View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001499 | Main CAcert Website | certificate issuing | public | 2020-12-25 08:55 | 2023-07-09 14:32 |
| Reporter | jandd | Assigned To | Ted | ||
| Priority | normal | Severity | feature | Reproducibility | N/A |
| Status | closed | Resolution | fixed | ||
| Platform | Main CAcert Website | OS | N/A | OS Version | stable |
| Summary | 0001499: Resign class3 CA certificate before May 2021 | ||||
| Description | The current class3 CA certificate expires in May 2021. It should be renewed before expiry. | ||||
| Additional Information | Instructions for renewal and a matching OpenSSL configuration file are attached to this ticket. Additional issues should be filed for adapting WebDB, mail templates, marketing material, monitoring and other places. The signer has openssl 0.9.8o and tests should be performed using an equally old version. | ||||
| Tags | certificates, signer | ||||
| Attached Files | README.md (11,968 bytes) |

# Resigning of CAcert class3 certificate
## Rationale
The certificate with Subject "O=CAcert Inc., OU=http://www.CAcert.org,
CN=CAcert Class 3 Root" expires on May 20th 2021. A new version needs to be
signed by the CAcert root CA before the expiry date. It would be a good idea to
perform the signing a few months before the expiry date to have enough time to
update the fingerprints and download files in advance.
## Original certificate
The original certificate has the following parameters:
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14 (0xe)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
Validity
Not Before: May 23 17:48:02 2011 GMT
Not After : May 20 17:48:02 2021 GMT
Subject: O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
05:fb:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
X509v3 Basic Constraints: critical
CA:TRUE
Authority Information Access:
OCSP - URI:http://ocsp.CAcert.org/
CA Issuers - URI:http://www.CAcert.org/ca.crt
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.18506
CPS: http://www.CAcert.org/index.php?id=10
Netscape CA Policy Url:
http://www.CAcert.org/index.php?id=10
Netscape Comment:
To get your own certificate for FREE, go to http://www.CAcert.org
X509v3 Authority Key Identifier:
keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
Signature Algorithm: sha256WithRSAEncryption
5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a:
a9:f3:54:e4:40:18:3f:4a:cb:43:c6:9b:76:09:e6:ca:54:a7:
8c:94:0b:92:68:d6:59:bb:17:97:7b:69:ea:ad:d4:4c:e1:29:
5b:28:15:8f:dd:19:f4:95:59:27:97:18:db:8f:09:b9:7d:78:
7a:c8:b0:42:56:b5:ea:eb:5e:b1:26:d0:97:13:be:05:1c:86:
e1:34:05:15:b1:06:bd:da:3c:d0:13:63:84:6d:35:94:d0:3e:
99:82:18:a1:fa:3f:9c:37:47:85:8a:e0:ee:73:78:82:d4:6b:
99:31:bf:d9:c3:6d:40:5d:b9:15:c7:36:78:8a:96:8b:d1:84:
20:b1:2b:75:3f:6d:a2:a5:be:bd:e8:e2:e4:ad:44:5c:b6:06:
36:70:74:b8:a4:8e:b6:56:94:60:93:02:7f:2f:0d:a7:f8:2f:
6f:b6:e9:28:cc:c8:6b:94:f4:93:03:43:a1:34:41:a2:1a:9d:
a1:46:95:9a:86:21:be:1c:67:08:61:f0:15:f6:fe:e8:83:77:
4e:f5:39:d2:d1:70:db:6e:4d:51:a9:73:e9:73:f0:ed:ac:95:
b3:99:93:74:3b:82:88:c7:43:ad:2c:92:56:1b:dc:e9:f4:9a:
c9:c8:ee:94:48:81:58:81:aa:f4:53:c1:c7:1e:84:dc:72:d8:
7e:f2:f2:62:af:3e:c0:c3:80:e5:0a:e8:e8:db:b3:a8:22:4b:
20:dc:ec:e0:5f:f0:e4:bd:66:25:d0:9f:04:32:55:e8:1f:48:
93:bf:7a:9c:ae:84:08:b4:e5:05:b2:08:a5:6e:34:5b:6b:ce:
90:e6:42:e1:9c:2c:63:75:6d:82:6d:b3:52:a7:cb:e5:66:7d:
2e:17:17:7c:b2:9c:50:71:7b:34:08:89:f5:f6:eb:dc:40:8a:
38:67:8b:90:fb:4d:0b:83:dc:48:f5:81:55:f5:2d:8c:6d:26:
a7:94:d5:25:bd:b0:78:52:f1:e4:7a:5d:29:e9:b1:ad:02:6a:
75:74:90:52:91:93:85:9b:46:7a:7a:4f:86:ef:0e:d1:d5:a4:
e2:7e:31:89:ad:dc:34:df:63:be:54:82:b0:0a:0b:bc:0d:db:
24:47:4c:34:07:af:32:75:99:f4:01:39:cc:9e:be:44:c6:f7:
16:91:90:6d:0a:04:1a:d8:db:d2:2a:b7:10:9e:56:aa:a3:d8:
9c:10:5e:17:7a:f2:3f:55:37:b3:95:bd:4b:8d:83:16:1d:57:
79:47:a0:b6:a7:8c:13:c9:50:48:33:c8:63:ac:b7:0a:88:28:
45:e3:71:91:26:d9:de:ef
```
```
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
## Process
The signer has openssl 0.9.8o-4squeeze11 installed. The re-signing procedure
needs to be compatible with that version of openssl.
1. Put the content of this repository on a removable device (e.g. a USB disk
mounted at `/mnt/usbdisk` on your workstation):
```
mkdir -p /mnt/usbdisk/resign_class3_2021
cp README.md sign_class3_ca.cnf /mnt/usbdisk/resign_class3_2021/
```
2. Back up the original class 3 certificate:
```
tar cf /etc/ssl/backup-$(date +%Y%m%d-%H%M%S).tar -C /etc/ssl \
class3/cacert.crt
```
3. Copy [sign_class3_ca.cnf](sign_class3_ca.cnf) to the signer's `/etc/ssl`
directory (from the USB disk mounted at `/mnt/usbdisk`):
```
cp /mnt/usbdisk/resign_class3_2021/sign_class3_ca.cnf /etc/ssl/
```
4. Generate a CSR from the existing certificate, signed with the existing class 3
private key. This is important to keep the encoding of the Subject DN intact:
```
cd /etc/ssl
openssl x509 \
-x509toreq \
-signkey class3/cacert.pem \
-in class3/cacert.crt \
-out class3/cacert.req
```
5. Sign a new certificate with the Root CA key, using the configuration file
copied in step 3:
```
cd /etc/ssl
openssl ca \
-config sign_class3_ca.cnf \
-in class3/cacert.req \
-out class3/cacert_2021.crt
```
6. Verify that the new certificate in `class3/cacert_2021.crt` is sufficiently
similar to the original certificate:
```
cd /etc/ssl
diff -urw <(openssl x509 -in class3/cacert.crt -noout -text) \
<(openssl x509 -in class3/cacert_2021.crt -noout -text) | \
less
```
The following fields MUST have changed:
* Serial Number
* Validity fields
  * Not Before
  * Not After
* Signature value
All other fields MUST NOT have changed.
7. Copy the new certificate to a backup medium (USB flash drive/disk) to make
it available for later rollout:
```
mkdir -p /mnt/usbdisk/resign_class3_2021/class3
cp /etc/ssl/class3/cacert_2021.crt /mnt/usbdisk/resign_class3_2021/class3/
```
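The ticket's test instructions ask for the procedure to be rehearsed on a test system. The script below is an added example, not part of the attached README or of CAcert's own tooling: it rehearses the CSR, signing and verification steps on a throwaway root and class 3 key pair, and turns the "only serial, validity and signature may change" rule into a `check_resigned_pair` function that can also be pointed at the real `class3/cacert.crt` and `class3/cacert_2021.crt`. It assumes an `openssl` binary and `mktemp -d` on the PATH and was written against a current OpenSSL; the option spellings are the ones the README uses, but check them on the 0.9.8o signer before relying on them there. The DNs, the serial `0E`, the `nsComment` text and the `[req]`/`root_dn`/`root_ext` sections are constructed for the rehearsal; the `[CA_root]`, policy and `sub_ca_ext` sections mirror the attached `sign_class3_ca.cnf`.

```shell
#!/bin/sh
# Rehearsal of the README's CSR, signing and verification steps on throwaway
# keys (added example, not the ticket's scripts). Assumes openssl in PATH.
set -eu

# Everything a re-signing must NOT change: subject, issuer, public key and the
# X509v3 extension block. Serial, validity and signature are deliberately left out.
stable_view() {
    openssl x509 -in "$1" -noout -subject -issuer -pubkey
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 extensions:/ {f=1; next} /Signature Algorithm:/ {f=0} f'
}

# Step-6 check, usable on the real files too: prints "ok" only if the re-signed
# cert ($2) differs from the original ($1) in serial and validity but nothing else.
check_resigned_pair() {
    [ "$(stable_view "$1")" = "$(stable_view "$2")" ] ||
        { echo "MISMATCH: subject, issuer, key or extensions differ"; return 1; }
    [ "$(openssl x509 -in "$1" -noout -serial)" != "$(openssl x509 -in "$2" -noout -serial)" ] ||
        { echo "MISMATCH: serial number unchanged"; return 1; }
    [ "$(openssl x509 -in "$1" -noout -dates)" != "$(openssl x509 -in "$2" -noout -dates)" ] ||
        { echo "MISMATCH: validity unchanged"; return 1; }
    echo ok
}

rehearse_resign() {
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    mkdir -p CA/newcerts class3; touch CA/index.txt; echo 0E > CA/serial
    # Constructed config: same CA sections as sign_class3_ca.cnf, plus a [req]
    # section so the throwaway root can be created from the same file.
    cat > sign_class3_ca.cnf <<'EOF'
oid_section = cacert_oids
[ req ]
prompt = no
distinguished_name = root_dn
x509_extensions = root_ext
[ root_dn ]
O = Root CA
CN = Rehearsal Root
[ root_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
[ ca ]
default_ca = CA_root
[ CA_root ]
dir = CA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.crt
private_key = $dir/cacert.pem
x509_extensions = sub_ca_ext
default_days = 3650
default_md = sha256
preserve = yes
policy = policy_sub_ca
unique_subject = no
[ cacert_oids ]
cacert_base_oid = 1.3.6.1.4.1.18506
[ policy_sub_ca ]
organizationName = optional
organizationalUnitName = optional
commonName = optional
[ sub_ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true
authorityInfoAccess = OCSP;URI:http://ocsp.CAcert.org/,caIssuers;URI:http://www.CAcert.org/ca.crt
certificatePolicies = @polsect
nsCaPolicyUrl = http://www.CAcert.org/index.php?id=10
nsComment = "Rehearsal certificate, constructed for testing"
[ polsect ]
CPS = "http://www.CAcert.org/index.php?id=10"
policyIdentifier = cacert_base_oid
EOF
    # Throwaway root (stands in for the CAcert root key on the signer) and a
    # first class 3 certificate carrying the original's 2011-2021 validity window.
    openssl genrsa -out CA/cacert.pem 2048 2>/dev/null
    openssl req -x509 -new -config sign_class3_ca.cnf -key CA/cacert.pem -days 3650 -out CA/cacert.crt
    openssl genrsa -out class3/cacert.pem 2048 2>/dev/null
    openssl req -new -config sign_class3_ca.cnf -key class3/cacert.pem \
        -subj "/O=CAcert Inc./OU=Rehearsal/CN=CAcert Class 3 Root" -out class3/cacert.req
    openssl ca -config sign_class3_ca.cnf -batch -startdate 110523174802Z \
        -enddate 210520174802Z -in class3/cacert.req -out class3/cacert.crt >/dev/null
    # README step 4: CSR from the existing certificate and key (keeps the DN encoding).
    openssl x509 -x509toreq -signkey class3/cacert.pem -in class3/cacert.crt -out class3/cacert.req
    # README step 5: sign with the root key under the config; the serial becomes 0F.
    openssl ca -config sign_class3_ca.cnf -batch -in class3/cacert.req -out class3/cacert_2021.crt >/dev/null
    openssl verify -CAfile CA/cacert.crt class3/cacert_2021.crt >/dev/null
    check_resigned_pair class3/cacert.crt class3/cacert_2021.crt
}

rehearse_resign
```

Run with no arguments to rehearse; on a real signer, source the file and call only `check_resigned_pair` against the two files from step 6. The subject comparison is on the printed form, so `preserve = yes` in the config remains what keeps the DN encoding itself byte-identical; the Subject Key Identifier and public key are compared exactly, which matters because clients chain already-issued certificates to the class 3 certificate by key identifier and subject.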
## Prepare deployment of the new certificate
The deployment requires changes in several places. The certificate is required
in several forms:
```
cd /mnt/usbdisk/resign_class3_2021
openssl x509 -in class3/cacert_2021.crt -outform der -out class3_2021.der
openssl x509 -in class3/cacert_2021.crt -text -out class3_2021.txt
```
as well as the fingerprints:
```
cd /mnt/usbdisk/resign_class3_2021
for md in sha1 sha256 sha384 sha512; do
openssl x509 -fingerprint -in class3/cacert_2021.crt -$md -noout
done > class3_fingerprints.txt
```
## Deployment of the new certificate
The deployment of the new certificate requires a visit to the data center to
switch the existing certificate on the signer for the new one. All changes to
the software, download locations and the signer should be performed in a single
downtime.
Move the new certificate to its target position on the signer:
```
cd /etc/ssl
mv class3/cacert_2021.crt class3/cacert.crt
```
The various certificate forms as well as the fingerprints need to be deployed
on at least the following systems:
- webdb (used in various places including www/certs in the document root
directory as well as in email and page templates)
- cats (used for client certificate authentication)
- other infrastructure hosts
Changes to other artifacts (e.g. installers and operating system packages) need
to be coordinated with the responsible teams/communities.
sign_class3_ca.cnf (1,933 bytes)
```
oid_section = cacert_oids

[ ca ]
default_ca = CA_root

[ CA_root ]
dir = CA                          # Where everything is kept
certs = $dir/certs                # Where the issued certs are kept
crl_dir = $dir/crl                # Where the issued crl are kept
database = $dir/index.txt         # database index file.
new_certs_dir = $dir/newcerts     # default place for new certs.
certificate = $dir/cacert.crt     # The CA certificate
serial = $dir/serial              # The current serial number
private_key = $dir/cacert.pem     # The private key
RANDFILE = $dir/private/.rand     # private random number file
x509_extensions = sub_ca_ext      # The extensions to add to the cert
default_days = 3650               # how long to certify for
default_md = sha256               # which md to use.
preserve = yes                    # keep passed DN ordering
policy = policy_sub_ca
unique_subject = no
create_serial = yes

[ cacert_oids ]
# see https://wiki.cacert.org/OidAllocation and
# http://oid-info.com/get/1.3.6.1.4.1.18506
cacert_base_oid = 1.3.6.1.4.1.18506

[ policy_sub_ca ]
organizationName = optional
organizationalUnitName = optional
commonName = optional

[ sub_ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true
authorityInfoAccess = OCSP;URI:http://ocsp.CAcert.org/,caIssuers;URI:http://www.CAcert.org/ca.crt
certificatePolicies = @polsect
nsCaPolicyUrl = http://www.CAcert.org/index.php?id=10
nsComment = "To get your own certificate for FREE, go to http://www.CAcert.org"

[ polsect ]
CPS = "http://www.CAcert.org/index.php?id=10"
policyIdentifier = cacert_base_oid
```
| Reviewed by | egal | ||||
| Test Instructions | Apply the described procedures on a test system. | ||||
| Note | Author | Date | Text |
|---|---|---|---|
| 0005948 | jandd | 2021-01-31 11:26 | please review the attached README and openssl configuration |
| 0005985 | egal | 2021-04-17 18:08 | The process could be processed as described, but with the following change: No files should be copied TO the signer machine. Therefore: The existing signature config should be copied on the signer to the new name and modified to match the content of the config attached to this bug. |
| 0005986 | egal | 2021-04-25 11:12 | The new certificate was created during the visit at the BIT datacenter on 2021-04-19. It's now in testing (e.g. installed) on our (internal) environment/servers. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-12-25 08:55 | jandd | New Issue | |
| 2020-12-25 08:55 | jandd | Tag Attached: certificates | |
| 2020-12-25 08:55 | jandd | Tag Attached: signer | |
| 2020-12-25 08:55 | jandd | File Added: README.md | |
| 2020-12-25 08:55 | jandd | File Added: sign_class3_ca.cnf | |
| 2021-01-31 11:26 | jandd | Assigned To | => Ted |
| 2021-01-31 11:26 | jandd | Status | new => needs review & testing |
| 2021-01-31 11:26 | jandd | Note Added: 0005948 | |
| 2021-04-17 18:08 | egal | Note Added: 0005985 | |
| 2021-04-17 18:09 | egal | Reviewed by | => egal |
| 2021-04-17 18:11 | egal | Status | needs review & testing => needs review |
| 2021-04-25 11:12 | egal | Note Added: 0005986 | |
| 2021-04-25 11:15 | egal | Status | needs review => solved? |
| 2021-04-25 11:15 | egal | Resolution | open => fixed |
| 2023-07-09 14:32 | jandd | Status | solved? => closed |