• Roots
• TestNewRootCerts

Welcome to New Root Certificate Task Force

Announcement

• We are pleased to announce that we have set-up the CAcert test systems with samples of CAcert new root certificate model.

• We need volunteers to create client/server certificates and put them on test webservers or send signed emails.

• So we can get some feed back and make some changes before we do the real ceremony of issuing the new CAcert root certificates that are likely to be included in Mozilla Firefox / Thunderbird.

Procedure

• The test1.cacert.at system is TEST only and completely separate from the main www.cacert.org, so you need to create new accounts and add domains & emails.

• Please create 2 accounts and ask support (at) cacert.org to add trust points in one of your CAcert TEST accounts. So, with 2 accounts, you can create both Assured and non-Assured certificates. Life time of the client certs may change from www.cacert.org

• If you want to do email signing & ciphering tests, you can ask guillaume (at) cacert.org for example!

Details

• As part of the New Roots project we would like YOU! to test the next generation of CAcert root certificates.

• The cert chains are composed of:

  • the CAcert Root certificate + the CAcert Community Member subroot cert (formely known as class1)

  • the CAcert Root certificate + the CAcert Community Assured Member subroot cert (formely known as class3)

• The certificates are loaded on http://www.test1.cacert.at so feel free to register an account and create certificates.

• In case we need to modify the root certs, we will issue new ones and so you could test them again (please!).
• Please, the root/subroot names start with "TEST" (it will be removed for the real ceremony)

• We want to verify that the whole chain of root + subroot + client certs is working fine.

• The lifetime of the client certs may change from www.cacert.org system

Test Plan

Improve this...

• The signed certificates will be tested for acceptance by different browsers (Mozilla, Internet Explorer, Opera, Safari, etc.) and key managers.

Download the certificates

Here are the current root certificates :

• pkcs12 format test client certificate : password is "cacert", the root/subroot are included, you need to validate the root cert in the keystore first.

Contact

• Please report comments on the usual support lists as well as support (at) cacert.org and mention "Test System" in the title.
• You may find issues on the TEST system, please report the problems and mention it is about "TEST System", so we can fix them.
• You can put a comment in the "Comments" page below.

Code source for review

• Please if you feel skilled enough, you may help reviewing this part of the root cert Ceremony script
• How to run :
  • Step 1 : there is a genKeys.sh script to generate the root keys with OpenSSL in "keys" directory (optional).
  • Step 2 : the project is a Java Eclipse project. You have to run the org.cacert.ceremony.Ceremony class and fetch the certs in "signingengine", a sample pkcs12 file is provided for testing purpose. It includes the whole chain (CAcert Assured Members subroot). Look at readme.txt for some details.

• beta code here for CAcertCeremonyScript review Last update : Sat November 14th 2008

• TODO :
  • add a ANT script to automate genKeys.sh + org.cacert.ceremony.Ceremony

  • do some more testing : today only the CAcert Root certificate + the CAcert Community Assured Member subroot cert test has been automated.

  • writing down all the ceremony (text file!)
  • far much more comments in the code !
• please if you have a patch, send a copy to support (at) cacert.org, thanks !

Comments about the test systems

• The production system and the testsystem are completely seperated systems.
• The testsystem started with an empty database, so every account has to be freshly created.
• The testsystem does not know anything about the contents of the production database.
• The testsystem only has a copy of the country-region-location-database from the production system
• The automated data and software-transfer is always from the production system to the testsystem, never into the other direction.

• link for LostPassword https://www.test1.cacert.at/index.php?id=5

Points to discuss

• The passwords for the RSA keys are 32 bytes longs (256 bits), we set the value because the cipher is AES256. Is it the proper size ? => it seems correct.

• We need to generate a revocation files of the subroots. => to investigate further => tried to generate CRL but no reply so far

• We need to make sure we can do certificate login. background idea : how to configure it + is there any problem in case we keep the old Root cert for "class1" and audit the new "CAcert Assured Member" subroot
• Can OCSP current URL can handle both old Root cert issued certificates and the new Root/Subroot cert issued certs ?
• ... more

Random generators

• under testing :
  • /dev/random (keyboard + mouse)
  • /dev/random + turbid (sound card)
  • havege (randomness from cpu internals) but no /dev/hrandom possible on recent systems (or we could mix havege libs with randomsound lightweight project)
  • /dev/random + randomsound (sound card)

• some draft datas : DevRandomTest

Alternate technologies

• BouncyCastle

• JSS

User comments

On Wed, 2008-10-29 at 20:39 +0000, Tom Dawes-Gamble wrote:
> > Hi,
> > 
> > I have installed my first TEST certificate (unassured) on a web server. 
> > The server is.  https://wallis.weardale.cl/ This is how I have
> > configured apache.
> > 
> > Copied interrmCA.crt on to the server and set 
> > 
> > SSLCertificateChainFile /local/copy/of/intrmCA.crt
> > SSLCertificateFile      /my/unasured/signed/certificate.pem
> > SSLCertificateKeyFile   /my/private/key.pem
> > 
> > 
> > restart the server.

Hi,


I have now imported the TEST root Certificate and the Interim
Certificate in to Evolution and my signature now the Signature verifies.


Tom.

add a comment : Roots/TestNewRootCerts/Comments

• CategoryAudit

• CategoryNewRootsTaskForce