Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>


ssl.mdwn

This guide explains how to tell your computer to recognize and trust a Certificate Authority (CA). This is required in order to establish secure connections over the internet. Many web services and websites use centralized CAs for this, and your computer already trusts a great many such CAs, and every certificate they sign, without asking you. Some websites reject this model and run their own CA, so you’ll need to add their CA manually. Don’t worry, it’s very easy.

From now on, “web service” and “website” refer to web services and websites which use independent CAs, and offer you a way to add them manually.

There are two ways to do this. If the web service uses Monkeysphere, all you need to do is sign its PGP key. If not, you’ll need to install the CA certificate manually. Both are quite simple, although Monkeysphere requires some basic initial setup.

At the moment, most software doesn’t yet support Monkeysphere, so you can do both: take the Monkeysphere path for software which does, and add the certificate manually for software which doesn’t. Note that installing the certificate may mean Monkeysphere is never actually consulted for those services, because once the CA is trusted through the installed certificate there is nothing left for it to check. Still, with time you’ll be visiting Monkeysphere-supporting websites and browsing them securely without even noticing that Monkeysphere takes care of this in the background.

Monkeysphere

See the [Monkeysphere] user guide. [[TODO|TODO/OPEN]] write one

Certificate Installation

First, download the certificate. It’s usually a text file with a CRT or PEM extension. Hopefully the web service makes it easy for you to find and download.

Now you need to verify it. Strictly speaking you don’t have to, but if you don’t there is a risk (maybe a small one, but technically still a risk) that you downloaded a fake certificate. The only way to be sure is to let the computer help you verify it.

The web service should explain how. One common way is to download a PGP signature of the certificate and check that it is valid. In any case, the web service should provide instructions; just in case, here’s an example:

    $ wget --no-verbose http://www.example.null/example-ca.crt
    2014-07-14 10:07:13 URL:http://www.example.null/example-ca.crt
    [2667/2667] -> "example-ca.crt" [1]

    $ wget --no-verbose http://www.example.null/example-ca.crt.sig
    2014-07-14 10:07:13 URL:http://www.example.null/example-ca.crt.sig
    [287/287] -> "example-ca.crt.sig" [1]

    $ gpg --verify example-ca.crt.sig example-ca.crt
    gpg: Signature made IDT 09:29:10 2014 Jul 14 Mon using RSA key ID 937A67EF
    gpg: Good signature from "John Doe <jdoe@riseup.net>"
    gpg:                 aka "[jpeg image of size 4232]"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the
                  owner.

If you don’t PGP-trust the administrator’s key, this warning is expected: “Good signature” only means the signature was made by the key gpg found in your keyring, not that this key really belongs to the web service. If the web service doesn’t expect you to trust it, it may publish a key fingerprint which you should compare to the one you get locally. Take the “key ID” from the output you got (in the example above it’s 937A67EF) and run:

    gpg --recv-keys 937A67EF
    gpg --fingerprint 937A67EF

You’ll see the fingerprint in the output. Compare the full fingerprint, not just the 8-character key ID: short key IDs are not unique, and a different key can be made to carry the same one.
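As an added example (not code from the wiki page), here is a small Python helper that does the two comparisons this section describes with the computer’s help: it pins the PGP signing key by its full fingerprint, parsed from the machine-readable output of gpg --status-fd 1 --verify, and computes the downloaded certificate’s SHA-256 fingerprint in the colon-separated form that openssl x509 -noout -fingerprint -sha256 prints, so it can be compared with one the web service publishes. The certificate bytes, key fingerprint and gpg status lines are constructed sample data, not a real key or CA.

```python
import base64
import hashlib
import re

def _normalize(fpr):
    # Drop colons/spaces and upper-case, so "93:7a" and "937A" compare equal.
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()

def fingerprints_match(a, b):
    return _normalize(a) != "" and _normalize(a) == _normalize(b)

def pem_to_der(pem):
    # DER bytes of the first CERTIFICATE block; raises if the file isn't PEM.
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def cert_fingerprint(pem):
    # SHA-256 of the DER, colon-separated like `openssl x509 -fingerprint -sha256`.
    hexdigest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def signing_key_fingerprints(status_output):
    # From `gpg --status-fd 1 --verify sig file` output, return the
    # (signing key, primary key) fingerprints from the VALIDSIG line, or None.
    # GOODSIG only says the signature matches *some* key in your keyring;
    # VALIDSIG carries the full fingerprint you can pin against.
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return f[2], (f[11] if len(f) > 11 else f[2])
    return None

def signature_ok(status_output, published_fpr):
    # True only when the signature is valid AND made by the published key.
    fprs = signing_key_fingerprints(status_output)
    return fprs is not None and any(fingerprints_match(x, published_fpr) for x in fprs)

# Constructed sample inputs: not a real certificate, key or gpg run.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
PUBLISHED_KEY_FPR = "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 937A 67EF"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 9ABCDEF0937A67EF John Doe <jdoe@riseup.net>\n"
    "[GNUPG:] VALIDSIG 123456789ABCDEF0123456789ABCDEF0937A67EF 2014-07-14 1405322950"
    " 0 4 0 1 8 00 123456789ABCDEF0123456789ABCDEF0937A67EF\n")
```

For a real check, feed signature_ok the output of gpg --status-fd 1 --verify example-ca.crt.sig example-ca.crt together with the fingerprint the web service published; a fingerprint you only obtained from gpg --fingerprint proves nothing by itself.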

Finally, if it’s valid, install it. On Debian and its derivatives, update-ca-certificates only picks up files in /usr/local/share/ca-certificates that have a .crt extension, so rename the file first if it came as .pem:

    $ su
    # cp /home/joe/Downloads/example-ca.crt /usr/local/share/ca-certificates
    # update-ca-certificates

You will see output like this:

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Adding debian:example-ca.pem
    done.

The permissions look like this:

    # ls -l /usr/local/share/ca-certificates
    -rw-r--r-- 1 root staff 2667 Jul 13 11:43 example-ca.crt

Some programs keep their own certificate store (Firefox’s NSS database, for example) and ignore the system list. Maybe it helps them be portable and independent, but it hurts integration and ease of use. Here are some examples; it should work in a similar manner for other applications.

Iceweasel/Firefox

[[TODO|TODO/OPEN]] write

Claws Mail

[[TODO|TODO/OPEN]] write

Evolution

[[TODO|TODO/OPEN]] write
