View Issue Details

IDProjectCategoryView StatusLast Update
0000824Main CAcert Websiteorganisational sectionpublic2015-03-10 20:34
ReporterMathieuSimon Assigned ToUli60  
Status closedResolutionfixed 
Product Version2010 Q3 
Target Version2014 Q3Fixed in Version2014 Q4 
Summary0000824: Organisation User Certificates: Need UI improvement for proper production usage
DescriptionI, the poster of this bug requested changement of the Orga User Page to 2 ways of user cert creation - so it permits legally correct cert issuance for our organisation users.

The Starting point of the discussion is:

There is a patch proposed be my waiting for testing. (attached.)

TagsNo tags attached.
Attached Files
16.php.proposal2.patch (5,797 bytes)   
--- cacert/pages/account/16.php	2010-03-21 11:38:14.483665875 +0100
+++ cacert-old/pages/account/16.php	2008-09-03 20:44:17.000000000 +0200
@@ -14,54 +14,13 @@
     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-    Description:
-    This page represents the view of organisation admins when they want to send 
-    and / or create new signing requests.
-   Text originating from 3.php - the (personal) Client Certificate requesting page 
-   -> TODO fix translations to lookup for fixed "CAcert Certif*i*cate"  string in translations
-<h3><?=_("CAcert Certificate Acceptable Use Policy")?></h3>
-<p><?=_("Once you decide to subscribe for an SSL Server Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
-<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
-<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href=""></a></p>
-<p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. (TO BE DISCUSSED ->) The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
-<?/* Additional (new) text as reminder and very short help for org sysadmins */?>
-<h4><?=_("Reminder for Organisation Administrators")?></h4>
-<p><?=_("Organisation Assurance is still in early stages - as organisation administrator you are the bridge between your Organisation and CAcert. You are also in between CAcert's policies and local data protection acts. The community is trying to solve the issues to make life easier for you - until policies are more precise: Stay informed on your local law and know your rights both at CAcert policy and local data protection act (DPA) level.")?></p>
-<p><?=_("Inform yourself on how local DPA may be affecting the way, if you as Org-Admin, or the requesting person have to generate private keys or not - if the later one, you only need a CSR from your requestor. Some may also have a paper reglementing who has to do backups of keypairs. - Ask for that.")?></p>
-<h4><?=_("At last")?></h4>
-<p><?=_("Please don't send in a signing request for your organisation if you have doubt's about it's credibility. In case e.g. you are being forced by your organisation to request an abusive certificate or if you have serious doubts - unresolvable with your Organisation: File an arbitration! Your organisation has also signed the Organisation Assurance Policy and has to follow CAcert arbitration as well.")?></p>
-<h4><?=_("Method A: Paste a CSR")?></h4>
-<form method="post" action="account.php">
-<input type="radio" name="rootcert" value="1" checked="checked"> <?=_("Sign by class 1 root certificate")?><br>
-<input type="radio" name="rootcert" value="2"> <?=_("Sign by class 3 root certificate")?><br>
-<p><?=_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people")?></p>
-<p><?=_("Paste your CSR below...")?></p>
-<textarea name="CSR" cols="80" rows="15"></textarea><br>
-<input type="submit" name="process" value="<?=_("Submit")?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
-<h4><?=_("Method B: Let your browser generate the key")?></h4>
 <form method="post" action="account.php">
-<table align="left" valign="left" border="0" cellspacing="0" cellpadding="0" class="wrapper">
+<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
-    <td colspan="2" class="title"><?=_("New Organisation Client Certificate")?></td>
+    <td colspan="2" class="title"><?=_("New Client Certificate")?></td>
     <td class="DataTD"><?=_("Add")?></td>
@@ -87,7 +46,7 @@
     <td class="DataTD" colspan="2" align="left">
-        <input type="radio" name="rootcert" value="1" checked="checked"> <?=_("Sign by class 1 root certificate")?><br>
+        <input type="radio" name="rootcert" value="1" checked> <?=_("Sign by class 1 root certificate")?><br>
         <input type="radio" name="rootcert" value="2"> <?=_("Sign by class 3 root certificate")?><br>
         <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"), 60))?>
16.php.proposal2.patch (5,797 bytes)   
16.php (3,838 bytes)
17.php (7,046 bytes)
19.php (4,206 bytes)
account.php (122,221 bytes)
Reviewed byTed
Test Instructions


related to 0000363 closed Organisational Client Certificate CSRs 
related to 0000790 closedNEOatNHNG Creating organisation client certs by pasted CSR 
related to 0000847 needs feedback Key stength is not available for creating client certificate 
related to 0001205 confirmed Refactor certificate creation routines into /includes/ 
related to 0001250 new Make sure that a organisation certificate is only issued for the correct organisation 
related to 0001251 new have the possibility to push a file with multiple client csr requests to the Organisation Section 
related to 0001252 new have the possibility to push a file with email address to the Organisation Section to revoke the certificate related to the file 



2010-07-06 10:43

administrator   ~0001586

Thanks a lot for the patch!

