Purpose

This wiki page is used to maintain a complete list of CAcert's service-related certificates with all required details for keeping them up-to-date.

Most of CAcert's services run over HTTPS, secured by a CAcert-issued certificate. These certificates must be renewed in good time so that services do not fail because a certificate has expired. In general the certificate owner is responsible for timely renewal and re-installation of the certificate; however, in some cases the owner may not be available or may not be aware of a problem. It is therefore useful to collect the information about all of CAcert's current service-related certificates in one place, allowing other system administrators to act as a backup if necessary.

Certificate List

The page covering procedures and organisation administrators is SystemAdministration/Procedures/CertificateIssuing

www.cacert.org

CN: www.cacert.org
Owner: critical-admin@cacert.org
Altnames: DNS:www.cacert.org, DNS:secure.cacert.org, DNS:wwwmail.cacert.org, DNS:cacert.org, DNS:www.cacert.net, DNS:cacert.net, DNS:www.cacert.com, DNS:cacert.com
Expiration date: May 6 18:46:41 2014 GMT
Key and cert kept at: www.cacert.org:/home/cacert/etc/ssl/certs/cacert.crt
Other info:

email.cacert.org

CN: email.cacert.org
Owner: as per system documentation
Altnames: (none)
Expiration date: May 6 12:08:16 2014 GMT
cert kept at: email:/etc/ssl/certs/ssl-cert-email-cacert.pem
key kept at: email:/etc/ssl/private/ssl-cert-email-cacert.key
Other info: SN 766837 (0xbb375)

CN: email.cacert.org
SN: 5f22d
Owner: ?
Altnames: (none)
Expiration date: Nov 11 10:46:28 2012 GMT
cert kept at: ?
key kept at: (Tunix)
Other info: probe - openssl s_client -connect email.cacert.org:25 -starttls smtp | openssl x509 -text -noout

lists.cacert.org

CN: lists.cacert.org
Owner: as per system documentation
Altnames: DNS:lists.cacert.org, DNS:cert.lists.cacert.org, DNS:nocert.lists.cacert.org
Expiration date: Mar 1 10:41:03 2014 GMT
cert kept at: lists:/etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem
key kept at: lists:/etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem
Other info: referenced by apache and postfix

community.cacert.org

CN: CN=community.cacert.org
Owner: (as per system documentation for community (webmail) and email)
Altnames: DNS:community.cacert.org, DNS:nocert.community.cacert.org, DNS:cert.community.cacert.org
Expiration date: May 18 10:54:18 2014 GMT
cert kept at: community:/etc/ssl/certs/ssl-cert-community-cacert.crt (https)
key kept at: community:/etc/ssl/private/ssl-cert-community-cacert.key (https)
cert kept at: email:/etc/ssl/certs/ssl-cert-community-cacert.pem (imap/pop3/managesieve)
key kept at: email:/etc/ssl/private/ssl-cert-community-cacert.key (imap/pop3/managesieve)
Other info:

bugs.cacert.org

CN: CN=bugs.cacert.org
Owner: bugs-admin@cacert.org
Altnames: DNS:bugs.cacert.org, DNS:cert.bugs.cacert.org, DNS:nocert.bugs.cacert.org
Expiration date: May 8 16:28:04 2014 GMT
Key and cert kept at: bugs:/etc/ssl/bugs.pem /etc/ssl/private/bugs2010.key
Serial Number: 767533 (0xbb62d)
Other info:

board.cacert.org

CN: board.cacert.org
Owner: Mario Lipinski
Altnames: board.cacert.org cod.cacert.org
Expiration date: 2013-04-29 11:32:09 GMT
Cert kept at: board:/etc/ssl/certs/board.crt
Key kept at: board:/etc/ssl/private/board.key
Serial Number: 0A:28:1E

irc.cacert.org

CN: CN=irc.cacert.org
Owner: irc-admin@cacert.org
Altnames: DNS:irc.cacert.org, DNS:nocert.irc.cacert.org, DNS:cert.irc.cacert.org
Expiration date: May 9 13:35:28 2014 GMT
Key and cert kept at: /root/irc2010.pem /root/irc2010_privatekey.pem
Other info: Serial Number: 767775 (0xbb71f)

blog.cacert.org

CN: CN=blog.cacert.org
SN: 683058
Owner: as per system documentation
Altnames: none
Expiration date: Jul 2 14:50:45 2013 GMT
Key and cert kept at: blog:/etc/ssl/certs/ssl-cert-blog-cacert.pem

wiki.cacert.org

CN: CN=wiki.cacert.org
Owner: as per system documentation
Altnames: none
Expiration date: Jul 2 14:50:45 2013 GMT
Key and cert kept at: wiki:/etc/ssl/{certs/wiki.cacert.org.pem,private/wiki.cacert.org.key}

crl.cacert.org

CN: CN=crl.cacert.org/emailAddress=support@cacert.org
Owner: ?
Altnames: none
Expiration date: May 2 16:42:08 2013 GMT
Key and cert kept at: ?
Other info: This cert must also be sent to Tunix as /certs/crl.cacert.org.pem

ocsp.cacert.org

CN: CN=ocsp.cacert.org/emailAddress=support@cacert.org
SN: 662213 (0xa1ac5)
Owner: critical-admin@cacert.org
Altnames: none
Expiration date: Apr 17 22:14:34 2013 GMT
Key and cert kept at: tunix
Other info: This is the HTTPS certificate - no OCSP signing extension. This cert must also be sent to Tunix as /certs/ocsp.cacert.org.pem

CN: ocsp.cacert.org
SN: 695283 (0xa9bf3)
Owner: critical-admin@cacert.org
Altnames: none
Expiration date: Aug 22 00:02:56 2013 GMT
Key and cert kept at: ocsp:/usr/local/ocsp/certs/class1.crt
Other info: class1 issued with X509v3 Extended Key Usage: OCSP Signing

CN: ocsp.cacert.org
SN: 56486 (0xdca6)
Owner: critical-admin@cacert.org
Altnames: none
Expiration date: Aug 22 00:08:37 2013 GMT
Key and cert kept at: ocsp:/usr/local/ocsp/certs/class3-1.crt
Other info: class3 issued with X509v3 Extended Key Usage: OCSP Signing

Note: generating a CSR with OCSP Signing flag set can be done with an openssl config file like this:

[ req ]
distinguished_name      = req_distinguished_name
prompt                  = no
req_extensions          = ocsp_req

[ req_distinguished_name ]
countryName             = AU
stateOrProvinceName     = NSW
localityName            = Sydney
0.organizationName      = CAcert Inc.
organizationalUnitName  = Server Administration
commonName              = ocsp.cacert.org
emailAddress            = critical-admin@cacert.org

[ ocsp_req ]
basicConstraints=CA:FALSE
extendedKeyUsage=1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.9

To sign such a CSR while retaining the OCSP Signing flag in the generated certificate, there is some dark magic involved: you have to have the admin flag set and check a box deep down on the second page of the new cert process.
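
The CSR step from the note above, plus a check that the OCSP Signing flag is present in the request and, later, in the issued certificate. This is an added example, not CAcert's own tooling; the helper names, the file names (ocsp.cnf, ocsp.key, ocsp.csr) and the 2048-bit RSA key are assumptions.

```shell
# Added example; helper and file names (ocsp.cnf, ocsp.key, ocsp.csr) are assumptions.

# write_ocsp_config FILE: the config from the note above, unchanged.
write_ocsp_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name      = req_distinguished_name
prompt                  = no
req_extensions          = ocsp_req

[ req_distinguished_name ]
countryName             = AU
stateOrProvinceName     = NSW
localityName            = Sydney
0.organizationName      = CAcert Inc.
organizationalUnitName  = Server Administration
commonName              = ocsp.cacert.org
emailAddress            = critical-admin@cacert.org

[ ocsp_req ]
basicConstraints=CA:FALSE
extendedKeyUsage=1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.9
EOF
}

# make_ocsp_csr DIR: new RSA key (size is an assumption) and CSR in DIR, not group/world readable.
make_ocsp_csr() {
    write_ocsp_config "$1/ocsp.cnf" &&
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/ocsp.cnf" -keyout "$1/ocsp.key" -out "$1/ocsp.csr" 2>/dev/null)
}

# csr_has_ocsp_signing CSR: true only if the request asks for OCSP Signing and CA:FALSE.
csr_has_ocsp_signing() {
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'OCSP Signing' &&
        printf '%s\n' "$text" | grep -q 'CA:FALSE'
}

# cert_has_ocsp_signing CERT: run on the issued certificate, since signing can drop the flag.
cert_has_ocsp_signing() {
    openssl x509 -in "$1" -noout -text | grep -q 'OCSP Signing'
}

dir=$(mktemp -d) && make_ocsp_csr "$dir" &&
    csr_has_ocsp_signing "$dir/ocsp.csr" && echo "CSR requests OCSP Signing"
rm -rf "$dir"
```

Running cert_has_ocsp_signing on the certificate that comes back catches the case where the checkbox mentioned above was missed and the certificate was issued without the extension.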

svn.cacert.org

CN

CN: CN=svn.cacert.org
Owner: svn-admin@cacert.org as per system documentation
Altnames: DNS:svn.cacert.org, DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org
Expiration date: May 4 00:29:29 2014 GMT
Key and cert kept at: svn:/root/svn2010.pem svn:/root/svn2010_privatekey.pem
Serial Number: 766286 (0xbb14e)
Other info:

issue.cacert.org

CN

CN: CN=issue.cacert.org
Owner: as per system documentation
Altnames: none
Expiration date: May 14 20:21:51 2013 GMT
Key and cert kept at: issue:/etc/ssl/{certs/issue.cacert.org.pem,private/issue.cacert.org.key}

cats.cacert.org

CN: cats.cacert.org
Owner: EducationOfficer, currently BernhardFröhlich
Altnames: None
Expiration date: May 4 00:38:57 2014 GMT
Key and cert kept at: cats:/home/cats/ssl/private/cats_privatekey.pem and cats:/home/cats/ssl/certs/cats_cert.pem
Serial Number: 766288 (0xbb150)
Other info:

monitor.cacert.org

CN: monitor.cacert.org
Owner: MichaelTänzer
Altnames: DNS:monitor.cacert.org, DNS:monitor.intra.cacert.org, DNS:*.monitor.cacert.org, DNS:*.monitor.intra.cacert.org
Expiration date: Jul 4 00:02:47 2013 GMT
Key and cert kept at: /etc/ssl/private/monitor.c.o.priv /etc/ssl/certs/monitor.c.o.pem
Other info:

community-vpn.cacert.org

CN: community-vpn.cacert.org
Owner: DominikGeorge
Altnames: None
Expiration date: Aug 26 13:44:49 2013 GMT
Key and cert kept at: ?
Other info:

translations.cacert.org

CN: translations.cacert.org
Owner: MichaelTänzer
Altnames: DNS:translations.cacert.org, DNS:l10n.cacert.org
Expiration date: Oct 16 18:27:31 2013 GMT
Key and cert kept at: /etc/ssl/private/translations.c.o.priv /etc/ssl/certs/translations.c.o.pem
Other info:

Comments



SystemAdministration/CertificateList (last edited 2012-05-18 11:01:10 by MichaelTänzer)