|
|
|
|
@ -124,15 +124,20 @@ The class 3 certificate must contain the following fields:
|
|
|
|
|
`CA: true, patLenConstraint: 0; critical`
|
|
|
|
|
|
|
|
|
|
- [Extended Key Usage](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.12):
|
|
|
|
|
`server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage`
|
|
|
|
|
|
|
|
|
|
not set
|
|
|
|
|
|
|
|
|
|
*Note:* `server auth, client auth, email protection, code signing, OCSP signing, SmartCard logon, anyExtendedKeyUsage`
|
|
|
|
|
might be a good option, but might confuse at least some relying party applications
|
|
|
|
|
|
|
|
|
|
*Note:* this will not be sufficient to fulfill the
|
|
|
|
|
[Google requirements for S/MIME certificates](https://support.google.com/a/answer/7300887)
|
|
|
|
|
|
|
|
|
|
- [CRL Distribution Points](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.13):
|
|
|
|
|
http://crl.cacert.org/class3-revoke.crl
|
|
|
|
|
http://crl.cacert.org/revoke.crl
|
|
|
|
|
|
|
|
|
|
*Note:* CRL URLs must use the http URL scheme
|
|
|
|
|
*Note:* CRL URLs must use the http URL scheme, this must be the CRL issued
|
|
|
|
|
by the signing CA (in this case the Root CA)
|
|
|
|
|
|
|
|
|
|
- [Authority Information Access](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1):
|
|
|
|
|
|
|
|
|
|
@ -142,3 +147,54 @@ The class 3 certificate must contain the following fields:
|
|
|
|
|
- OCSP: URI:http://ocsp.cacert.org/
|
|
|
|
|
|
|
|
|
|
*Note:* CA issuers and OCSP URLs must use the http URL scheme
|
|
|
|
|
|
|
|
|
|
# Re-Signing procedure
|
|
|
|
|
|
|
|
|
|
According to https://wiki.cacert.org/SystemAdministration/Systems/Signer the signer is running a Debian 5.0 Lenny
|
|
|
|
|
minimal system based operating system. The procedure documented here has therefore been tested using a Debian 5.0
|
|
|
|
|
virtual machine.
|
|
|
|
|
|
|
|
|
|
## Generate a CSR from the existing private key and certificate
|
|
|
|
|
|
|
|
|
|
```shell
|
|
|
|
|
export TZ=UTC
|
|
|
|
|
openssl x509 -key class3.key.pem -x509toreq -in class3.crt.pem -out class3.csr.pem \
|
|
|
|
|
2>&1 | tee -a class3-signing-$(date +%Y%m%d).log
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Sign the new CA certificate with the openssl configuration file
|
|
|
|
|
|
|
|
|
|
```shell
|
|
|
|
|
TZ=UTC \
|
|
|
|
|
openssl ca \
|
|
|
|
|
-config openssl-class3-resign.conf \ # use CA re-signing configuration
|
|
|
|
|
-extensions class3_ca_ext \ # use class3 CA extension section
|
|
|
|
|
-in class3.csr.pem \ # use the CSR from the previous step
|
|
|
|
|
-startdate $(date +%y%m%d%H%M%SZ --date="today") \ # use the current date
|
|
|
|
|
-enddate $(date +%y%m%d%H%M%SZ --date="today + 5 years 0:00") # use 5 years later
|
|
|
|
|
-out class3.crt.pem \ # output class3 certificate
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Post-signing changes on the signer
|
|
|
|
|
|
|
|
|
|
Certificates signed by the new class3 CA certificate should contain links to the CRL, OCSP and DER CA certificate URLs
|
|
|
|
|
of the new class3 certificate. It would be a good idea to decide and document these URLs in advance.
|
|
|
|
|
|
|
|
|
|
The CA extension configurations for the different types of end entity certificates should be configured on the signer
|
|
|
|
|
accordingly, i.e.
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
[client_ext]
|
|
|
|
|
authorityKeyIdentifier = hash
|
|
|
|
|
basicConstraints = CA:FALSE
|
|
|
|
|
keyUsage = digitalSignature,keyEncipherment,keyAgreement
|
|
|
|
|
extendedKeyUsage = emailProtection,clientAuth,msSGC,msEFS,nsSGC
|
|
|
|
|
crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl
|
|
|
|
|
authorityInfoAccess = caIssuers;URI:http://www.cacert.org/certs/CAcert_Class3Root_x14E228.der, OCSP;URI:http://ocsp.cacert.org
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
*Note*: it might be preferable to use a stable URL like http://www.cacert.org/certs/class3_ca.der instead of using a
|
|
|
|
|
name containing the serial number. URLs that will cause redirects should be avoided, because some relying party
|
|
|
|
|
applications may not follow redirects.
|
|
|
|
|
|
|
|
|
|
The OCSP, CRL and CAIssuers URLs should use the http URL scheme.
|
|
|
|
|
|