I have deployed the patch on our testsystem on now, where it can be tested. (Create a new account there without using real secrets there)

I noticed a few problems with the patch:

The patch goes into the wrong direction. It undoes the necessary changes instead of doing them.

It contains the comments
'-> TODO fix translations to lookup for fixed "CAcert Certif*i*cate" string in translations'
(TO BE DISCUSSED ->) The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.

Please discuss/solve them first.


2010-07-06 19:44

reporter   ~0001587

Sorry I can't login to the server as it doesn't accept my mail address - i.e. the test system can't send the verification mail... :-/

How does it undo the changes?


2010-08-04 11:36

developer   ~0001614

Mathieu, I think all Phillip wants to say is that you issued the diff statement wrong, i.e. "diff <new> <old>", thus the resulting patch REMOVES your changes from your file. We need the opposite patch to add your changes to the OLD version.


2010-08-04 12:27

developer   ~0001616

After a short review, the patch looks incomplete to me. Mathieu added a 2nd form to the certificate site, which enables an user to submit an CSR.
But the code that picks up that manually submitted CSR and superseeds the browser create key code is IMHO missing. I can not even see that the code picks up the submitted CSR POST variable.


2011-09-01 14:25

updater   ~0002399

Last edited: 2011-09-01 14:27

to add a csr form isn't that a big problem.
but the main problem is, that the csr content needs to be analyzed and processed within /includes/account.php
A similiar procedure for server csr's can be found in section oldid=10 and 11
but org client certs is another type of cert, so this needs deeper analyse and deployment.

the next thing is, before pasting a CSR into the form, the OrgAdmin needs manual checking the CSR that he has received from an org user about all Org specific settings that needs to be included into the CSR, that is:
1. all added email addresses ok that corrosponds to the org enabled domains?
2. name
3. ou
4. codesigning flag
5. O (organisation)
6. L (city)
7. ST (state)
8. C (country code)
One thing that cannot be checked, which of the certs should be used? class1? class3?

all these infos also needs to be extracted from the csr, to be verfied against the orgadmin and org infos before they can be processed

currently there is no code yet available, that can be recycled for adding a client cert CSR request handling. CSR structure and fields needs to be analysed. openssl check routine needs deployed and much more


2011-09-02 12:04

updater   ~0002401

there are 4 files modified to add a csr paste option
and 3 files unter /pages/account/
16.php, 17.php and 19.php

for installation on a local testserver, for review and testing, if the
csr paste will do anything
copied parts from the client cert coding, merged with the org email cert coding.
I've tried an openssl generate priv key, pasted the resulting csr and got a signed key. but I currently cannot test the priv/pub keys atm
maybe someone other will give it a try ?


2011-09-05 09:58

updater   ~0002404

Last edited: 2011-09-05 23:25


generate private key with openssl:
openssl genrsa 2048 >

generate signing request:
openssl req –new –key –out

results in signed key - copy & paste
save to

Verifying a certificate and key are a pair (Extra)
The easy way I have found to do this is to try to export them
openssl pkcs12 –export –in –inkey –out
(running this command works, importing the key into FF fails, at least by me, also with variations with -name "<displayname>" and w/ pwd, w/o pwd failed)

Import separate certificate and private key into microsoft certificate store
So microsoft handles certs and keys differently than openssl, in that microsoft packs the key and cert into a single file, .pfx (pkcs12 format).
To pack a key and cert into the same file so that microsoft knows about the private key that is associated with the cert, run the following command
openssl pkcs12 -export -out keycert.pfx -inkey private.key -in certificate.crt
import into ie client cert store works with success

source from:


2011-09-06 20:52

administrator   ~0002411

Last edited: 2011-09-06 20:53

Checked in changes to git branch bug-824, merged with master branch and installed on testserver.

First review done, removed changes not relevant for this bug.


