Version 11 (modified 11 years ago)
Some of your web sites tell me that your x509 (aka SSL) certificate was signed by an unknown entity. What can I do to get to know you?
An X.509 certificate is a file installed on our web servers that is designed to prove that the web site you are visiting really is run by May First/People Link. The X.509 certificate is used when you visit a site whose address starts with https instead of http.
This step is important because it is possible to type one of our web addresses into your browser but be redirected to another web site that looks like our web site but isn't. If you then enter your username and password on that impostor site, they can be stolen.
When you visit a site that starts with https, your web browser requests the X.509 certificate. Every X.509 certificate a web site presents is signed by a "certificate authority." This signature says: The Certificate Authority called "ABC" (or whatever the name of the Certificate Authority is) assures you that the web site you are visiting really is run by Organization XYZ.
Your web browser comes pre-configured to trust certain corporate certificate authorities, like Thawte and Verisign.
We pay money to Certificate Authorities (such as Thawte) to have them verify our identity and sign our certificates.
We are beginning to take a new track. Rather than paying money to a corporation to prove that we are who we say we are, we are using our own Certificate Authority. We use this certificate authority to certify the identity of some of our web sites, like the OpenPGP keyserver https://keys.mayfirst.org.
The catch: You have to install our Certificate Authority in your web browser and other tools. You can do that by fetching mfpl.crt and following the appropriate instructions for your browser or other tool. Keep in mind that a certificate authority you install can vouch for any web site, not only ours, so verify the certificate (see below) before you install it.
Verifying the certificate
If you'd like to confirm that this certificate is the proper certificate (and you have the OpenPGP key for Jamie or dkg), you can download our respective asc files (from dkg, from jamie) and run, for example:
gpg --verify mfpl.crt.jamie.asc mfpl.crt
You should see output like the following (a "Good signature" only means something if you have already verified that the key belongs to the person named):
gpg: Signature made Tue 11 Mar 2008 08:23:00 PM EDT using DSA key ID 76CC057D
gpg: Good signature from "Jamie McClelland <jamie@mayfirst.org>"
gpg:                 aka "Jamie McClelland <jm@mayfirst.org>"
installing the MF/PL CA in different software
Installing in Firefox or Iceweasel
If you are running Firefox, it will take you through the steps of accepting the certificate automatically. Click the link that says mfpl.crt below, then scroll down and click "original format" where it says "Download in other formats." If Firefox prompts you to save the file, save it to your hard drive. Then click File -> Open and open the file. Follow the prompts to install it, and check the fingerprint Firefox shows against the certificate you verified with gpg before confirming.
Installing in Internet Explorer
If you are running Internet Explorer, download and save the file. Then:
- Click Tools -> Internet Options
- Click Content -> Certificates
- Click the Trusted Root Certification Authorities tab
- Click Import and select the saved file
installing in debian and debian/derived OSes
If you run the Debian OS (or some Debian-derived OS like Mint or Ubuntu), and you want to grant this CA authority for many of the standard tools in Debian, you can add it by putting the certificate as a file in /usr/local/share/ca-certificates/ (the file name must end in .crt or update-ca-certificates will ignore it) and then running update-ca-certificates. You'll need to have superuser privileges for both of these steps.
installing in GnuPG for keyserver connectivity
You might be interested in using this certificate authority to verify connections to https://keys.mayfirst.org when fetching key updates.
To do this, you'll want to save the certificate to some local file (in this example, it's in /path/to/mfpl.crt -- you'll need to adjust to match where you stored the file), and you need to make sure that gnupg-curl is installed.
Add the following lines to ~/.gnupg/gpg.conf:
keyserver hkps://keys.mayfirst.org
keyserver-options ca-cert-file=/path/to/mfpl.crt
Deleting certificates
In Firefox/Iceweasel
- Click Edit -> Preferences
- Click Advanced -> Encryption
- Click View Certificates -> Authorities
- Scroll down to May First/People Link
- Find the old certificate:
  - Click on each certificate listed and then click View
  - Find the one with the serial number matching the serial number of the certificate you want to remove
  - Click OK
- Then select that certificate and click Delete
In debian or derived OSes
As the superuser:
- remove the file from /usr/local/share/ca-certificates/
- run update-ca-certificates
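Both removal procedures above, and the certificate updates listed under History, identify a certificate by its serial number written as colon-separated hex. The following is an added example (not part of this page or of May First/People Link's tooling) that reads that serial straight out of a PEM or DER certificate file so it can be compared with the serials listed on this page. It only walks the first two fields of the DER structure, so it needs no third-party library. Note that the leading "00:" in the listed serials is the sign byte DER prepends when the first real byte has its high bit set; OpenSSL and Firefox display it, so the comparison function ignores it. The SAMPLE_DER value is a constructed stub containing only the fields the parser reads, carrying the serial of the 2008 certificate from the History section; it is not the real mfpl.crt.

```python
"""Extract an X.509 serial number in the colon-hex form shown by Firefox
and OpenSSL.  Added example; not part of the MF/PL page or tooling."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(b"".join(m.group(1).split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end).

    Only the definite-length forms that occur in certificates are handled."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in certificates")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: N length bytes follow
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


def serial_number(der: bytes) -> str:
    """Serial of a DER certificate as 'XX:XX:...', sign byte included.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, pos, _ = read_tlv(der, 0)          # outer Certificate
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                         # [0] version present: skip it
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return ":".join(f"{b:02X}" for b in der[start:end])


def _normalise(serial: str) -> str:
    """Upper-case hex with separators and leading 00 sign bytes removed."""
    s = serial.upper().replace(":", "").replace(" ", "")
    while len(s) > 2 and s.startswith("00"):
        s = s[2:]
    return s


def matches_listed_serial(der: bytes, listed: str) -> bool:
    """True if the certificate's serial equals one copied from the page."""
    return _normalise(serial_number(der)) == _normalise(listed)


def _der(tag: int, content: bytes) -> bytes:
    """Encode one TLV (short or long definite length); used for the sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# Constructed sample: only version and serial are present; a real
# certificate continues with signature algorithm, issuer, validity, etc.
SAMPLE_SERIAL = bytes.fromhex("00DC04BC5B7EE073FA")
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) +       # version v3
    _der(0x02, SAMPLE_SERIAL)))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # e.g. python3 serial.py mfpl.crt
        with open(sys.argv[1], "rb") as f:
            der = pem_to_der(f.read())
    else:
        der = SAMPLE_DER
    print("serial:", serial_number(der))
```

Run it against a downloaded mfpl.crt and compare the printed serial with the ones listed under History; the same value is what "openssl x509 -in mfpl.crt -noout -serial" prints without the colons.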
History
Certificate updates
- 2008-05-24 We generated a new certificate due to the Debian openssl vulnerability. Please remove our old certificate and replace it with the attached one. The old certificate has the serial number 00:DC:04:BC:5B:7E:E0:73:FA.
- 2009-01-12 We have generated a new certificate due to weaknesses in the method we used to sign our previous certificate. The old certificate has the serial number: 00:D2:CB:A4:EB:C6:65:92:DF.
- 2010-11 discussion about yet another certificate authority overhaul begins...
Attachments (3)
- mfpl.crt (1.3 KB) - added 15 years ago. Replacement cert signed with sha1
- mfpl.crt.dkg.asc (827 bytes) - added 15 years ago. dkg's signature on new MFPL Root CA certificate
- mfpl.crt.jamie.asc (836 bytes) - added 13 years ago. Replacement signature of new sha1 cert