Welcome to New Root Certificate Task Force
Announcement
We are pleased to announce that we have set up the CAcert test systems with samples of the new CAcert root certificate model.
We need volunteers to create client/server certificates and put them on test web servers or send signed emails.
That way we can get some feedback and make changes before the real ceremony of issuing the new CAcert root certificates, which are likely to be included in Mozilla Firefox / Thunderbird.
Procedure
The test1.cacert.at system is for TEST only and is completely separate from the main www.cacert.org, so you need to create new accounts and add domains & emails.
Please create 2 accounts and ask support (at) cacert.org to add trust points to one of your CAcert TEST accounts. With 2 accounts you can create both Assured and non-Assured certificates. The lifetime of the client certs may differ from www.cacert.org.
If you want to do email signing & encryption tests, you can ask guillaume (at) cacert.org, for example!
Details
As part of the New Roots project we would like YOU to test the next generation of CAcert root certificates!
- The cert chains are composed of:
  - the CAcert Root certificate + the CAcert Community Member subroot cert (formerly known as class1)
  - the CAcert Root certificate + the CAcert Community Assured Member subroot cert (formerly known as class3)
- The certificates are loaded on http://www.test1.cacert.at so feel free to register an account and create certificates.
- In case we need to modify the root certs, we will issue new ones, so you could test them again (please!).
- Please note that the root/subroot names start with "TEST" (it will be removed for the real ceremony).
- We want to verify that the whole chain of root + subroot + client certs is working fine.
- The lifetime of the client certs may differ from the www.cacert.org system.
Certificate update | cert issuing date | still in use on test1
root + Community Member subroot + Community Assured Member subroot | Oct 25th 2008 | no
root + Community Member subroot + Community Assured Member subroot | Oct 26th 2008 | yes
Test Plan
Improve this...
- The signed certificates will be tested for acceptance by different browsers (Mozilla, Internet Explorer, Opera, Safari, etc.) and key managers.
Download the certificates
Here are the current root certificates:
Certificate | download into browser | read the details
Root certificate | |
Community Member subroot | |
Community Assured Member subroot | |
pkcs12 format test client certificate: the password is "cacert" and the root/subroot are included; you need to validate (trust) the root cert in the keystore first.
Contact
- Please report comments on the usual support lists as well as to support (at) cacert.org and mention "Test System" in the title.
- You may find issues on the TEST system; please report the problems and mention that they are about the "TEST System", so we can fix them.
- You can put a comment in the "Comments" page below.
Code source for review
- Please, if you feel skilled enough, you may help review this part of the root cert ceremony script.
- How to run:
  - Step 1: there is a genKeys.sh script to generate the root keys with OpenSSL in the "keys" directory (optional).
  - Step 2: the project is a Java Eclipse project. Run the org.cacert.ceremony.Ceremony class and fetch the certs in "signingengine"; a sample pkcs12 file is provided for testing purposes. It includes the whole chain (CAcert Assured Members subroot). Look at readme.txt for some details.
Beta code here for CAcertCeremonyScript review. Last update: Sat November 14th 2008
- TODO:
  - add an ANT script to automate genKeys.sh + org.cacert.ceremony.Ceremony
  - do some more testing: today only the CAcert Root certificate + the CAcert Community Assured Member subroot cert test has been automated
  - write down the whole ceremony (text file!)
  - far more comments in the code!
- Please, if you have a patch, send a copy to support (at) cacert.org, thanks!
Comments about the test systems
- The production system and the test system are completely separate systems.
- The test system started with an empty database, so every account has to be freshly created.
- The test system does not know anything about the contents of the production database.
- The test system only has a copy of the country-region-location database from the production system.
- The automated data and software transfer is always from the production system to the test system, never in the other direction.
Link for LostPassword: https://www.test1.cacert.at/index.php?id=5
Points to discuss
- The passwords for the RSA keys are 32 bytes long (256 bits); we chose that value because the cipher is AES256. Is it the proper size? => it seems correct.
- We need to generate revocation files (CRLs) for the subroots. => to investigate further => tried to generate a CRL but no reply so far
- We need to make sure we can do certificate login. Background idea: how to configure it, and is there any problem if we keep the old Root cert for "class1" and audit the new "CAcert Assured Member" subroot?
- Can the current OCSP URL handle both the certificates issued by the old Root cert and the certs issued by the new Root/Subroot?
- ... more
Random generators
- under testing:
  - /dev/random (keyboard + mouse)
  - /dev/random + turbid (sound card)
  - havege (randomness from CPU internals), but no /dev/hrandom is possible on recent systems (or we could mix the havege libs with the lightweight randomsound project)
  - /dev/random + randomsound (sound card)
Some draft data: DevRandomTest
Alternate technologies
User comments
Contributors (listing is out of order, feel free to add your name):
- Tom Dawes-Gamble,
- Alejandro Mery,
- Norman H. Azadian,
- Morten Gulbrandsen,
- The readers for the CAcert mailing lists,
And the CAcert Root Key Task Force: Ian Grigg, Teus Hagen, Philipp "Sourcerer" Gühring & Mr Rogmany aka GolfRomeo
Comments:
On Wed, 2008-10-29 at 20:39 +0000, Tom Dawes-Gamble wrote:
> Hi,
>
> I have installed my first TEST certificate (unassured) on a web server.
> The server is https://wallis.weardale.cl/ This is how I have configured Apache.
>
> Copied interrmCA.crt on to the server and set
>
>     SSLCertificateChainFile /local/copy/of/intrmCA.crt
>     SSLCertificateFile /my/unasured/signed/certificate.pem
>     SSLCertificateKeyFile /my/private/key.pem
>
> restart the server.

Hi, I have now imported the TEST root Certificate and the Interim Certificate into Evolution and my signature now verifies. Tom.
Add a comment: Roots/TestNewRootCerts/Comments