View Issue Details

ID: 0001499
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2021-04-25 11:15
Reporter: jandd
Assigned To: Ted
Priority: normal
Severity: feature
Reproducibility: N/A
Status: solved?
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Summary: 0001499: Resign class3 CA certificate before May 2021
Description: The current class3 CA certificate expires in May 2021. It should be renewed before expiry.
Additional Information: Instructions for renewal and a matching OpenSSL configuration file are attached to this ticket. Additional issues should be filed for adapting WebDB, Mail templates, marketing material, monitoring and other places.

The signer has openssl 0.9.8o and tests should be performed using an equally old version.
Tags: certificates, signer
Reviewed by: egal
Test Instructions: Apply the described procedures on a test system.

Activities

jandd

2020-12-25 08:55

administrator  

README.md (11,968 bytes)   
# Resigning of CAcert class3 certificate

## Rationale

The certificate with Subject "O=CAcert Inc., OU=http://www.CAcert.org,
CN=CAcert Class 3 Root" expires on May 20th 2021. A new version needs to be
signed by the CAcert root CA before the expiry date. It would be a good idea to
perform the signing a few months before the expiry date to have enough time to
update the fingerprints and download files in advance.

## Original certificate

The original certificate has the following parameters:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
        Validity
            Not Before: May 23 17:48:02 2011 GMT
            Not After : May 20 17:48:02 2021 GMT
        Subject: O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:
                    dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:
                    89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:
                    24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8:
                    c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa:
                    51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44:
                    8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34:
                    29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98:
                    65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0:
                    ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e:
                    97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4:
                    cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6:
                    85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72:
                    35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e:
                    4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e:
                    0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:
                    2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:
                    27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:
                    5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:
                    cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11:
                    36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3:
                    d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70:
                    40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a:
                    e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a:
                    df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20:
                    2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97:
                    4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1:
                    ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48:
                    00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a:
                    25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11:
                    c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91:
                    99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:
                    8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:
                    74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:
                    05:fb:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A
            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access: 
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.18506
                  CPS: http://www.CAcert.org/index.php?id=10

            Netscape CA Policy Url: 
                http://www.CAcert.org/index.php?id=10
            Netscape Comment: 
                To get your own certificate for FREE, go to http://www.CAcert.org
            X509v3 Authority Key Identifier: 
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1

    Signature Algorithm: sha256WithRSAEncryption
         5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a:
         a9:f3:54:e4:40:18:3f:4a:cb:43:c6:9b:76:09:e6:ca:54:a7:
         8c:94:0b:92:68:d6:59:bb:17:97:7b:69:ea:ad:d4:4c:e1:29:
         5b:28:15:8f:dd:19:f4:95:59:27:97:18:db:8f:09:b9:7d:78:
         7a:c8:b0:42:56:b5:ea:eb:5e:b1:26:d0:97:13:be:05:1c:86:
         e1:34:05:15:b1:06:bd:da:3c:d0:13:63:84:6d:35:94:d0:3e:
         99:82:18:a1:fa:3f:9c:37:47:85:8a:e0:ee:73:78:82:d4:6b:
         99:31:bf:d9:c3:6d:40:5d:b9:15:c7:36:78:8a:96:8b:d1:84:
         20:b1:2b:75:3f:6d:a2:a5:be:bd:e8:e2:e4:ad:44:5c:b6:06:
         36:70:74:b8:a4:8e:b6:56:94:60:93:02:7f:2f:0d:a7:f8:2f:
         6f:b6:e9:28:cc:c8:6b:94:f4:93:03:43:a1:34:41:a2:1a:9d:
         a1:46:95:9a:86:21:be:1c:67:08:61:f0:15:f6:fe:e8:83:77:
         4e:f5:39:d2:d1:70:db:6e:4d:51:a9:73:e9:73:f0:ed:ac:95:
         b3:99:93:74:3b:82:88:c7:43:ad:2c:92:56:1b:dc:e9:f4:9a:
         c9:c8:ee:94:48:81:58:81:aa:f4:53:c1:c7:1e:84:dc:72:d8:
         7e:f2:f2:62:af:3e:c0:c3:80:e5:0a:e8:e8:db:b3:a8:22:4b:
         20:dc:ec:e0:5f:f0:e4:bd:66:25:d0:9f:04:32:55:e8:1f:48:
         93:bf:7a:9c:ae:84:08:b4:e5:05:b2:08:a5:6e:34:5b:6b:ce:
         90:e6:42:e1:9c:2c:63:75:6d:82:6d:b3:52:a7:cb:e5:66:7d:
         2e:17:17:7c:b2:9c:50:71:7b:34:08:89:f5:f6:eb:dc:40:8a:
         38:67:8b:90:fb:4d:0b:83:dc:48:f5:81:55:f5:2d:8c:6d:26:
         a7:94:d5:25:bd:b0:78:52:f1:e4:7a:5d:29:e9:b1:ad:02:6a:
         75:74:90:52:91:93:85:9b:46:7a:7a:4f:86:ef:0e:d1:d5:a4:
         e2:7e:31:89:ad:dc:34:df:63:be:54:82:b0:0a:0b:bc:0d:db:
         24:47:4c:34:07:af:32:75:99:f4:01:39:cc:9e:be:44:c6:f7:
         16:91:90:6d:0a:04:1a:d8:db:d2:2a:b7:10:9e:56:aa:a3:d8:
         9c:10:5e:17:7a:f2:3f:55:37:b3:95:bd:4b:8d:83:16:1d:57:
         79:47:a0:b6:a7:8c:13:c9:50:48:33:c8:63:ac:b7:0a:88:28:
         45:e3:71:91:26:d9:de:ef
```

```
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```

## Process

The signer has openssl 0.9.8o-4squeeze11 installed. The re-signing procedure
needs to be compatible with that version of openssl.

1. Put the content of this repository on a removable device (e.g. a USB disk
   mounted at `/mnt/usbdisk` on your workstation):

   ```
   mkdir -p /mnt/usbdisk/resign_class3_2021
   cp README.md sign_class3_ca.cnf /mnt/usbdisk/resign_class3_2021
   ```

2. Back up the original class 3 certificate on the signer:

   ```
   tar cf /etc/ssl/backup-$(date +%Y%m%d-%H%M%S).tar -C /etc/ssl \
     class3/cacert.crt
   ```

3. Copy [sign_class3_ca.cnf](sign_class3_ca.cnf) to the signer's `/etc/ssl`
   directory (from the USB disk mounted at `/mnt/usbdisk`):

   ```
   cp /mnt/usbdisk/resign_class3_2021/sign_class3_ca.cnf /etc/ssl/
   ```

4. Generate a CSR from the existing certificate, signed with the existing
   class 3 private key. Deriving the request from the certificate instead of
   typing the DN again keeps the Subject DN, including the string types of its
   components, byte-for-byte identical, and reusing the key keeps the public key
   and therefore the Subject Key Identifier unchanged:

   ```
   cd /etc/ssl
   openssl x509 \
       -x509toreq \
       -signkey class3/cacert.pem \
       -in class3/cacert.crt \
       -out class3/cacert.req
   ```

   `-x509toreq` does not carry the X.509v3 extensions over into the request;
   they are re-applied from the `sub_ca_ext` section of the configuration file
   in the next step.

5. Sign a new certificate with the Root CA key, using the configuration file
   for openssl. The configuration sets `unique_subject = no`, because the new
   certificate has the same Subject DN as the entry already recorded in the CA
   database, and `preserve = yes`, so the DN ordering from the request is kept:

   ```
   cd /etc/ssl
   openssl ca \
       -config sign_class3_ca.cnf \
       -in class3/cacert.req \
       -out class3/cacert_2021.crt
   ```

6. Verify that the new certificate in `class3/cacert_2021.crt` is sufficiently
   similar to the original certificate (the `<( ... )` process substitution
   needs bash, not a plain POSIX `sh`):

   ```
   cd /etc/ssl
   diff -urw <(openssl x509 -in class3/cacert.crt -noout -text) \
             <(openssl x509 -in class3/cacert_2021.crt -noout -text) | \
   less
   ```

   The following fields MUST have changed:

   * Serial Number
   * Validity fields
     * Not Before
     * Not After
   * Signature value

   All other fields MUST NOT have changed; in particular the Subject, the
   public key, the Signature Algorithm (`sha256WithRSAEncryption`), the Subject
   Key Identifier, the Authority Key Identifier and the remaining extensions
   must be identical to the original.

7. Copy the new certificate to a backup medium (USB flash drive/disk) to make
   it available for later rollout:

   ```
   mkdir -p /mnt/usbdisk/resign_class3_2021/class3
   cp /etc/ssl/class3/cacert_2021.crt /mnt/usbdisk/resign_class3_2021/class3/
   ```
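
A rehearsal of the procedure above, added here as an example; it is not one of
the attachments on this ticket and it never touches `/etc/ssl`. It assumes a
POSIX `sh` and an `openssl` binary on `PATH` (a current one; the point of the
rehearsal is that the signer's 0.9.8 accepts the same commands). The root and
class 3 keys, their names and the 2011 start date are constructed test data,
2048-bit instead of 4096-bit for speed, and the configuration is a trimmed copy
of `sign_class3_ca.cnf` with `[ req ]` sections added for the test root. It
runs the `x509toreq` and `openssl ca` steps in a temporary directory and then
performs the verification step mechanically: only serial number, validity and
signature may differ, and the new certificate must chain to the root.

```sh
#!/bin/sh
# Added rehearsal script for the class 3 re-signing procedure (not part of the
# ticket's attachments). Everything lives in a throwaway directory: a test root
# CA and a test "class 3" sub CA (assumed names and 2048-bit keys), a trimmed
# copy of the attached configuration, and the x509toreq + "openssl ca" steps.
# Drop the 2>/dev/null redirects to see openssl's diagnostics.
set -eu

# Build the scratch CA layout under $1 and issue the "original" sub CA with an
# explicit 2011 start date so the renewal is guaranteed to change both dates.
setup_test_ca() {
    t=$1
    mkdir -p "$t/CA/newcerts" "$t/class3"
    : > "$t/CA/index.txt"
    echo 0E > "$t/CA/serial"      # created explicitly; next serial 0x0E like the original
    cat > "$t/sign_class3_ca.cnf" <<'EOF'
[ ca ]
default_ca             = CA_root
[ CA_root ]
dir                    = CA
database               = $dir/index.txt
new_certs_dir          = $dir/newcerts
certificate            = $dir/cacert.crt
serial                 = $dir/serial
private_key            = $dir/cacert.pem
x509_extensions        = sub_ca_ext
default_days           = 3650
default_md             = sha256
preserve               = yes
policy                 = policy_sub_ca
unique_subject         = no
[ policy_sub_ca ]
organizationName       = optional
commonName             = optional
[ sub_ca_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:true
nsComment              = "re-sign rehearsal, test certificate"
[ req ]
distinguished_name     = req_dn
x509_extensions        = root_ext
[ req_dn ]
commonName             = Common Name
[ root_ext ]
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
EOF
    (
        cd "$t"
        openssl genrsa -out CA/cacert.pem 2048 2>/dev/null
        openssl req -new -x509 -config sign_class3_ca.cnf -key CA/cacert.pem \
            -sha256 -days 3650 -subj "/O=Test Root/CN=Test Root CA" -out CA/cacert.crt
        openssl genrsa -out class3/cacert.pem 2048 2>/dev/null
        openssl req -new -config sign_class3_ca.cnf -key class3/cacert.pem \
            -subj "/O=Test Inc./CN=Test Class 3 Root" -out class3/orig.req
        openssl ca -batch -notext -config sign_class3_ca.cnf \
            -startdate 110523174802Z -enddate 300520174802Z \
            -in class3/orig.req -out class3/cacert.crt 2>/dev/null
    )
}

# The README's x509toreq and "openssl ca" steps, run in the scratch directory.
resign_sub_ca() {
    (
        cd "$1"
        openssl x509 -x509toreq -signkey class3/cacert.pem \
            -in class3/cacert.crt -out class3/cacert.req 2>/dev/null
        openssl ca -batch -notext -config sign_class3_ca.cnf \
            -in class3/cacert.req -out class3/cacert_2021.crt 2>/dev/null
    )
}

field()     { openssl x509 -in "$1" -noout "$2"; }             # e.g. field cert -serial
sig_alg()   { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/{print; exit}'; }
# Text between "X509v3 extensions:" and the trailing "Signature Algorithm:" line.
ext_block() { openssl x509 -in "$1" -noout -text |
              awk '/X509v3 extensions:/{f=1;next} /^ *Signature Algorithm:/{f=0} f'; }
# Everything after the last "Signature Algorithm:" line, i.e. the signature hex.
sig_value() { openssl x509 -in "$1" -noout -text |
              awk '/^ *Signature Algorithm:/{s="";f=1;next} f{s=s $0} END{print s}'; }

# The verification step as a mechanical check: prints "ok" when exactly serial,
# validity and signature differ and the new cert chains to the root; otherwise
# names the first violated rule and returns 1.
check_resign() {
    old=$1/class3/cacert.crt
    new=$1/class3/cacert_2021.crt
    for f in -subject -issuer -pubkey; do
        [ "$(field "$old" $f)" = "$(field "$new" $f)" ] || { echo "changed: $f"; return 1; }
    done
    [ "$(ext_block "$old")" = "$(ext_block "$new")" ] || { echo "changed: extensions"; return 1; }
    [ "$(sig_alg "$old")" = "$(sig_alg "$new")" ] || { echo "changed: signature algorithm"; return 1; }
    for f in -serial -startdate -enddate; do
        [ "$(field "$old" $f)" != "$(field "$new" $f)" ] || { echo "unchanged: $f"; return 1; }
    done
    [ "$(sig_value "$old")" != "$(sig_value "$new")" ] || { echo "unchanged: signature"; return 1; }
    openssl verify -CAfile "$1/CA/cacert.crt" "$new" >/dev/null 2>&1 || { echo "chain does not verify"; return 1; }
    echo ok
}

T=$(mktemp -d)
trap 'rm -rf "$T"' EXIT
setup_test_ca "$T"
resign_sub_ca "$T"
check_resign "$T"     # prints: ok
```

The extension block and signature are compared from the `-text` dump, the other
fields through their dedicated `openssl x509 -noout` options, so the check does
not depend on the exact layout of the dump beyond the two `Signature Algorithm:`
markers. If a run prints `changed: extensions`, diff the two `-text` dumps as in
the verification step above; on the real signer that is what a stale
configuration section would look like.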

## Prepare deployment of the new certificate

The deployment requires changes in several places. The certificate is required
in several forms:

```
cd /mnt/usbdisk/resign_class3_2021
openssl x509 -in class3/cacert_2021.crt -outform der -out class3_2021.der
openssl x509 -in class3/cacert_2021.crt -text -out class3_2021.txt
```

as well as the fingerprints:

```
cd /mnt/usbdisk/resign_class3_2021
for md in sha1 sha256 sha384 sha512; do
    openssl x509 -fingerprint -in class3/cacert_2021.crt -$md -noout
done > class3_fingerprints.txt
```

## Deployment of the new certificate

The deployment of the new certificate requires a visit to the data center to
switch the existing certificate on the signer for the new one. All changes to
the software, download locations and the signer should be performed in a single
downtime.

Move the new certificate to its target position on the signer:

```
cd /etc/ssl
mv class3/cacert_2021.crt class3/cacert.crt
```

The various certificate forms as well as the fingerprints need to be deployed
on at least the following systems:

- webdb (used in various places including www/certs in the document root
  directory as well as in email and page templates)
- cats (used for client certificate authentication)
- other infrastructure hosts

Changes to other artifacts (e.g. installers and operating system packages) need
to be coordinated with the responsible teams/communities.

sign_class3_ca.cnf (1,933 bytes)   
oid_section            = cacert_oids

[ ca ]
default_ca             = CA_root

[ CA_root ]
dir                    = CA                  # Where everything is kept
certs                  = $dir/certs          # Where the issued certs are kept
crl_dir                = $dir/crl            # Where the issued crl are kept
database               = $dir/index.txt      # database index file.
new_certs_dir          = $dir/newcerts       # default place for new certs.
certificate            = $dir/cacert.crt     # The CA certificate
serial                 = $dir/serial         # The current serial number
private_key            = $dir/cacert.pem     # The private key
RANDFILE               = $dir/private/.rand  # private random number file
x509_extensions        = sub_ca_ext          # The extensions to add to the cert
default_days           = 3650                # how long to certify for
default_md             = sha256              # which md to use.
preserve               = yes                 # keep passed DN ordering
policy                 = policy_sub_ca
unique_subject         = no
create_serial          = yes

[ cacert_oids ]
# see https://wiki.cacert.org/OidAllocation and
# http://oid-info.com/get/1.3.6.1.4.1.18506
cacert_base_oid        = 1.3.6.1.4.1.18506

[ policy_sub_ca ]
organizationName       = optional
organizationalUnitName = optional
commonName             = optional

[ sub_ca_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:true
authorityInfoAccess    = OCSP;URI:http://ocsp.CAcert.org/,caIssuers;URI:http://www.CAcert.org/ca.crt
certificatePolicies    = @polsect
nsCaPolicyUrl          = http://www.CAcert.org/index.php?id=10
nsComment              = "To get your own certificate for FREE, go to http://www.CAcert.org"

[ polsect ]
CPS                    = "http://www.CAcert.org/index.php?id=10"
policyIdentifier       = cacert_base_oid


jandd

2021-01-31 11:26

administrator   ~0005948

please review the attached README and openssl configuration

egal

2021-04-17 18:08

administrator   ~0005985

The process could be processed as described, but with the following change:

No files should be copied TO the signer machine.

Therefore:
The existing signature config should be copied on the signer to the new name and modified to match the content of the config attached to this bug.

egal

2021-04-25 11:12

administrator   ~0005986

The new certificate was created during the visit at BIT datacenter on 2021-04-19.

It's now in testing (e.g. installed) on our (internal) environment/servers.

Issue History

Date Modified Username Field Change
2020-12-25 08:55 jandd New Issue
2020-12-25 08:55 jandd Tag Attached: certificates
2020-12-25 08:55 jandd Tag Attached: signer
2020-12-25 08:55 jandd File Added: README.md
2020-12-25 08:55 jandd File Added: sign_class3_ca.cnf
2021-01-31 11:26 jandd Assigned To => Ted
2021-01-31 11:26 jandd Status new => needs review & testing
2021-01-31 11:26 jandd Note Added: 0005948
2021-04-17 18:08 egal Note Added: 0005985
2021-04-17 18:09 egal Reviewed by => egal
2021-04-17 18:11 egal Status needs review & testing => needs review
2021-04-25 11:12 egal Note Added: 0005986
2021-04-25 11:15 egal Status needs review => solved?
2021-04-25 11:15 egal Resolution open => fixed