Workshop on 11/02/2020: Introduction to CAcert

Thanks to our excellent guest speaker Alex Robertson for coming in and giving this talk.

You can find details of what was covered in the main talk in the files below, which were used for the presentation. Other than that, there was plenty of time for questions regarding the current state of the project as a whole and ways people can volunteer.

We had a good turnout of about 18 people, which isn’t bad considering this wasn’t an official ATE (a CAcert training event). Also thanks to CAcert (see their blog post here), Hack:Keele and Internet Central (their tweet here) for publicising the event. We even had people travelling in from much further afield too. Hopefully we can repeat this event in the next 6 to 12 months and, as the number of people capable of assuring grows, we can expand on these numbers.

Most people brought along their own CAP forms ready to do assurances afterwards (although we have an absolutely massive stack of blank ones if anyone wants to do more in the future) and this went down very well, especially as we had all just received the knowledge (or a refresher of it) on which IDs are acceptable from people, which the majority remembered to bring!

The presentation files can be obtained below…

We also updated a CAcert leaflet (found from here originally) for the event and a copy of that can be found here…

The rest of this blog post was here even before the workshop had occurred.

Essentially it is a step-by-step set of instructions on how to get started: installing the root and intermediate certificates on your computer, creating an account, making a client certificate and finally taking the Assurer’s Challenge.

Thankfully in the workshop event itself, all of our computers were working with a new CAcert setup created for the event that allowed people to securely take the test if they wanted to and generate private keys from within the browser (by using an ESR version of Firefox that hasn’t yet taken away that ability).

Also, if you get stuck following any of this, you can always talk to us about it using our usual contact details (such as chat rooms, mailing lists, etc…). Additionally CAcert have various channels for help too.

Install CAcert’s root & intermediate certificates

The PCs at the workshop will already have these installed, but if you want to use the CAcert website and maybe take the Assurer Challenge prior to arrival, you should also have them installed on your own machine.

Depending on your OS/browser there are different ways of installing these, as detailed on the CAcert wiki here and here. We’ve detailed a few likely scenarios below, assuming you’re running a modern OS/browser. If these instructions don’t work then see the CAcert wiki for more options.

It’s always a good idea to view any certificate you install and check that its fingerprints match what you expected, so that if the file was tampered with while you were downloading it (the download links below are plain http:// URLs) you can spot it before trusting it! You can find out more in the CAcert wiki as well.
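As an added example (not from the original post), here is a small POSIX shell script that does that fingerprint check from the command line rather than by eye: it compares a PEM certificate’s SHA-256 fingerprint against an expected value whatever the case or colon formatting of the reference. It assumes the openssl command-line tool is installed; the ‘root.crt’ it generates is a constructed throw-away self-signed CA standing in for the downloaded file, not CAcert’s real root, and in real use the expected fingerprint comes from the CAcert wiki rather than from the file itself.

```shell
#!/bin/sh
# Added example: verify a downloaded CA certificate's SHA-256 fingerprint
# against the value you expected before importing it into any trust store.
# Requires the openssl CLI. The certificate used below is constructed test
# data (a throw-away self-signed CA), not CAcert's real root.
set -eu

# Normalise a fingerprint to bare upper-case hex, so "ab:cd", "AB CD" and
# "abcd" all compare equal whichever way the reference value was written.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a PEM certificate file, as bare upper-case hex.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# check_fingerprint FILE EXPECTED: exit status 0 when they match, 1 otherwise.
check_fingerprint() {
    actual=$(cert_fp "$1")
    [ -n "$actual" ] && [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# Constructed stand-in for the downloaded root certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
    -subj "/CN=Constructed Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# In real use EXPECTED comes from a trusted out-of-band source (for CAcert,
# the fingerprints published on its wiki); here it is read from the file
# itself purely so the comparison can be demonstrated offline.
EXPECTED=$(cert_fp "$WORK/root.crt")
TAMPERED=$(printf '%064d' 0)   # a value no genuine certificate will have

if check_fingerprint "$WORK/root.crt" "$EXPECTED"; then
    echo "fingerprint matches: safe to import"
fi
if ! check_fingerprint "$WORK/root.crt" "$TAMPERED"; then
    echo "fingerprint mismatch: do NOT import this file" >&2
fi
```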

Adding to Firefox (on any desktop OS)…

Browse to the following web page… http://www.cacert.org/index.php?id=3

Click ‘Root Certificate (PEM Format)’, tick ‘Trust this CA to identify web sites.’ and then OK. Finally click ‘Intermediate Certificate (PEM Format)’ and just click OK (no need to click Trust on that). For a step by step view see the gallery below…

Adding to Linux (e.g. Chrome and Opera)…

Whilst you could add these certificates system-wide (and how you do that differs vastly depending on your distribution), it wouldn’t help with accessing the CAcert website. That’s because Chrome, Opera and Firefox (see above if using Firefox) all use their own certificate stores when running on Linux. So ultimately we’re just going to show you how to add them to Chromium-based browsers (which Chrome and Opera are) running on Linux.

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from… http://www.cacert.org/index.php?id=3

Access your browser’s settings and search for ‘Manage certificates’, then on the ‘Authorities’ tab first import the ‘root’ certificate and remember to tick ‘Trust this certificate for identifying websites’. Afterwards import the ‘class3’ (intermediate) certificate (you don’t need to tick Trust for this). For a step by step view see the gallery below…

Adding to macOS (e.g. Safari, Chrome, Opera and Edge)…

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from… http://www.cacert.org/index.php?id=3

Open the ‘root’ certificate first, pick ‘System’ when it asks for a keychain, confirm your normal macOS password and then finally mark it as trusted (see the screenshots below). Then open the ‘class3’ (intermediate) certificate and add it in the same way (no need to manually mark this as trusted). Your browser may need to be completely closed and reopened for it to have any effect. For a step by step view see the gallery below…

Adding to Windows (e.g. Edge, IE, Chrome and Opera)

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from… http://www.cacert.org/index.php?id=3

Open the ‘root’ certificate first, then choose to install the certificate (it may prompt for permission) to the ‘Local Machine’ location under the ‘Trusted Root Certification Authorities’ store. Then repeat the process for the ‘class3’ (intermediate) certificate, only this time choose the ‘Intermediate Certification Authorities’ store. For a step by step view see the gallery below…

Creating a CAcert account

Phew! Now that’s over with (we’ll be going into why that is required for CAcert vs. other CAs in the workshop!) head over to cacert.org to make a new account. This should be self-explanatory; just make sure you put your proper full legal name (as shown on government ID) and an e-mail address you can access for verification. Here are a few images showing the steps in case for some odd reason you get confused…

Creating a client certificate

You’ll need to create a client certificate to identify yourself to systems such as the one for the Assurers Challenge. This requires a private key and certificate signing request (CSR) to be generated. In the past web browsers could do this on the page itself but sadly this feature has been dropped. So we’ll use the OpenSSL utility to generate them instead.

Luckily macOS and Linux users will likely find this utility already installed, but not so for Windows users! They can instead follow someone else’s guide for getting a pre-built copy of OpenSSL (compiled by ‘Shining Light Productions’) installed on their system… please make sure you follow that last step regarding adding it to your path!

Open a Terminal (or ‘Command Prompt’ for you Windows users) and change to the directory where your web browser downloads files to (e.g. your ‘Downloads’ directory). Then run the following command…
DON’T CLOSE your Terminal/Command Prompt when you’re done.

openssl req -nodes -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -subj "/"

Open your favourite text editor (e.g. Gedit, Kate, Pluma, Notepad, TextEdit, etc…) and open the file ‘client.csr’ which you just created.

Leave that open and now, using your web browser, go to cacert.org and log in using the ‘Password Login’ on the right-hand side, then under ‘Client Certificates’ pick ‘New’.

Tick your e-mail address (if you’ve already earned enough points to be assured, you’ll find you can also add your full name too… this allows you to print a certificate off for the Assurer Test – but it’s mostly vanity) and also tick ‘Show advanced options’ so that we can copy & paste the CSR from our text editor into the area called ‘Optional Client CSR’.

Finally accept the ‘CACert Community Agreement’ and press ‘Next’ (BE PATIENT! the next page will load but it’ll take a while!). Then click ‘Download the certificate in PEM format’ and rename the file that downloads to simply be named ‘client.crt’.

Finally we need to import your client private key and certificate into your OS/browser. The best way to do this is to merge them into a single PKCS #12 formatted file first. Back on your Terminal (or Command Prompt) run the command below; it’ll ask you for a password (choose wisely and remember it) which you’ll need when importing the file later into your OS/browser…

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt

Once this is created you should keep a copy of this new ‘client.pfx’ file in a safe place, and you can delete any files like ‘client.crt’ and ‘client.key’ which were used in its creation (remembering to empty things like Trash/Bin/Recycle Bin too).
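As an added example (again not from the original post), the script below repeats the key and CSR step above and adds the checks a careful user would want before bundling anything: that the CSR is well-formed before pasting it into the web form, that the certificate which comes back carries the same public key as your ‘client.key’ (the first thing to look at if the export or a later login fails), and that the finished .pfx really opens with your password before you delete the originals. It assumes the openssl CLI; the local CA that signs the CSR is a constructed stand-in for CAcert’s signing step so the whole thing runs offline, and the password is a placeholder.

```shell
#!/bin/sh
# Added example: the post's key/CSR step with the consistency checks a careful
# user would add before bundling. Requires the openssl CLI. The local CA that
# signs the CSR is a constructed stand-in for CAcert, so this runs offline.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Same command as the post: a new RSA key plus a CSR with an empty subject
# (CAcert takes your name and e-mail from your account, not from the CSR).
openssl req -nodes -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -subj "/" 2>/dev/null
# Check the CSR's own signature before pasting it into the web form.
openssl req -in client.csr -noout -verify >/dev/null 2>&1

# Constructed stand-in for CAcert signing the request and returning client.crt.
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Constructed Test CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out client.crt 2>/dev/null

# pubkey_fp key|csr|crt FILE: SHA-256 of the DER-encoded public key inside the
# file, so keys, requests and certificates can be compared directly.
pubkey_fp() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# keys_match KEY CSR CRT: succeeds only if all three carry the same public key,
# which catches a regenerated key or a certificate issued for a different CSR.
keys_match() {
    k=$(pubkey_fp key "$1"); c=$(pubkey_fp csr "$2"); x=$(pubkey_fp crt "$3")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# bundle_pkcs12 KEY CRT OUT PASSWORD: export the pair, then prove the bundle
# opens with that password so the originals can safely be deleted afterwards.
bundle_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
    openssl pkcs12 -in "$3" -nokeys -noout -passin "pass:$4"
}

if keys_match client.key client.csr client.crt; then
    bundle_pkcs12 client.key client.crt client.pfx 'placeholder-demo-password'
    echo "client.pfx written: store it safely, then delete client.key and client.crt"
else
    echo "client.crt does not belong to client.key: do not bundle" >&2
    exit 1
fi
```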

Importing into Firefox (on any desktop OS)…

Go to Preferences and find the button for ‘View Certificates…’. Under the ‘Your Certificates’ tab use ‘Import…’, select ‘client.pfx’ and enter your secret password. It’s that simple, but here are some nice pictures just in case…

Importing into Linux (e.g. Chrome and Opera)…

As mentioned before with the root and intermediate certificates, this essentially just covers Chromium-based browsers running on Linux (as Firefox is covered above and Linux has no common certificate store).

In your Settings go to ‘Manage certificates’ then under the tab ‘Your certificates’ use the ‘Import’ button, select ‘client.pfx’ and enter your secret password. As ever, here are some handy images to show the steps…

Importing into macOS (e.g. Safari, Chrome, Opera and Edge)…

Just open the ‘client.pfx’ file from your Downloads directory; it’ll prompt you for your normal macOS user password and then afterwards ask for your secret password. At this point it’ll be installed and you can close the ‘Keychain Access’ program, though you may need to completely close and re-open your web browser for it to work too. Here are some screenshots…

Importing into Windows (e.g. Edge, IE, Chrome and Opera)

Open the ‘client.pfx’ file from your Downloads folder and follow the default options (install it for the current user and automatically select the store), just providing your secret password when asked. Screenshots below…

Take the Assurer’s Challenge!

Basically, head on over to cats.cacert.org using whichever OS and browser you’ve got your root, intermediate and personal client certificate and key properly installed in. Click ‘Login’ and it should confirm your details. If you included your full name in your client certificate it should show here, otherwise it’ll just be your e-mail address… click ‘Yes’ at the bottom if it all looks good.

You may find this particular part of the CAcert wiki handy when taking the test! http://wiki.cacert.org/AssuranceHandbook2

To start the test click ‘Tests’ on the top and then on the right you’ll see ‘Assurer’s challenge (EN)’ and ‘start test’.