How do I install the CAcert source?

Quick and dirty

Developers who want to experiment with the source code can follow this guide to install it (please add anything you find to this guide!).

Be aware that you are entering uncharted territory here: if something does not work, try to figure it out yourself or ask on IRC.

  1. First download the source from https://www.cacert.org/src-lic.php

  2. Extract it to some directory
  3. Set up an Apache virtual host for this (cacert-dev.example.org)
  4. Point the document root to "path-to-source/www"
  5. Enable AllowOverride All on the directory so the .htaccess is able to override the settings

  6. Change the path to the general.php in the .htaccess file
  7. Change the path to the source-root in include/general.php
  8. Copy include/mysql.php.sample to include/mysql.php
  9. Create a database for cacert and a separate user
  10. Fill the database using cacert.sql
  11. Change mysql.php at the top so cacert finds the path, and change the vhost for the SSL and non-SSL hosts

Paths

Create the following dirs in your cacert-path:

Make sure that crt/ and csr/ are readable and writable by your web user.

Change the paths to your cacert-installation in scripts/*.c and run "make" afterwards to create the wrappers. I guess that the wrappers would be running setuid some-user (root?) in order to have access to the CA files, so the webserver does not need to have access to those. I decided to leave that for my test-installation.

Create your own CA

In order to fully test your installation you need to be able to create, sign and so on. For that you need your own CA. Change to your cacert path and run "CA.sh", which is delivered together with openssl (on Debian it was in /usr/lib/ssl/misc/). Fill in sensible values and choose a passphrase. It seems that the devel scripts have the passphrase "test", so it may be easiest to set it to the same value.
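A permission check for the layout described in the Paths and CA sections above, added here as an example (it is not part of the CAcert source). It verifies that crt/ and csr/ are usable by the web user without being world-writable and that the CA key is not readable by group or others. The `demoCA/private/cakey.pem` location is where OpenSSL's CA.sh puts the key by default; the function names and the `www-data` user in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CAcert source: permission audit for a dev tree.
# Assumed layout: ROOT/crt, ROOT/csr and ROOT/demoCA/private/cakey.pem
# (the key file that OpenSSL's CA.sh creates under demoCA/).

# has_perm PATH MODE -> true if PATH has every permission bit in MODE set
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# web_can_rw DIR USER -> true if USER gets rwx on DIR as owner or via primary group
web_can_rw() {
    grp=$(id -gn "$2" 2>/dev/null)
    { [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ] && has_perm "$1" 700; } ||
    { [ -n "$grp" ] && [ -n "$(find "$1" -prune -group "$grp" 2>/dev/null)" ] &&
      has_perm "$1" 070; }
}

# audit_cacert_tree ROOT WEBUSER -> prints one FINDING line per problem,
# returns 0 if the tree is clean and 1 otherwise
audit_cacert_tree() {
    root=$1 webuser=$2 status=0
    for d in crt csr; do
        if [ ! -d "$root/$d" ]; then
            echo "FINDING: $d/ is missing"; status=1
            continue
        fi
        if ! web_can_rw "$root/$d" "$webuser"; then
            echo "FINDING: $d/ is not readable and writable by $webuser"; status=1
        fi
        # chmod 777 satisfies the web user but lets every local account write too
        if has_perm "$root/$d" 002; then
            echo "FINDING: $d/ is world-writable"; status=1
        fi
    done
    key=$root/demoCA/private/cakey.pem
    if [ ! -f "$key" ]; then
        echo "FINDING: demoCA/private/cakey.pem is missing (CA not created yet)"; status=1
    elif has_perm "$key" 040 || has_perm "$key" 004; then
        echo "FINDING: CA key is readable by group or others"; status=1
    fi
    return $status
}

# Usage (www-data is an assumed web user): sh audit.sh /path/to/cacert www-data
if [ "$#" -eq 2 ]; then audit_cacert_tree "$1" "$2"; fi
```
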

Create the config files for the actions

Every action (sign email, sign orgemail, ...) has its own config file in etc/ssl/. I copied my /usr/lib/ssl/openssl.cnf file to the target file, changed the path to my cacert-path ($path/demoCA/) and set the following values:

etc/ssl/openssl-client.cnf