View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000824 | Main CAcert Website | organisational section | public | 2010-07-04 08:34 | 2015-03-10 20:34 |

| Field | Value |
|---|---|
| Product Version | 2010 Q3 |
| Target Version | 2014 Q3 |
| Fixed in Version | 2014 Q4 |
| Summary | 0000824: Organisation User Certificates: Need UI improvement for proper production usage |
Description: I, the poster of this bug, requested a change of the Orga User Page to 2 ways of user cert creation - so it permits legally correct cert issuance for our organisation users.
The starting point of the discussion is:
There is a patch proposed by me waiting for testing. (attached.)
Tags: No tags attached.

| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0000363 | closed | | Organisational Client Certificate CSRs |
| related to | 0000790 | closed | NEOatNHNG | Creating organisation client certs by pasted CSR |
| related to | 0000847 | needs feedback | | Key strength is not available for creating client certificate |
| related to | 0001205 | confirmed | | Refactor certificate creation routines into /includes/notary.inc.php |
| related to | 0001250 | new | | Make sure that an organisation certificate is only issued for the correct organisation |
| related to | 0001251 | new | | have the possibility to push a file with multiple client csr requests to the Organisation Section |
| related to | 0001252 | new | | have the possibility to push a file with email address to the Organisation Section to revoke the certificate related to the file |
16.php.proposal2.patch (5,797 bytes)
--- cacert/pages/account/16.php 2010-03-21 11:38:14.483665875 +0100 +++ cacert-old/pages/account/16.php 2008-09-03 20:44:17.000000000 +0200 
@@ -14,54 +14,13 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - - Description: - This page represents the view of organisation admins when they want to send - and / or create new signing requests. */ include_once("../includes/shutdown.php"); ?> - -<? -/* - Text originating from 3.php - the (personal) Client Certificate requesting page - -> TODO fix translations to lookup for fixed "CAcert Certif*i*cate" string in translations -*/ -?> -<h3><?=_("CAcert Certificate Acceptable Use Policy")?></h3> -<p><?=_("Once you decide to subscribe for an SSL Server Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p> - -<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p> - -<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href="http://www.cacert.org/policy/">http://www.cacert.org/policy/</a></p> - -<p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. 
(TO BE DISCUSSED ->) The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p> - -<?/* Additional (new) text as reminder and very short help for org sysadmins */?> -<h4><?=_("Reminder for Organisation Administrators")?></h4> -<p><?=_("Organisation Assurance is still in early stages - as organisation administrator you are the bridge between your Organisation and CAcert. You are also in between CAcert's policies and local data protection acts. The community is trying to solve the issues to make life easier for you - until policies are more precise: Stay informed on your local law and know your rights both at CAcert policy and local data protection act (DPA) level.")?></p> - -<p><?=_("Inform yourself on how local DPA may be affecting the way, if you as Org-Admin, or the requesting person have to generate private keys or not - if the later one, you only need a CSR from your requestor. Some may also have a paper reglementing who has to do backups of keypairs. - Ask for that.")?></p> - -<h4><?=_("At last")?></h4> -<p><?=_("Please don't send in a signing request for your organisation if you have doubt's about it's credibility. In case e.g. you are being forced by your organisation to request an abusive certificate or if you have serious doubts - unresolvable with your Organisation: File an arbitration! 
Your organisation has also signed the Organisation Assurance Policy and has to follow CAcert arbitration as well.")?></p> - -<h4><?=_("Method A: Paste a CSR")?></h4> -<form method="post" action="account.php"> -<input type="radio" name="rootcert" value="1" checked="checked"> <?=_("Sign by class 1 root certificate")?><br> -<input type="radio" name="rootcert" value="2"> <?=_("Sign by class 3 root certificate")?><br> -<p><?=_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people")?></p> -<p><?=_("Paste your CSR below...")?></p> -<textarea name="CSR" cols="80" rows="15"></textarea><br> -<input type="submit" name="process" value="<?=_("Submit")?>"> -<input type="hidden" name="oldid" value="<?=$id?>"> -</form> - -<h4><?=_("Method B: Let your browser generate the key")?></h4> <form method="post" action="account.php"> -<table align="left" valign="left" border="0" cellspacing="0" cellpadding="0" class="wrapper"> +<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper"> <tr> - <td colspan="2" class="title"><?=_("New Organisation Client Certificate")?></td> + <td colspan="2" class="title"><?=_("New Client Certificate")?></td> </tr> <tr> <td class="DataTD"><?=_("Add")?></td> 
@@ -87,7 +46,7 @@ </tr> <tr> <td class="DataTD" colspan="2" align="left"> - <input type="radio" name="rootcert" value="1" checked="checked"> <?=_("Sign by class 1 root certificate")?><br> + <input type="radio" name="rootcert" value="1" checked> <?=_("Sign by class 1 root certificate")?><br> <input type="radio" name="rootcert" value="2"> <?=_("Sign by class 3 root certificate")?><br> <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"), 60))?> </td>
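Review bot: the first hunk (@@ -14,54 +14,13 @@) is generated in the wrong direction: the `---` side is the 2010 working copy (`cacert/pages/account/16.php`) and the `+++` side is the 2008 `cacert-old` file, so the whole Method A form, the reminder text and the AUP paragraphs appear as `-` lines and applying the patch removes the feature instead of adding it; regenerate it with the old tree as the first argument (`diff -u cacert-old/... cacert/...`). Inside that new text, the `(TO BE DISCUSSED ->)` marker sits inside a `_()`-wrapped string and would be displayed to users and pushed into the translation catalogue, and the agreement text copied from 3.php still says "Once you decide to subscribe for an SSL Server Certificate" on an organisation client-certificate page. The Method A form posts a `CSR` textarea and `oldid` to account.php, but nothing in the hunk consumes that field, so the paste form has no effect until account.php handles it.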
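Review bot: the second hunk (@@ -87,7 +46,7 @@) changes only the radio button's `checked="checked"` attribute to bare `checked`, which is unrelated to the CSR-paste feature, as is the `<table align="left" valign="left">` versus `align="center" valign="middle"` change at the end of the first hunk; keep such markup cleanups out of the feature patch (or in a separate commit) so the functional change stays reviewable. This hunk has the same reversed `---`/`+++` direction as the first one.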
Thanks a lot for the patch!
I have deployed the patch on our test system at https://www.test2.cacert.at/ now, where it can be tested. (Create a new account there without using real secrets)
I noticed a few problems with the patch:
The patch goes into the wrong direction. It undoes the necessary changes instead of doing them.
It contains the comments
'-> TODO fix translations to lookup for fixed "CAcert Certif*i*cate" string in translations'
(TO BE DISCUSSED ->) The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.
Please discuss/solve them first.
Sorry I can't login to the server as it doesn't accept my mail address - i.e. the test system can't send the verification mail... :-/
How does it undo the changes?
Mathieu, I think all Phillip wants to say is that you issued the diff statement wrong, i.e. "diff <new> <old>", thus the resulting patch REMOVES your changes from your file. We need the opposite patch to add your changes to the OLD version.
After a short review, the patch looks incomplete to me. Mathieu added a 2nd form to the certificate site, which enables a user to submit a CSR.
But the code that picks up that manually submitted CSR and supersedes the browser create key code is IMHO missing. I can not even see that the code picks up the submitted CSR POST variable.
to add a csr form isn't that big a problem.
but the main problem is that the csr content needs to be analysed and processed within /includes/account.php
A similar procedure for server CSRs can be found in section oldid=10 and 11
but org client certs are another type of cert, so this needs deeper analysis and deployment.
the next thing is, before pasting a CSR into the form, the OrgAdmin needs to manually check the CSR that he has received from an org user for all org-specific settings that need to be included in the CSR, that is:
1. all added email addresses ok that correspond to the org enabled domains?
4. codesigning flag
5. O (organisation)
6. L (city)
7. ST (state)
8. C (country code)
One thing that cannot be checked: which of the certs should be used? class1? class3?
all these infos also need to be extracted from the csr, to be verified against the orgadmin and org infos before they can be processed
currently there is no code yet available that can be recycled for adding client cert CSR request handling. CSR structure and fields need to be analysed. an openssl check routine needs to be deployed, and much more
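The manual checklist above (O, L, ST, C, the email domains and the code-signing flag), scripted with the openssl CLI as an added example that is not CAcert's code; the organisation's expected subject values and its enabled domains are assumed inputs, the demo CSR is constructed, and it additionally covers email addresses placed in a subjectAltName, which the list does not mention.

```shell
#!/bin/sh
# Added example (not CAcert code): the manual checks Uli60 lists, run with the
# openssl CLI. Expected O/L/ST/C and the organisation's enabled domains are
# assumed inputs; which root (class 1 or 3) to use still cannot be read from a CSR.
# usage: check_org_csr CSR_FILE ORG CITY STATE COUNTRY "domain1 domain2 ..."
# Prints one line per finding and returns 0 only when every check passes.
check_org_csr() {
  csr=$1 want_o=$2 want_l=$3 want_st=$4 want_c=$5 domains=$6 rc=0
  subj=$(openssl req -noout -subject -nameopt sep_multiline,sname -in "$csr") || return 2
  text=$(openssl req -noout -text -in "$csr") || return 2
  # sep_multiline prints one subject attribute per line, e.g. "    O=Example Org GmbH"
  field() { printf '%s\n' "$subj" | sed -n "s/^ *$1=//p" | head -n 1; }
  for pair in "O:$want_o" "L:$want_l" "ST:$want_st" "C:$want_c"; do
    key=${pair%%:*} want=${pair#*:}
    got=$(field "$key")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: CSR has '$got', organisation record says '$want'"; rc=1
    fi
  done
  # every email in the subject or in a subjectAltName must use an org-enabled domain
  emails=$(printf '%s\n%s\n' "$subj" "$text" |
           grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' | sort -u)
  for addr in $emails; do
    dom=${addr#*@} ok=0
    for allowed in $domains; do [ "$dom" = "$allowed" ] && ok=1; done
    [ "$ok" -eq 1 ] || { echo "UNKNOWN DOMAIN: $addr is not under an enabled domain"; rc=1; }
  done
  # a requested code-signing EKU is reported so the org admin confirms it deliberately
  printf '%s\n' "$text" | grep -q 'Code Signing' && echo "NOTE: CSR requests code signing"
  return $rc
}

# Constructed demo: key and CSR generated the way the notes in this bug do it, then checked.
demo_org_csr_check() {
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/autobuild.key" -out "$d/autobuild.csr" \
    -subj "/C=DE/ST=Bayern/L=Munich/O=Example Org GmbH/OU=Software Development/CN=Build Server/emailAddress=build@example.org" 2>/dev/null
  check_org_csr "$d/autobuild.csr" "Example Org GmbH" Munich Bayern DE "example.org example.net"
  rc=$?; rm -rf "$d"; return $rc
}
case "${1:-}" in demo) demo_org_csr_check ;; esac
```

Run the file with the argument `demo` to generate the constructed CSR and see the check pass; point `check_org_csr` at a received CSR file to use it for real.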
16.php (3,838 bytes)
17.php (7,046 bytes)
19.php (4,206 bytes)
account.php (122,221 bytes)
there are 4 files modified to add a csr paste option
and 3 files under /pages/account/
16.php, 17.php and 19.php
for installation on a local testserver, for review and testing, if the
csr paste will do anything
copied parts from the client cert coding, merged with the org email cert coding.
I've tried an openssl generated priv key, pasted the resulting csr and got a signed key. but I currently cannot test the priv/pub keys atm
maybe someone else will give it a try ?
generate private key with openssl:
openssl genrsa 2048 > www.yourdomain.com.key
generate signing request:
openssl req -new -key www.yourdomain.com.key -out www.yourdomain.com.csr
results in signed key - copy & paste
save to www.yourdomain.com.crt
Verifying a certificate and key are a pair (Extra)
The easy way I have found to do this is to try to export them
openssl pkcs12 -export -in www.yourdomain.com.crt -inkey www.yourdomain.com.key -out www.yourdomain.com.p12
(running this command works, importing the key into FF fails, at least by me, also with variations with -name "<displayname>" and w/ pwd, w/o pwd failed)
Import separate certificate and private key into microsoft certificate store
So microsoft handles certs and keys differently than openssl, in that microsoft packs the key and cert into a single file, .pfx (pkcs12 format).
To pack a key and cert into the same file so that microsoft knows about the private key that is associated with the cert, run the following command
openssl pkcs12 -export -out keycert.pfx -inkey private.key -in certificate.crt
import into ie client cert store works with success
source from: http://knol.google.com/k/openssl-creating-your-own-ca-requesting-and-signing-certs-and-import-them-into#
Checked in changes to git branch bug-824, merged with master branch and installed on testserver.
First review done, removed changes not relevant for this bug.
Did some testing
- Created CSR with:
openssl req -newkey rsa:2048 -keyout autobuild.key -subj "/C=DE/O=convey Information Systems GmbH/OU=Software Development/CN=convey Automatic Build Server/emailAddress=firstname.lastname@example.org" -out autobuild.csr -config openssl.cnf
- Used the result as CSR for "Org Client Certs->New"
- Set other fields of the form:
- Email: email@example.com
- Name: Dummyname
- Department: Test-Abteilung
Certificate created with subject:
C=DE, L=Munich, O=convey Information Systems GmbH, OU=Test-Abteilung, CN=Dummyname/emailAddress=firstname.lastname@example.org
Certificate and key could be used to sign a message with openssl smime ==> certificate and key do match
==> Basic functionality is OK
- Enable certificate login... IMHO does not make sense with Org certs (probably won't work)
- After the certificate was created another click to "Org Client Certs->New" did show the form pre-filled with an additional email line (as if "Another Email" was pressed). IMHO pre-filling the form does not make sense. Maybe the department, but nothing more!
==> Some fixes in details are needed
case study only
for use on local developers image only
NOT TO DEPLOY TO TESTSERVER !!!
closed in the context of bug 790 https://bugs.cacert.org/view.php?id=790
| Date | User | Field | Change |
|---|---|---|---|
| 2010-07-04 08:34 | MathieuSimon | New Issue | |
| 2010-07-04 08:34 | MathieuSimon | File Added: 16.php.proposal2.patch | |
| 2010-07-06 10:43 | Sourcerer | Note Added: 0001586 | |
| 2010-07-06 10:48 | Sourcerer | Status | new => @30@ |
| 2010-07-06 19:44 | MathieuSimon | Note Added: 0001587 | |
| 2010-08-04 11:36 | edgarwahn | Note Added: 0001614 | |
| 2010-08-04 12:27 | edgarwahn | Note Added: 0001616 | |
| 2010-08-04 12:27 | edgarwahn | Assigned To | => Sourcerer |
| 2010-08-04 12:27 | edgarwahn | Status | @30@ => needs feedback |
| 2011-05-15 08:50 | law | Relationship added | related to 0000363 |
| 2011-05-15 18:06 | Ted | Relationship added | related to 0000790 |
| 2011-09-01 14:13 | Uli60 | File Added: 16.php | |
| 2011-09-01 14:25 | Uli60 | Note Added: 0002399 | |
| 2011-09-01 14:27 | Uli60 | Note Edited: 0002399 | |
| 2011-09-02 11:55 | Uli60 | File Deleted: 16.php | |
| 2011-09-02 11:56 | Uli60 | File Added: 16.php | |
| 2011-09-02 11:56 | Uli60 | File Added: 17.php | |
| 2011-09-02 11:57 | Uli60 | File Added: 19.php | |
| 2011-09-02 11:57 | Uli60 | File Added: account.php | |
| 2011-09-02 12:04 | Uli60 | Note Added: 0002401 | |
| 2011-09-02 12:04 | Uli60 | Assigned To | Sourcerer => Uli60 |
| 2011-09-02 12:04 | Uli60 | Status | needs feedback => fix available |
| 2011-09-05 09:58 | Uli60 | Note Added: 0002404 | |
| 2011-09-05 10:12 | Uli60 | Note Edited: 0002404 | |
| 2011-09-05 23:25 | Uli60 | Note Edited: 0002404 | |
| 2011-09-06 16:17 | Ted | Assigned To | Uli60 => Ted |
| 2011-09-06 20:50 | Ted | Source_changeset_attached | => cacert-devel master 7202f2bc |
| 2011-09-06 20:50 | Ted | Source_changeset_attached | => cacert-devel master cca380ee |
| 2011-09-06 20:52 | Ted | Note Added: 0002411 | |
| 2011-09-06 20:52 | Ted | Status | fix available => needs review & testing |
| 2011-09-06 20:52 | Ted | Reviewed by | => Ted |
| 2011-09-06 20:53 | Ted | Note Edited: 0002411 | |
| 2011-09-06 21:28 | Ted | Note Added: 0002412 | |
| 2011-09-15 15:31 | Uli60 | Relationship added | related to 0000847 |
| 2011-09-27 22:56 | Uli60 | Note Added: 0002542 | |
| 2011-09-27 22:56 | Uli60 | Assigned To | Ted => Uli60 |
| 2011-09-27 22:56 | Uli60 | Status | needs review & testing => needs work |
| 2013-08-20 16:41 | Uli60 | Relationship added | related to 0001205 |
| 2014-02-22 08:00 | INOPIAE | Relationship added | related to 0001250 |
| 2014-02-22 08:09 | INOPIAE | Relationship added | related to 0001251 |
| 2014-02-22 08:23 | INOPIAE | Relationship added | related to 0001252 |
| 2015-03-10 20:33 | INOPIAE | Product Version | => 2010 Q3 |
| 2015-03-10 20:33 | INOPIAE | Fixed in Version | => 2014 Q4 |
| 2015-03-10 20:33 | INOPIAE | Target Version | => 2014 Q3 |
| 2015-03-10 20:34 | INOPIAE | Note Added: 0005355 | |
| 2015-03-10 20:34 | INOPIAE | Status | needs work => closed |
| 2015-03-10 20:34 | INOPIAE | Resolution | open => fixed |