Workshop on 11/02/2020: Introduction to CAcert

This workshop hasn’t yet taken place, but this page contains useful information for people wishing to prepare for the workshop before it happens. This post will be updated when the workshop has concluded.

If you get stuck following any of this, you can always talk to us about it using our usual contact details (such as chat rooms, mailing lists, etc…). CAcert also have various channels for help.

Install CAcert’s root & intermediate certificates

The PCs at the workshop will already have these installed, but if you want to use the CAcert website and maybe take the Assurer Challenge prior to arrival, you should also have them installed on your machine.

Depending on your OS/browser there are different ways of installing these, as detailed on the CAcert wiki here and here. We’ve detailed a few likely scenarios below whilst assuming you’re running a modern OS/browser. If these instructions don’t work then see the CAcert wiki for more options.

It’s always a good idea to view any certificate you install and check that its fingerprints match what you expected. That way, if the certificates were tampered with while being acquired, you can spot it! You can find out more in the CAcert wiki as well.
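One way to do this check from a terminal, as an added example (not part of the original post or of CAcert’s own instructions). It assumes the OpenSSL utility is installed, that you pass whatever file name you saved the download as, and that you copy the expected SHA-256 fingerprint yourself from a source you trust, such as the CAcert wiki.

```shell
#!/bin/sh
# Added example: compare a downloaded certificate's SHA-256 fingerprint
# with a value obtained separately from a trusted source.

# Print the certificate's SHA-256 fingerprint as bare upper-case hex
# (strips the "... Fingerprint=" label and the colons).
# Prints nothing if the file is not a parseable certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' | tr -d ':\n' | tr 'abcdef' 'ABCDEF'
}

# Normalise a fingerprint copied from a web page or printout:
# drop colons and whitespace, then upper-case the hex digits.
normalise_fingerprint() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Return 0 only if file $1 is a certificate whose fingerprint equals $2.
# An unreadable file or an empty fingerprint never counts as a match.
verify_fingerprint() {
    actual=$(cert_fingerprint "$1")
    expected=$(normalise_fingerprint "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage: sh check_fingerprint.sh <downloaded file> '<expected fingerprint>'
if [ "$#" -eq 2 ]; then
    if verify_fingerprint "$1" "$2"; then
        echo "OK: fingerprint matches"
    else
        echo "MISMATCH: do not install $1" >&2
        exit 1
    fi
fi
```

Run it once for the ‘root’ certificate and once for the ‘class3’ certificate before importing either of them.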

Adding to Firefox (on any desktop OS)…

Browse to the following web page…

Click ‘Root Certificate (PEM Format)’, tick ‘Trust this CA to identify web sites.’ and then OK. Finally click ‘Intermediate Certificate (PEM Format)’ and just click OK (no need to click Trust on that). For a step by step view see the gallery below…

Adding to Linux (e.g. Chrome and Opera)…

Whilst you could add these certificates system wide (and how you did that would differ vastly depending on your distribution), it wouldn’t help with accessing the CAcert website. That’s because Chrome, Opera and Firefox (see above if using Firefox) all use their own certificate stores if they’re running on Linux. So ultimately we’re just going to show you how to add them to Chromium-based browsers (which Chrome and Opera are) running on Linux.

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from…

Access your browser’s settings and search for ‘Manage certificates’, then on the ‘Authorities’ tab first import the ‘root’ certificate and remember to tick ‘Trust this certificate for identifying websites’. Then afterwards import the ‘class3’ (intermediate) certificate (you don’t need to tick Trust for this). For a step by step view see the gallery below…

Adding to macOS (e.g. Safari, Chrome, Opera and Edge)…

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from…

Open the ‘root’ certificate first, pick ‘System’ when it asks for a keychain, confirm your normal macOS password and then finally mark it as trusted (see the screen shots below). Then open the ‘class3’ (intermediate) certificate and add it in the same way (no need to manually mark this as trusted). Your browser may need to be completely closed and reopened for it to have any effect. For a step by step view see the gallery below…

Adding to Windows (e.g. Edge, IE, Chrome and Opera)

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from…

Open the ‘root’ certificate first, then choose to install the certificate (it may prompt for permission) to the ‘Local Machine’ location under the ‘Trusted Root Certification Authorities’ store. Then repeat the process for the ‘class3’ (intermediate) certificate only this time you want the ‘Intermediate Certification Authorities’ store. For a step by step view see the gallery below…

Creating a CAcert account

Phew! Now that’s over with (we’ll be going into why that is required for CAcert vs. other CAs in the workshop!) head over to to make a new account. This should be self explanatory, just make sure you put your proper full legal name (as shown on government ID) and an e-mail address you can access for verification. Here are a few images showing the steps in case for some odd reason you get confused…

Creating a client certificate

You’ll need to create a client certificate to identify yourself to systems such as the one for the Assurers Challenge. This requires a private key and certificate signing request (CSR) to be generated. In the past web browsers could do this on the page itself but sadly this feature has been dropped. So we’ll use the OpenSSL utility to generate them instead.

Luckily macOS and Linux users will likely find this utility already installed, but not so for Windows users! They can instead follow someone else’s guide for getting a pre-built copy of OpenSSL (compiled by ‘Shining Light Productions’) installed on their system… please make sure you follow that last step regarding adding it to your path!

Open a Terminal (or ‘Command Prompt’ for you Windows users) and change to the directory where your web browser downloads files to (e.g. your ‘Downloads’ directory). Then run the following command, and DON’T CLOSE your Terminal/Command Prompt when you’re done…

openssl req -nodes -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -subj "/"

Open your favourite text editor (e.g. Gedit, Kate, Pluma, Notepad, TextEdit, etc…) and open the file ‘client.csr’ which you just created.

Leave that open and now using your web browser go to and login using the ‘Password Login’ on the right hand side, then under ‘Client Certificates’ pick ‘New’.

Tick your e-mail address (if you’ve already earned enough points to be assured, you’ll find you can also add your full name too… this allows you to print a certificate off for the Assurer Test – but it’s mostly vanity) and also tick ‘Show advanced options’ so that we can copy & paste the CSR from our text editor into the area called ‘Optional Client CSR’.

Next accept the ‘CAcert Community Agreement’ and press ‘Next’ (BE PATIENT! the next page will load but it’ll take a while!). Then click ‘Download the certificate in PEM format’ and rename the file that downloads to simply be named ‘client.crt’.

Finally we need to import your client private key and certificate into your OS/browser. The best way to do this is to merge them into a single PKCS #12 formatted file first. Back on your Terminal (or Command Prompt) run the command below. It’ll ask you for a password (choose wisely and remember it) which you’ll need when importing it later into your OS/Browser…

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt

Once this is created you should keep a copy of this new ‘client.pfx’ file in a safe place and you can delete (checking things like Trash/Bin/Recycle Bin) any files like ‘client.crt’ and ‘client.key’ which were used in its creation.
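A check worth running just before the ‘openssl pkcs12 -export’ step, as an added example (not part of the original post). It confirms that ‘client.csr’ and the downloaded ‘client.crt’ both carry the public key of ‘client.key’, which catches the case where the key was regenerated after the CSR was pasted in. The function names are made up for this example, and it assumes the key is unencrypted, as the ‘-nodes’ option in the command above makes it.

```shell
#!/bin/sh
# Added example: confirm that client.csr and client.crt both belong to
# client.key before merging them into client.pfx.

# Print the public key (PEM) held in a private key, CSR or certificate.
# $1 = key|csr|crt, $2 = file. Prints nothing if the file cannot be parsed.
public_key_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -pubkey -noout ;;
    esac 2>/dev/null
}

# Return 0 only if file $3 (of kind $2) carries the public key of
# private key $1. Unreadable files never count as a match.
same_key() {
    want=$(public_key_of key "$1")
    got=$(public_key_of "$2" "$3")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Return 0 only if both the CSR and the issued certificate match the key.
# $1 = private key, $2 = CSR, $3 = certificate
check_client_files() {
    same_key "$1" csr "$2" || { echo "CSR does not match $1" >&2; return 1; }
    same_key "$1" crt "$3" || { echo "certificate does not match $1" >&2; return 1; }
}

# Usage: sh check_client.sh client.key client.csr client.crt
if [ "$#" -eq 3 ]; then
    check_client_files "$1" "$2" "$3" && echo "OK: key, CSR and certificate match"
fi
```

Only delete ‘client.key’ and ‘client.crt’ once this check has passed and ‘client.pfx’ has been imported successfully.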

Importing into Firefox (on any desktop OS)…

Go to Preferences and find the button for ‘View Certificates…’. Under the ‘Your Certificates’ tab use ‘Import…’ select ‘client.pfx’ and enter your secret password. It’s that simple, but here’s some nice pictures just in case…

Importing into Linux (e.g. Chrome and Opera)…

As mentioned before with the root and intermediate certificates, this essentially just covers Chromium based browsers running on Linux (as Firefox is covered above and Linux has no common certificate store).

In your Settings go to ‘Manage certificates’ then under the tab ‘Your certificates’ use the ‘Import’ button, select ‘client.pfx’ and enter your secret password. As ever, here are some handy images to show the steps…

Importing into macOS (e.g. Safari, Chrome, Opera and Edge)…

Just open the ‘client.pfx’ file from your Downloads directory, it’ll prompt you for your normal macOS user password and then afterwards ask for your secret password. At this point it’ll be installed and you can close the ‘Keychain Access’ program, you may need to completely close and re-open your web browser for it to work too. Here are some screen shots…

Importing into Windows (e.g. Edge, IE, Chrome and Opera)

Open the ‘client.pfx’ file from your Downloads folder and follow the default options of installing it for the current user & automatically select the store, just provide your secret password. Screen shots below…

Take the Assurer’s Challenge!

Basically head on over to using whichever OS and browser you’ve properly got your root, intermediate and personal client certificate and key installed into. Click ‘Login’ and it should confirm your details. If you included your full name in your client certificate it should show here, otherwise it’ll just be your e-mail address… click ‘Yes’ if it all looks good at the bottom.

You may find this particular part of the CAcert wiki handy when taking the test!

To start the test click ‘Tests’ on the top and then on the right you’ll see ‘Assurer’s challenge (EN)’ and ‘start test’.

Workshop on 14/01/2020: Introduction to OpenStreetMap

So this workshop was to cover the basics of what the OpenStreetMap project is all about, how the data is gathered (and is licensed) and its aims. Also covered during the workshop was…

  • How OSM covers the entire world, stats were given for the number of contributors worldwide.
  • History of the project, how it came to be and the previous challenges around proprietary mapping systems.
  • What ‘trap streets’ were, fictitious streets on proprietary mapping systems used to catch out copyright violators.
  • The humanitarian benefits of OSM in events such as the Haiti Earthquakes in 2010, where there was no adequate map information in existence already.
  • Detail around the data formats, nodes, ways, areas and relations.
  • The possibilities for custom tagging, layering, representing multiple storeys etc…
  • Briefly talked about how the OSM engine could be used to represent fictitious places (e.g. Mordor, J. R. R. Tolkien’s fictional world of Middle-earth)
  • Talked about the features Google has (history, timeline, 3D buildings etc…) that would be good to implement into OSM.
  • Discussed the pros and cons of the various mapping tools with the conclusion that OSM has the biggest advantage of being co-operative and has “many eyes” looking to spot mistakes and inconsistencies.
  • Lastly a demo of how to edit, and discussed the different editors available to use.

Here’s a gallery showing off some of the things looked at during the presentation…

In terms of the main presentation, this was HTML based slides which you can find in the ZIP file below. Just extract the ‘osm_presentation_webpages’ directory from the ZIP and then open ‘index.html’. Your default web browser should take care of the rest without needing the Internet.

During the lab exercises some sample OSM and GPX formatted data was used and looked at, these can be found in this ZIP below…

As for the growth of OpenStreetMap, Iain prepared this handy table…


As of when the presentation was given (14th January 2020) there are…

  • Number of users: 5,968,421
  • Number of uploaded GPS points: 7,637,593,413
  • Number of nodes: 5,699,926,279
  • Number of ways: 632,110,826
  • Number of relations: 7,415,306

At the end a flyer was handed out with further information, you can find the original source of this at this link on GitHub, however we’ve provided copies from there in PDF format below too…

Finally these are the rough notes that our presenter Iain used during the meeting, these could be handy if you’re trying to remember the order things were covered. Any images referenced in these notes can be found in the ‘’ ZIP file (in the ‘src’ directory) above…

A tale of an old subscriber list

So if you’re on this page it’s very likely because you clicked a link to it in an e-mail we’ve just sent you!

That e-mail was sent January 2020 and is basically just a reworded version of an e-mail originally sent back in August 2019 reminding people that the LUG has relaunched.

The short version…

We’re sorry if you’ve got an e-mail from us a second time!

Our main reason for sending another e-mail was because we’d randomly stumbled upon an old file with the e-mail addresses of older subscribers who we think we’ve likely forgotten to tell about our relaunch. It’d always been meant to be a one-off e-mail and we won’t be doing it again… that file is also now gone.

For a better explanation (and how we’re protecting your personal information) you’ll need the longer version below…

Oh and we also threw in about 4 or 5 extra e-mail addresses… who were already on the general@ mailing list but not on meetings@, just in case you’d forgotten we have both!

The longer version 🙂

When we relaunched back in August we sent an e-mail out to everyone who was still on the older (Mailman 2.1 based) mailing list of “” (which has since been retired and archived).

Basically it just said that we were finally back and how you could re-subscribe yourself manually (either by sending an e-mail or using the web interface) to the new Mailman 3 based mailing lists.

This had a few issues…

  • Many of you just wanted a button to push which would do it for you.
  • The list of people on the old mailing list had dwindled a lot (from 150 to about 70) presumably during the LUG’s dormant phase!
  • All the e-mails were sent using BCC, which I imagine got some of the e-mails trapped in spam filters.

We only know it was about 150 as an old e-mail with minutes from a meeting in 2013 (yes, even back then a bunch of us were trying to restart things!) shows the old LUGMaster stating that figure.

Anyway, after the e-mail in August was sent… we deleted the sent copy of the e-mail (with all the BCCs) so that we weren’t retaining those addresses.

However over the last few years… files have been accumulating from past attempts to move the mailing lists over. In a recent tidy up we’ve spotted an old CSV format file with e-mail addresses of those who we’re guessing have either subscribed to an older mailing list before or used one in some way.

Dusting this off a bit… we’ve removed from that list anyone who is already subscribed or we remember e-mailing/telling back in August (although it’s a lot of e-mail addresses, sorry if our memory isn’t great!).

Suffice to say this latest reminder e-mail is based on what was left… sorry if you got one in August as well!

This time we’ve sent it using an excellent “Mail Merge” add-on for Thunderbird (and not using BCC) which accepts CSV files! It also includes handy buttons for resubscribing… which connect to a little script we’ve made to automate the job!

The file we’ve discovered has since been deleted and additionally (just like with the BCC e-mail from before) copies of the e-mails sent have gone too.

Hope this all makes sense!