[lugm.org] Fwd: [New post] Adding CACert root certificates to your Slackware

Jheengut Pritvi z.coldplayer at gmail.com
Wed Mar 22 13:48:45 UTC 2017


Anyone who has trust issues with CACert??



---------- Forwarded message ----------

Subject: [New post] Adding CACert root certificates to your Slackware
To: z.coldplayer at gmail.com


alienbob posted: "Long before the "letsencrypt" initiative, we already
had another free and open Certificate Authority, called CACert.org.
CACert is community driven, and uses 'assurers' who personally verify
users' identities, thereby building a "web of trust". Unfortunat"

New post on Alien Pastures

Adding CACert root certificates to your Slackware

by alienbob

Long before the "letsencrypt" initiative, we already had another free
and open Certificate Authority, called CACert.org. CACert is community
driven, and uses 'assurers' who personally verify users' identities,
thereby building a "web of trust". Unfortunately, the big players on
the Internet (Google, Mozilla, Microsoft) have always refused to
accept and incorporate the CACert root certificate into their
browsers. Instead, after many years of imploring these companies to
add CACert as a trusted Certificate Authority without any success,
they spat in the face of the community and launched their own
alternative for free SSL certificates: letsencrypt.

And therefore, even today, a site that uses a CACert-issued SSL
certificate is flagged by browsers as untrustworthy. In my opinion,
this refusal to accept a community-driven security initiative is
nothing short of bullying.

My own server, bear.alienbase.nl, uses a CACert-issued certificate.
Folks, it is secure to use https on it! Even when Chrome or Firefox
says it is not. So, how to fix that bogus warning message?
For Firefox, just add an exception for the SSL certificate. For Chrome
and for the OS in general: import the CACert certificates as follows:

Add the CACert root and class3 certificates to your Linux system. As
the root user you download the two .crt files, copy them to
/etc/ssl/certs and generate openssl hashes (I used backslashes to
indicate that some lines are wrapping because the text would otherwise
not be visible on this page):

# cd /tmp
# mkdir CACert
# cd CACert/
# wget -O cacert-root.crt http://www.cacert.org/certs/root.crt
# wget -O cacert-class3.crt http://www.cacert.org/certs/class3.crt
# cp -ia cacert-*.crt /etc/ssl/certs/
# cd /etc/ssl/certs/
# ln -s cacert-root.crt \
   `openssl x509 -noout -hash -in cacert-root.crt`.0
# ln -s cacert-class3.crt \
   `openssl x509 -noout -hash -in cacert-class3.crt`.0

Then add the CACert root certificate to your Chromium browser. Do the
following as your regular user account in addition to the steps you
just took under the root account (see also
http://wiki.cacert.org/FAQ/BrowserClients#Linux)

$ cd /tmp/CACert/
$ certutil -d sql:$HOME/.pki/nssdb \
   -A -t TC -n "CAcert.org" -i cacert-root.crt
$ certutil -d sql:$HOME/.pki/nssdb \
   -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

And you'll end up with a trusted site next time you visit my 'bear' server:

Tags: ca, crt, ssl | URL: http://wp.me/pkfu1-Jd

http://alien.slackbook.org/blog/adding-cacert-root-certificates-to-your-slackware/
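
Added example, not part of the original post: the wget commands above fetch the two certificates over plain http, so nothing authenticates the files before they become trust anchors. The sketch below compares a certificate's SHA-256 fingerprint with a value obtained over a separate, authenticated channel and only then copies it and creates the openssl hash symlink. The function names are hypothetical and the expected fingerprint is an assumption the reader must supply; none is given on this page.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify a CA certificate's
# SHA-256 fingerprint before installing it as a trust anchor.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalise a supplied fingerprint: drop colons and spaces, uppercase.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# install_ca CERT EXPECTED_FP DESTDIR
#   EXPECTED_FP is assumed to come from an out-of-band source.
#   Returns 0 on success, 1 on fingerprint mismatch, 2 on other errors.
install_ca() {
    cert=$1
    expected=$2
    dest=$3

    actual=$(cert_fp "$cert")
    if [ -z "$actual" ]; then
        echo "cannot read certificate: $cert" >&2
        return 2
    fi
    if [ "$actual" != "$(norm_fp "$expected")" ]; then
        echo "fingerprint mismatch for $cert: got $actual" >&2
        return 1    # nothing has been copied or linked at this point
    fi

    # Same subject-hash link the post creates by hand with `ln -s`.
    subj_hash=$(openssl x509 -noout -hash -in "$cert") || return 2
    cp "$cert" "$dest/" || return 2
    ln -sf "$(basename "$cert")" "$dest/$subj_hash.0"
}
```

Run as root from /tmp/CACert with /etc/ssl/certs as the destination directory, once per certificate, in place of the cp and ln steps.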