2011-09-06 21:28

administrator   ~0002412

Did some testing

- Created CSR with:
openssl req -newkey rsa:2048 -keyout autobuild.key -subj "/C=DE/O=convey Information Systems GmbH/OU=Software Development/CN=convey Automatic Build Server/" -out autobuild.csr -config openssl.cnf

- Used the result as CSR for "Org Client Certs->New"
- Set other fields of the form:
  - Email:
  - Name: Dummyname
  - Department: Test-Abteilung

Certificate created with subject:
C=DE, L=Munich, O=convey Information Systems GmbH, OU=Test-Abteilung, CN=Dummyname/

Certificate and key could be used to sign a message with openssl smime ==> certificate and key do match

==> Basic functionality is OK

Some Details:
- Enable certificate login... IMHO does not make sense with Org certs (probably won't work)
- After the certificate was created another click to "Org Client Certs->New" did show the form pre-filled with an additional email line (as if "Another Email") was pressed. IMHO pre-filling the form does not make sense. Maybe the department, but nothing more!

==> Some fixes in details are needed


2011-09-27 22:56

updater   ~0002542

case study only

for use on local developers image only


2015-03-10 20:34

updater   ~0005355

closed in the context of bug 790

Issue History

Date Modified Username Field Change
2010-07-04 08:34 MathieuSimon New Issue
2010-07-04 08:34 MathieuSimon File Added: 16.php.proposal2.patch
2010-07-06 10:43 Sourcerer Note Added: 0001586
2010-07-06 10:48 Sourcerer Status new => @30@
2010-07-06 19:44 MathieuSimon Note Added: 0001587
2010-08-04 11:36 edgarwahn Note Added: 0001614
2010-08-04 12:27 edgarwahn Note Added: 0001616
2010-08-04 12:27 edgarwahn Assigned To => Sourcerer
2010-08-04 12:27 edgarwahn Status @30@ => needs feedback
2011-05-15 08:50 law Relationship added related to 0000363
2011-05-15 18:06 Ted Relationship added related to 0000790
2011-09-01 14:13 Uli60 File Added: 16.php
2011-09-01 14:25 Uli60 Note Added: 0002399
2011-09-01 14:27 Uli60 Note Edited: 0002399
2011-09-02 11:55 Uli60 File Deleted: 16.php
2011-09-02 11:56 Uli60 File Added: 16.php
2011-09-02 11:56 Uli60 File Added: 17.php
2011-09-02 11:57 Uli60 File Added: 19.php
2011-09-02 11:57 Uli60 File Added: account.php
2011-09-02 12:04 Uli60 Note Added: 0002401
2011-09-02 12:04 Uli60 Assigned To Sourcerer => Uli60
2011-09-02 12:04 Uli60 Status needs feedback => fix available
2011-09-05 09:58 Uli60 Note Added: 0002404
2011-09-05 10:12 Uli60 Note Edited: 0002404
2011-09-05 23:25 Uli60 Note Edited: 0002404
2011-09-06 16:17 Ted Assigned To Uli60 => Ted
2011-09-06 20:50 Ted Source_changeset_attached => cacert-devel master 7202f2bc
2011-09-06 20:50 Ted Source_changeset_attached => cacert-devel master cca380ee
2011-09-06 20:52 Ted Note Added: 0002411
2011-09-06 20:52 Ted Status fix available => needs review & testing
2011-09-06 20:52 Ted Reviewed by => Ted
2011-09-06 20:53 Ted Note Edited: 0002411
2011-09-06 21:28 Ted Note Added: 0002412
2011-09-15 15:31 Uli60 Relationship added related to 0000847
2011-09-27 22:56 Uli60 Note Added: 0002542
2011-09-27 22:56 Uli60 Assigned To Ted => Uli60
2011-09-27 22:56 Uli60 Status needs review & testing => needs work
2013-08-20 16:41 Uli60 Relationship added related to 0001205
2014-02-22 08:00 INOPIAE Relationship added related to 0001250
2014-02-22 08:09 INOPIAE Relationship added related to 0001251
2014-02-22 08:23 INOPIAE Relationship added related to 0001252
2015-03-10 20:33 INOPIAE Product Version => 2010 Q3
2015-03-10 20:33 INOPIAE Fixed in Version => 2014 Q4
2015-03-10 20:33 INOPIAE Target Version => 2014 Q3
2015-03-10 20:34 INOPIAE Note Added: 0005355
2015-03-10 20:34 INOPIAE Status needs work => closed
2015-03-10 20:34 INOPIAE Resolution open => fixed