A new version needs to be signed by the CAcert root CA before the expiry date.

It would be a good idea to perform the signing a few months before the expiry date to have enough time to update the fingerprints and download files in advance.

## Original certificate

The original certificate has the following parameters:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
        Validity
            Not Before: May 23 17:48:02 2011 GMT
            Not After : May 20 17:48:02 2021 GMT
        Subject: O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
                    dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
                    89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
                    24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
                    c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
                    51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
                    8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
                    29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
                    65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
                    ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
                    97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
                    cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
                    85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
                    35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
                    4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
                    0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
                    2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
                    27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
                    5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
                    cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
                    36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
                    d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
                    40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
                    e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
                    df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
                    2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
                    4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
                    ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
                    00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
                    25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
                    c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
                    99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
                    8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
                    74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
                    05:fb:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.18506
                  CPS: http://www.CAcert.org/index.php?id=10

            Netscape CA Policy Url:
                http://www.CAcert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE, go to http://www.CAcert.org
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1

    Signature Algorithm: sha256WithRSAEncryption
         5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a:
         a9:f3:54:e4:40:18:3f:4a:cb:43:c6:9b:76:09:e6:ca:54:a7:
         8c:94:0b:92:68:d6:59:bb:17:97:7b:69:ea:ad:d4:4c:e1:29:
         5b:28:15:8f:dd:19:f4:95:59:27:97:18:db:8f:09:b9:7d:78:
         7a:c8:b0:42:56:b5:ea:eb:5e:b1:26:d0:97:13:be:05:1c:86:
         e1:34:05:15:b1:06:bd:da:3c:d0:13:63:84:6d:35:94:d0:3e:
         99:82:18:a1:fa:3f:9c:37:47:85:8a:e0:ee:73:78:82:d4:6b:
         99:31:bf:d9:c3:6d:40:5d:b9:15:c7:36:78:8a:96:8b:d1:84:
         20:b1:2b:75:3f:6d:a2:a5:be:bd:e8:e2:e4:ad:44:5c:b6:06:
         36:70:74:b8:a4:8e:b6:56:94:60:93:02:7f:2f:0d:a7:f8:2f:
         6f:b6:e9:28:cc:c8:6b:94:f4:93:03:43:a1:34:41:a2:1a:9d:
         a1:46:95:9a:86:21:be:1c:67:08:61:f0:15:f6:fe:e8:83:77:
         4e:f5:39:d2:d1:70:db:6e:4d:51:a9:73:e9:73:f0:ed:ac:95:
         b3:99:93:74:3b:82:88:c7:43:ad:2c:92:56:1b:dc:e9:f4:9a:
         c9:c8:ee:94:48:81:58:81:aa:f4:53:c1:c7:1e:84:dc:72:d8:
         7e:f2:f2:62:af:3e:c0:c3:80:e5:0a:e8:e8:db:b3:a8:22:4b:
         20:dc:ec:e0:5f:f0:e4:bd:66:25:d0:9f:04:32:55:e8:1f:48:
         93:bf:7a:9c:ae:84:08:b4:e5:05:b2:08:a5:6e:34:5b:6b:ce:
         90:e6:42:e1:9c:2c:63:75:6d:82:6d:b3:52:a7:cb:e5:66:7d:
         2e:17:17:7c:b2:9c:50:71:7b:34:08:89:f5:f6:eb:dc:40:8a:
         38:67:8b:90:fb:4d:0b:83:dc:48:f5:81:55:f5:2d:8c:6d:26:
         a7:94:d5:25:bd:b0:78:52:f1:e4:7a:5d:29:e9:b1:ad:02:6a:
         75:74:90:52:91:93:85:9b:46:7a:7a:4f:86:ef:0e:d1:d5:a4:
         e2:7e:31:89:ad:dc:34:df:63:be:54:82:b0:0a:0b:bc:0d:db:
         24:47:4c:34:07:af:32:75:99:f4:01:39:cc:9e:be:44:c6:f7:
         16:91:90:6d:0a:04:1a:d8:db:d2:2a:b7:10:9e:56:aa:a3:d8:
         9c:10:5e:17:7a:f2:3f:55:37:b3:95:bd:4b:8d:83:16:1d:57:
         79:47:a0:b6:a7:8c:13:c9:50:48:33:c8:63:ac:b7:0a:88:28:
         45:e3:71:91:26:d9:de:ef
```

```
-----BEGIN CERTIFICATE-----
MIIG0jCCBLqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
Y2FjZXJ0Lm9yZzAeFw0xMTA1MjMxNzQ4MDJaFw0yMTA1MjAxNzQ4MDJaMFQxFDAS
BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v
cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9
4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB
Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J
0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ
FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx
bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q
SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb
6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV
m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g
eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG
kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7
6QIDAQABo4IBiDCCAYQwHQYDVR0OBBYEFHWocWBMiBPweNmJd7VtxYnfvLF6MA8G
A1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMGCCsGAQUFBzABhhdodHRw
Oi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYcaHR0cDovL3d3dy5DQWNl
cnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUH
AgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwNAYJYIZI
AYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAw
UAYJYIZIAYb4QgENBEMWQVRvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3Ig
RlJFRSwgZ28gdG8gaHR0cDovL3d3dy5DQWNlcnQub3JnMB8GA1UdIwQYMBaAFBa1
MhvUx/Pg5o7zvdKwOu6yORjRMA0GCSqGSIb3DQEBCwUAA4ICAQBakBbQNiNWZJWJ
vI+spCDJJoqp81TkQBg/SstDxpt2CebKVKeMlAuSaNZZuxeXe2nqrdRM4SlbKBWP
3Rn0lVknlxjbjwm5fXh6yLBCVrXq616xJtCXE74FHIbhNAUVsQa92jzQE2OEbTWU
0D6Zghih+j+cN0eFiuDuc3iC1GuZMb/Zw21AXbkVxzZ4ipaL0YQgsSt1P22ipb69
6OLkrURctgY2cHS4pI62VpRgkwJ/Lw2n+C9vtukozMhrlPSTA0OhNEGiGp2hRpWa
hiG+HGcIYfAV9v7og3dO9TnS0XDbbk1RqXPpc/DtrJWzmZN0O4KIx0OtLJJWG9zp
9JrJyO6USIFYgar0U8HHHoTccth+8vJirz7Aw4DlCujo27OoIksg3OzgX/DkvWYl
0J8EMlXoH0iTv3qcroQItOUFsgilbjRba86Q5kLhnCxjdW2CbbNSp8vlZn0uFxd8
spxQcXs0CIn19uvcQIo4Z4uQ+00Lg9xI9YFV9S2MbSanlNUlvbB4UvHkel0p6bGt
Amp1dJBSkZOFm0Z6ek+G7w7R1aTifjGJrdw032O+VIKwCgu8DdskR0w0B68ydZn0
ATnMnr5ExvcWkZBtCgQa2NvSKrcQnlaqo9icEF4XevI/VTezlb1LjYMWHVd5R6C2
p4wTyVBIM8hjrLcKiChF43GRJtne7w==
-----END CERTIFICATE-----
```

## Process

The signer has openssl 0.9.8o-4squeeze11 installed. The re-signing procedure needs to be compatible with that version of openssl.

1. Put the content of this repository on a removable device (e.g. a USB disk mounted at `/mnt/usbdisk` on your workstation):

   ```
   cp README.md sign_class3_ca.cnf /mnt/usbdisk/resign_class3_2021
   ```

2. Back up the original class 3 certificate:

   ```
   tar cf /etc/ssl/backup-$(date +%Y%m%d-%H%M%S).tar -C /etc/ssl \
       class3/cacert.crt
   ```

3. Copy [sign_class3_ca.cnf](sign_class3_ca.cnf) to the signer's `/etc/ssl` directory (from the USB disk mounted at `/mnt/usbdisk`):

   ```
   cp /mnt/usbdisk/resign_class3_2021/sign_class3_ca.cnf /etc/ssl/
   ```

4. Generate a CSR from the existing certificate with the existing private key. This is important to keep the encoding of the Subject DN intact.

   ```
   cd /etc/ssl
   openssl x509 \
       -x509toreq \
       -signkey class3/cacert.pem \
       -in class3/cacert.crt \
       -out class3/cacert.req
   ```

5. Sign a new certificate with the Root CA key, using the configuration file for openssl:

   ```
   cd /etc/ssl
   openssl ca \
       -config sign_class3_ca.cnf \
       -in class3/cacert.req \
       -out class3/cacert_2021.crt
   ```

6. Verify that the new certificate in `class3/cacert_2021.crt` is sufficiently similar to the original certificate:

   ```
   cd /etc/ssl
   diff -urw <(openssl x509 -in class3/cacert.crt -noout -text) \
             <(openssl x509 -in class3/cacert_2021.crt -noout -text) | \
       less
   ```

   The following fields MUST have changed:

   * Serial Number
   * Validity fields
     * Not Before
     * Not After
   * Signature value

   All other fields MUST NOT have changed.

7. Copy the new certificate to a backup medium (USB flash drive/disk) to make it available for later rollout. The `class3/` path is preserved so that the commands below find the file:

   ```
   tar cf - -C /etc/ssl class3/cacert_2021.crt | \
       tar xf - -C /mnt/usbdisk/resign_class3_2021
   ```

## Prepare deployment of the new certificate

The deployment requires changes in several places. The certificate is required in several forms:

```
cd /mnt/usbdisk/resign_class3_2021
openssl x509 -in class3/cacert_2021.crt -outform der -out class3_2021.der
openssl x509 -in class3/cacert_2021.crt -text -out class3_2021.txt
```

as well as the fingerprints:

```
cd /mnt/usbdisk/resign_class3_2021
for md in sha1 sha256 sha384 sha512; do
    openssl x509 -fingerprint -in class3/cacert_2021.crt -$md -noout
done > class3_fingerprints.txt
```

## Deployment of the new certificate

The deployment of the new certificate requires a visit to the data center to switch the existing certificate on the signer for the new one. All changes to the software, download locations and the signer should be performed in a single downtime.
Move the new certificate to its target position on the signer:

```
cd /etc/ssl
mv class3/cacert_2021.crt class3/cacert.crt
```

The various certificate forms as well as the fingerprints need to be deployed on at least the following systems:

- webdb (used in various places, including `www/certs` in the document root directory as well as in email and page templates)
- cats (used for client certificate authentication)
- other infrastructure hosts

Changes to other artifacts (e.g. installers and operating system packages) need to be coordinated with the responsible teams/communities.
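The verification step in the process above leaves it to the reader of `diff -urw` to decide whether only the permitted fields (Serial Number, Not Before, Not After, signature value) changed. The script below is an added example, not part of this repository: it takes two `openssl x509 -noout -text` dumps (original and re-signed certificate), strips exactly those fields, and requires the rest to be identical, so the check can be run unattended on the signer and fails loudly on an unexpected change such as a different Subject DN or a missing extension. The function and file names, and the abbreviated sample dumps written by `write_sample_dumps`, are constructed for this example; the "old" values in the sample are the ones printed above for the current certificate.

```sh
#!/bin/sh
# Added example, not part of the CAcert repository: automated version of the
# "diff -urw" check. Usage on the signer:
#   openssl x509 -in class3/cacert.crt      -noout -text > old.txt
#   openssl x509 -in class3/cacert_2021.crt -noout -text > new.txt
#   sh check_resigned.sh old.txt new.txt

# Print a dump without the fields that are allowed to change.
strip_volatile() {
    awk '
        # The trailing signature block is indented by 4 spaces; the
        # "Signature Algorithm" line inside "Data:" is indented by 8 and kept.
        /^    Signature Algorithm:/ || /^    Signature Value:/ { exit }
        # A long serial number is printed on the following line: skip it too.
        /^        Serial Number:/ { if ($0 ~ /Serial Number:$/) getline; next }
        /^            Not (Before|After)/ { next }
        { print }
    ' "$1"
}

# Extract the fields that MUST differ between the old and the new certificate.
serial_of()  { awk '/^        Serial Number:/ { if ($0 ~ /Serial Number:$/) { getline; print $1 } else { print $3 }; exit }' "$1"; }
not_before() { sed -n 's/^ *Not Before: *//p' "$1"; }
not_after()  { sed -n 's/^ *Not After *: *//p' "$1"; }

# check_resigned_dump OLD.txt NEW.txt: exit status 0 only if the re-signed
# certificate differs from the original in nothing but the permitted fields.
check_resigned_dump() {
    old=$1; new=$2
    [ "$(serial_of "$old")" != "$(serial_of "$new")" ] || { echo "FAIL: Serial Number did not change"; return 1; }
    [ "$(not_before "$old")" != "$(not_before "$new")" ] || { echo "FAIL: Not Before did not change"; return 1; }
    [ "$(not_after "$old")" != "$(not_after "$new")" ] || { echo "FAIL: Not After did not change"; return 1; }
    tmp=$(mktemp -d) || return 1
    strip_volatile "$old" > "$tmp/old.stable"
    strip_volatile "$new" > "$tmp/new.stable"
    if diff -u "$tmp/old.stable" "$tmp/new.stable"; then
        rm -rf "$tmp"; echo "OK: only Serial Number, Validity and Signature changed"; return 0
    fi
    rm -rf "$tmp"; echo "FAIL: a field outside Serial Number/Validity/Signature changed"; return 1
}

# Constructed, abbreviated dumps for trying the check without a signer:
# old.txt mirrors the current certificate, new.txt a correct re-signing,
# bad.txt a re-signing whose Subject DN changed (which MUST NOT happen).
write_sample_dumps() {
    cat > "$1/old.txt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
        Validity
            Not Before: May 23 17:48:02 2011 GMT
            Not After : May 20 17:48:02 2021 GMT
        Subject: O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a
EOF
    # New serial, new validity and a different (made-up) signature value.
    sed -e 's/Serial Number: 14 (0xe)/Serial Number: 15 (0xf)/' \
        -e 's/Not Before: May 23 17:48:02 2011/Not Before: Jan 15 10:00:00 2021/' \
        -e 's/Not After : May 20 17:48:02 2021/Not After : Jan 12 10:00:00 2031/' \
        -e 's/^         5a:90:.*/         7c:1d:e0:4b:02:aa:5e:91:33:d4:8f:b0:16:c7:29:5a:e3:0d/' \
        "$1/old.txt" > "$1/new.txt"
    sed 's/CN = CAcert Class 3 Root/CN = CAcert Class 3 Root CA/' "$1/new.txt" > "$1/bad.txt"
}

# When invoked with two dump files, run the check on them.
if [ $# -eq 2 ]; then
    check_resigned_dump "$1" "$2"
fi
```

The stripping relies on the indentation of the `openssl x509 -text` output (4 spaces before the trailing signature block, 8 before the serial, 12 before the validity dates), which is the same for 0.9.8 and current releases; the `Signature Value:` label is only there for newer versions. Everything else in the dump, including the modulus, the Subject Key Identifier and every extension, is compared byte for byte, so an extension that `openssl ca` silently dropped or added through the configuration file shows up in the `diff` output.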