From LinuxReviews
Jump to: navigation, search is a community-driven SSL certificate authority who issues free public key certificates. One of their main goals is to get their certificate included in as many web browsers and operating systems as possible.[1]


[edit] How it works

You go to their website[2], sign up, send them your certificate request and get a cacert signed certificate.

There really isn't that much difference between a self-signed certificate and one issues by CaCert - and the only real difference between a self-signed and one included in web-browsers is that visitors get a warning you sign a SSL certificate yourself, while those signed by "authorities" are signed using certificates who are in browsers.

Users who have manually installed the CaCert root certificate in their browser do not get a warning when they visit sites signed by them. Many people in the hacker community have this installed, so it is slightly better to use CaCert than it is to sign a certificate yourself.

Most people don't have it installed and do get a warning regardless of you signing a SSL certificate or CaCert doing it.

[edit] Inclusion

There are a few OS who install the CaCert:

.. but most don't. Microsoft has a "verification" for inclusion in IE which basically boils down to this: Pay $75,000 and then pay a yearly +$10,000. This is why CaCert will likely never be included in any MS product.

It's interesting to note that Nokia now include CaCert in some products.

It is also interesting to note that the Mozilla Corporation are not willing to include CaCert in their browsers Bugzilla@Mozilla - Bug 215243: CAcert root cert inclusion into browser</ref>.

[edit] How to get a CaCert certificate

Register at their website. Verify your e-mail address.

Then generate a certificate:

openssl req -nodes -new -keyout private.key -out server.csr

Ignore everything btu "Common Name", which would be something like www.yoursite.tld or *.yoursite.tld. Then cut and paste the server.csr into their form and you get a CaCert certificate.

Then cut and paste the public key you get and the private key into a file, make your webserver aware of it..:

<IfModule mod_ssl.c>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /vhosts/

..and that's it.

[edit] Why use it

Most people do not realize that most Internet protocols, including http, are plain-text. Thus; it is generally a good idea to use CaCert to protect all sorts of web-services who require user-interaction: forums, wikis, and so on.

There are SSL authorities who are included in web-browsers who also happen to be quite cheap. It is better to use such services if you're starting a bank or something else who require that stupid people trust your site. Many of the cheaper services have 128-bit encryption as the "standard" you get. CaCert provides 256-bit for free.

But the real value of CaCert is that it is free, so you can basically wh0re as many SSL certificates you want at no cost. This allows you to slam SSL on every website you have. Well, perhaps not every, because SSL requires 1 IP pr. SSL service. You can't "vhost" SSL. But you can use every IP you have available to provide a SSL service.

That is why CaCert is a good choice for many organizations, people and small corporations: You can run 30 secured websites if you have 30 IPs - at no cost. 30 at-cost certificates .. cost cheap-price*30.

Very ignorant people may not understand the warning they get if they do not have the CA root cert installed and get afraid, but people who have that rare quality called "a functioning brain" will be able to see that encryption is a much better property than plain-text and that "browser inclusion" has nothing to do with security properties and everything to do with greedy corporations applying a unjust tax for basic security.

[edit] References

  1. Cacert Wiki
  2. - Free SSL certs website
Personal tools
hardware tests
Privacy policy
linux events


linux newz | random page | poetry | free blog