Workshop on 11/02/2020: Introduction to CAcert

This workshop hasn’t yet taken place, but this page contains useful information for people wishing to prepare for the workshop before it happens. This post will be updated when the workshop has concluded.

If you get stuck following any of this, you can always talk to us about it using our usual contact details (such as chat rooms, mailing lists, etc…). CAcert also have various channels for help.

Install CAcert’s root & intermediate certificates

The PCs at the workshop will already have these installed, but if you want to use the CAcert website and maybe take the Assurer Challenge prior to arrival, you should also have them installed on your machine.

Depending on your OS/browser, there are different ways of installing these, as detailed on the CAcert wiki here and here. We’ve detailed a few likely scenarios below whilst assuming you’re running a modern OS/browser. If these instructions don’t work then see the CAcert wiki for more options.

It’s always a good idea to view any certificate you install and check that its fingerprints match what you expected. That way, if the certificates were tampered with while being acquired, you can spot it! You can find out more in the CAcert wiki as well.
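One way to do that fingerprint check from a terminal, as an added example that is not part of the original post or of CAcert's documentation: it compares a certificate file's SHA-256 fingerprint with a value you obtained separately. The demo uses a constructed throwaway certificate, and the file and function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: compare a certificate file's SHA-256 fingerprint with a value
# obtained from a separate, trusted source before importing the certificate.

# SHA-256 fingerprint of a PEM certificate as bare uppercase hex ("" on error).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Strip colons and spaces from a published fingerprint and upper-case it.
normalise() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Succeeds only if FILE ($1) is a certificate whose fingerprint equals $2.
verify_cert() {
    local actual expected
    actual=$(cert_fingerprint "$1")
    expected=$(normalise "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# downloaded root certificate (file name and subject are made up).
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Demo Root" \
        -keyout demo.key -out root.crt 2>/dev/null || exit 1
    # Stand-in for the value you would read from the trusted source.
    good=$(cert_fingerprint root.crt)
    # Every hex digit shifted by one, so this value cannot match.
    bad=$(printf '%s' "$good" | tr '0-9A-F' '1-9A-F0')
    verify_cert root.crt "$good" && echo "root.crt: fingerprint matches"
    verify_cert root.crt "$bad" || echo "root.crt vs altered value: MISMATCH"
    cd / && rm -rf "$dir"
)

demo
```

For a real check, pass the downloaded file and the fingerprint as published by CAcert, copied from somewhere other than the download itself.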

Adding to Firefox (on any desktop OS)…

Browse to the following web page… http://www.cacert.org/index.php?id=3

Click ‘Root Certificate (PEM Format)’, tick ‘Trust this CA to identify web sites.’ and then OK. Finally click ‘Intermediate Certificate (PEM Format)’ and just click OK (no need to click Trust on that). For a step by step view see the gallery below…

Adding to Linux (e.g. Chrome and Opera)…

Whilst you could add these certificates system wide (and how you did that would differ vastly depending on your distribution), it wouldn’t help accessing the CAcert website. That’s because Chrome, Opera and Firefox (see above if using Firefox) all use their own certificate stores if they’re running on Linux. So ultimately we’re just going to show you how to add them to Chromium-based browsers (which Chrome and Opera are) running on Linux.

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from… http://www.cacert.org/index.php?id=3

Access your browser’s settings and search for ‘Manage certificates’, then on the ‘Authorities’ tab first import the ‘root’ certificate and remember to tick ‘Trust this certificate for identifying websites’. Then afterwards import the ‘class3’ (intermediate) certificate (you don’t need to tick Trust for this). For a step by step view see the gallery below…

Adding to macOS (e.g. Safari, Chrome, Opera and Edge)…

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from… http://www.cacert.org/index.php?id=3

Open the ‘root’ certificate first, pick ‘System’ when it asks for a keychain, confirm your normal macOS password and then finally mark it as trusted (see the screen shots below). Then open the ‘class3’ (intermediate) certificate and add it in the same way (no need to manually mark this as trusted). Your browser may need to be completely closed and reopened for it to have any effect. For a step by step view see the gallery below…

Adding to Windows (e.g. Edge, IE, Chrome and Opera)

Start by downloading the ‘Root Certificate’ and ‘Intermediate Certificate’ (both in PEM Format) from… http://www.cacert.org/index.php?id=3

Open the ‘root’ certificate first, then choose to install the certificate (it may prompt for permission) to the ‘Local Machine’ location under the ‘Trusted Root Certification Authorities’ store. Then repeat the process for the ‘class3’ (intermediate) certificate, only this time you want the ‘Intermediate Certification Authorities’ store. For a step by step view see the gallery below…

Creating a CAcert account

Phew! Now that’s over with (we’ll be going in to why that is required for CAcert vs. other CAs in the workshop!) head over to cacert.org to make a new account. This should be self explanatory, just make sure you put your proper full legal name (as shown on government ID) and an e-mail address you can access for verification. Here are a few images showing the steps in case, for some odd reason, you get confused…

Creating a client certificate

You’ll need to create a client certificate to identify yourself to systems such as the one for the Assurer’s Challenge. This requires a private key and certificate signing request (CSR) to be generated. In the past web browsers could do this on the page itself but sadly this feature has been dropped. So we’ll use the OpenSSL utility to generate them instead.

Luckily macOS and Linux users will likely find this utility already installed, but not so for Windows users! They can instead follow someone else’s guide for getting a pre-built copy of OpenSSL (compiled by ‘Shining Light Productions’) installed on their system… please make sure you follow that last step regarding adding it to your path!

Open a Terminal (or ‘Command Prompt’ for you Windows users) and change to the directory where your web browser downloads files to (e.g. your ‘Downloads’ directory). Then run the following command, and DON’T CLOSE your Terminal/Command Prompt when you’re done…

openssl req -nodes -newkey rsa:2048 -sha256 -keyout client.key -out client.csr -subj "/"

Open your favourite text editor (e.g. Gedit, Kate, Pluma, Notepad, TextEdit, etc…) and open the file ‘client.csr’ which you just created.

Leave that open and now using your web browser go to cacert.org and login using the ‘Password Login’ on the right hand side, then under ‘Client Certificates’ pick ‘New’.

Tick your e-mail address (if you’ve already earned enough points to be assured, you’ll find you can also add your full name too… this allows you to print a certificate off for the Assurer Test – but it’s mostly vanity) and also tick ‘Show advanced options’ so that we can copy & paste the CSR from our text editor into the area called ‘Optional Client CSR’.

Then accept the ‘CAcert Community Agreement’ and press ‘Next’ (BE PATIENT! the next page will load but it’ll take a while!). Once it has loaded, click ‘Download the certificate in PEM format’ and rename the file that downloads to simply be named ‘client.crt’.

Finally we need to import your client private key and certificate into your OS/browser. The best way to do this is to merge them into a single PKCS #12 formatted file first. Back on your Terminal (or Command Prompt) run the command below. It’ll ask you for a password (choose wisely and remember it) which you’ll need when importing it later into your OS/browser…

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt

Once this is created you should keep a copy of this new ‘client.pfx’ file in a safe place and you can delete (checking things like Trash/Bin/Recycle Bin) any files like ‘client.crt’ and ‘client.key’ which were used in its creation.
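The steps above can be run end to end with a few checks added: that the CSR and the issued certificate carry the public key of ‘client.key’ before the PKCS #12 file is built, and that the finished file opens with its password. This is an added example, not part of the original post; a constructed throwaway CA stands in for CAcert's signing step, and the function names, the PFX_PASS variable and the demo password are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the client-certificate steps with sanity checks. A throwaway
# local CA stands in for CAcert's signing step; all names here are made up.

# Public key (PEM) contained in a private key, a CSR, or a certificate.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the certificate ($1) was issued for the private key ($2).
cert_matches_key() {
    local c k
    c=$(pub_of_cert "$1"); k=$(pub_of_key "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Merge key ($1) and certificate ($2) into PKCS #12 file $3 with password $4,
# refusing mismatched pairs. (The page's command prompts for the password.)
make_pfx() {
    cert_matches_key "$2" "$1" || { echo "certificate/key mismatch" >&2; return 1; }
    PFX_PASS=$4 openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
        -passout env:PFX_PASS
}

# Succeeds if PKCS #12 file $1 opens (its MAC verifies) with password $2.
pfx_opens() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS 2>/dev/null
}

# Constructed run inside directory $1.
run_demo() (
    cd "$1" || exit 1
    # Step 1: the page's command; -nodes leaves client.key unencrypted on disk.
    openssl req -nodes -newkey rsa:2048 -sha256 -keyout client.key \
        -out client.csr -subj "/" 2>/dev/null || exit 1
    chmod 600 client.key
    [ "$(pub_of_csr client.csr)" = "$(pub_of_key client.key)" ] || exit 1
    # Step 2 (simulated): the stand-in CA signs the CSR instead of CAcert.
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=Constructed Stand-in CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 1 -out client.crt 2>/dev/null || exit 1
    # Step 3: check the pair, build client.pfx, confirm it opens.
    make_pfx client.key client.crt client.pfx 'constructed-demo-passphrase' &&
        pfx_opens client.pfx 'constructed-demo-passphrase' &&
        echo "client.pfx created and verified"
)

run_demo "$(mktemp -d)"
```

On a real run, step 2 is replaced by the ‘client.crt’ you downloaded from CAcert, and cert_matches_key tells you straight away if it was issued for a different CSR than the one whose key you kept.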

Importing into Firefox (on any desktop OS)…

Go to Preferences and find the button for ‘View Certificates…’. Under the ‘Your Certificates’ tab use ‘Import…’, select ‘client.pfx’ and enter your secret password. It’s that simple, but here are some nice pictures just in case…

Importing into Linux (e.g. Chrome and Opera)…

As mentioned before with the root and intermediate certificates, this essentially just covers Chromium-based browsers running on Linux (as Firefox is covered above and Linux has no common certificate store).

In your Settings go to ‘Manage certificates’ then under the tab ‘Your certificates’ use the ‘Import’ button, select ‘client.pfx’ and enter your secret password. As ever, here are some handy images to show the steps…

Importing into macOS (e.g. Safari, Chrome, Opera and Edge)…

Just open the ‘client.pfx’ file from your Downloads directory. It’ll prompt you for your normal macOS user password and then afterwards ask for your secret password. At this point it’ll be installed and you can close the ‘Keychain Access’ program. You may need to completely close and re-open your web browser for it to work too. Here are some screen shots…

Importing into Windows (e.g. Edge, IE, Chrome and Opera)

Open the ‘client.pfx’ file from your Downloads folder and follow the default options of installing it for the current user & automatically select the store, just provide your secret password. Screen shots below…

Take the Assurer’s Challenge!

Basically head on over to cats.cacert.org using whichever OS and browser you’ve got your root, intermediate and personal client certificate and key properly installed into. Click ‘Login’ and it should confirm your details. If you included your full name in your client certificate it should show here, otherwise it’ll just be your e-mail address… click ‘Yes’ at the bottom if it all looks good.

You may find this particular part of the CAcert wiki handy when taking the test! http://wiki.cacert.org/AssuranceHandbook2

To start the test click ‘Tests’ on the top and then on the right you’ll see ‘Assurer’s challenge (EN)’ and ‘start test’.
