Wednesday, June 20, 2007

Create your own CA with TinyCA2 (part 3)

In this final part we will add our own root CA certificate to Ubuntu's pre-installed certificates. (Part 1, Part 2)

Copy the root CA certificate that we exported in the previous part to /usr/share/ca-certificates/. The file must be in PEM format and its name must end in .crt, otherwise update-ca-certificates ignores it. Add the file name (relative to that directory, one name per line, without a leading "!", which would deselect it) to /etc/ca-certificates.conf and run the command:
sudo update-ca-certificates
This regenerates /etc/ssl/certs, including the bundle /etc/ssl/certs/ca-certificates.crt. On current Ubuntu releases you can instead drop the .crt file into /usr/local/share/ca-certificates/, which update-ca-certificates picks up without editing the conf file.

Most of your services will now be able to find your root CA certificate: anything built on OpenSSL or GnuTLS (curl, wget, Postfix, Dovecot and so on) can be pointed at /etc/ssl/certs/ca-certificates.crt or the /etc/ssl/certs directory and will then trust certificates from your CA. Firefox keeps its own certificate store, so it still needs the import described in part 2.
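As an added example (not part of the original post), here is a small shell script that does the three steps above with the checks one wants before trusting a new root: it refuses anything that is not exactly one PEM certificate (so an exported private key or a whole chain never ends up in the trust store), copies the file in under the .crt name update-ca-certificates requires, adds it to ca-certificates.conf only once (re-enabling a "!"-deselected line instead of duplicating it), and rebuilds the bundle. The PREFIX variable is an assumption added so the same function can be exercised against a scratch directory tree; with PREFIX empty it acts on the real system and needs root.

```shell
#!/bin/sh
# Added example (not from the original post): install a root CA certificate
# into the Debian/Ubuntu trust store with the checks one wants first.
# PREFIX is an assumption: empty means the real system (needs root), a
# scratch directory means a dry run, which is what demo below does.
set -eu

# update-ca-certificates only considers files ending in .crt that are listed
# in /etc/ca-certificates.conf without a leading '!' (which deselects them).
ca_dir()  { printf '%s/usr/share/ca-certificates' "${PREFIX:-}"; }
ca_conf() { printf '%s/etc/ca-certificates.conf'  "${PREFIX:-}"; }

# Accept exactly one PEM certificate. A file that also carries a private key
# (say the site key exported without passphrase) or a whole chain must never
# be copied into the trust store.
is_single_pem_cert() {
    f=$1
    [ -r "$f" ] || return 1
    if grep -q -- 'PRIVATE KEY-----' "$f"; then return 1; fi
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f"
}

# install_local_ca <pem-file> <name>: copy the file as <name>.crt, make sure
# it is listed exactly once (re-enabling a '!'-deselected line), rebuild.
install_local_ca() {
    src=$1; name=$2
    dir=$(ca_dir); conf=$(ca_conf)
    is_single_pem_cert "$src" || { echo "refusing $src: not a single PEM certificate" >&2; return 1; }
    mkdir -p "$dir" "$(dirname "$conf")"
    install -m 0644 "$src" "$dir/$name.crt"
    [ -e "$conf" ] || : > "$conf"
    sed -i "s|^!$name\.crt\$|$name.crt|" "$conf"
    grep -qx -- "$name.crt" "$conf" || printf '%s\n' "$name.crt" >> "$conf"
    # Rebuild /etc/ssl/certs and the bundle only when acting on the real system.
    if [ -z "${PREFIX:-}" ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# Number of active conf entries for <name>: 1 after any number of installs.
active_entries() { grep -cx -- "$1.crt" "$(ca_conf)" || true; }

# Dry run against a scratch tree. The PEM body is a constructed placeholder,
# not a real certificate: only the framing matters to the checks above.
demo() {
    PREFIX=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n' > "$PREFIX/root.pem"
    install_local_ca "$PREFIX/root.pem" ROOTCA-linuxalert.org
    install_local_ca "$PREFIX/root.pem" ROOTCA-linuxalert.org   # second run changes nothing
    echo "active entries for ROOTCA-linuxalert.org: $(active_entries ROOTCA-linuxalert.org)"
    cat "$(ca_conf)"
    rm -rf "$PREFIX"
}
demo
```

Run it as is for the dry run; for the real system, call install_local_ca with PREFIX unset as root. The single-certificate check is deliberately strict: the only thing that belongs in the system trust store is the root, never the sub-CA chain file or a file that also contains a key.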

To bring your root CA certificate to your friends, just copy the exported root certificate file to a USB memory stick. The certificate is public and can travel freely; what must never leave the machine running TinyCA2 is the root CA's private key.

Using your own CA you can now add SSL support to services such as CUPS, Postfix (SMTP AUTH), Dovecot (IMAP) and so on. You can also issue certificates for signing and encrypting your e-mail.

Tuesday, June 19, 2007

Create your own CA with TinyCA2 (part 2)

In part one of this series we created a root CA, a sub-CA and a certificate for our web site. All of them are stored in TinyCA2's configuration directory. In this part we will:

  • export the root CA's certificate
  • import the root CA's certificate into Firefox
  • export the certificate for the web site
  • configure our web server to use the web site certificate
To import the root CA certificate into Firefox we must first export it from TinyCA2. In the main window of TinyCA2, open the CA menu and select Open CA. Select your root CA. Select Export CA Certificate in the toolbar (the second icon from the right). You may change the file name. Press Save when ready.

Start Firefox, open the Edit menu and select Preferences. Click the Advanced icon and then the Encryption tab. Select View Certificates and then the Authorities tab; this lists all the CAs you trust. Click Import and select the file with your exported root certificate. In the Downloading Certificate window you control which purposes the certificate is trusted for. I select all three (web sites, e-mail users, software developers). Tick only what you will actually use: a root trusted for software signing can vouch for code as well as for sites.

Click OK and leave the preferences. Then restart Firefox.


It is time to configure the web server. I assume that you already have an Apache httpd server running. First we must export the web site's certificate and private key. Since we signed the certificate with our sub-CA, the web server must also send the sub-CA's certificate to the browser, so that the browser can build the chain from the web site certificate up to the root CA it trusts. This is done with a chain file that we also export from TinyCA2.

Return to TinyCA2 and verify that your sub-CA is open. Select the Certificates tab, right-click on the web site's certificate and select Export certificate. You may change the file name, then click Save. I use the name of the web site, a dash and cert.pem as the file name, i.e. www.linuxalert.org-cert.pem.

Do the same with the key. Select the Keys tab, right-click on the web site's key and select Export key. You may change the file name; I use the name of the web site, a dash and key.pem, i.e. www.linuxalert.org-key.pem. Answer yes to "without passphrase". This lets the web server start without anyone entering the key's passphrase, which also means the file on disk is the only thing protecting the key: it must be owned by root and readable by nobody else (see below). Then click Save. TinyCA2 asks for the password of the web server's certificate, i.e. the passphrase you chose when creating the request.

Go to the CA tab to export the certificate chain. Select the rightmost icon in the toolbar and save the file.

Copy all three files to the web server's directory /etc/ssl/private/. Give the key file mode 0600 and owner root; the certificate and the chain file contain nothing secret, but the key does. Configure the web server to listen on the https port, number 443. In Ubuntu, this is done by adding the line:
Listen 443
to the file /etc/apache2/ports.conf. Activate the ssl module with the command:
sudo a2enmod ssl

Create a file in /etc/apache2/sites-available named after your site plus -ssl, i.e. www.linuxalert.org-ssl, and enable it with a2ensite (which creates the symlink in sites-enabled):
<VirtualHost *:443>
    ServerAdmin A_correct_mailadr
    ServerName www.linuxalert.org
    DocumentRoot /var/www/

    <Directory />
        Options +FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        RewriteBase /
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/www.linuxalert.org-ssl-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/www.linuxalert.org-ssl-access.log combined
    ServerSignature On

    SSLEngine on
    SSLCertificateFile      /etc/ssl/private/www.linuxalert.org-cert.pem
    SSLCertificateKeyFile   /etc/ssl/private/www.linuxalert.org-key.pem
    SSLCertificateChainFile /etc/ssl/private/Linuxalert.org-CA-cachain.pem
</VirtualHost>



Set the parameters according to your site; some of them depend on how you have configured Apache. The important part from this HowTo's perspective is the SSL parameters: SSLCertificateFile is the web site certificate, SSLCertificateKeyFile its private key, and SSLCertificateChainFile the exported chain containing the sub-CA certificate. (ServerSignature On puts the Apache version on error pages; Off is the safer choice.)

Run apache2ctl configtest first to catch typos in the configuration, then restart Apache:
sudo /etc/init.d/apache2 restart

Try to browse to your site. If everything works you will NOT get the dialog box where Firefox tells you that it does not recognize the site's certificate. If you do get it, check the chain file first: if it is missing or does not contain the sub-CA certificate, Firefox sees a certificate from an issuer it does not know, even though the root is imported.

In the final part of this series we will integrate our root CA certificate with Ubuntu's pre-installed certificates.

Monday, June 18, 2007

Create your own CA with TinyCA2 (part 1)

A Certificate Authority (CA) issues certificates to people and organizations, which gives us a way to know that we are talking to the right web site and not to a phishing site. The same concept is nice to use on your private sites too, but you may not want to spend a lot of money on a certificate for your site.

The most common choice when one installs a web-mail server at home is a self-signed certificate. When one then browses to the web-mail server from a friend's computer, one cannot be sure that nobody is listening to the traffic unless one verifies the fingerprint of the self-signed certificate by hand every time.

An easier, and definitely more scalable, solution is to create one's own CA structure. When we are done with this howto you will have installed a certificate on your web server, installed the root certificate in your Firefox, and stored the root certificate on a USB memory stick. The first time you want to read your mail from a friend's computer you install the root certificate from the USB stick into the web browser; from then on the browser verifies your web site automatically, and you know that nobody is listening to the traffic on the way. This assumes, of course, that your friend's computer has no key loggers or other Trojans installed.

The certificates need not be used only for web-mail. You can use them for all network services that speak SSL, for instance to set up your own VPN. If you give the root CA certificate to your friends, you can also use certificates from your CA to sign your e-mails.

If you want to know the details of how the cryptography behind certificates and CAs works, I recommend Wikipedia's page about Public-Key Cryptography.

The easiest way to create a CA is one root CA that signs all your certificates. But then either only one person can sign certificates, or several people share the root key and you can no longer tell who signed what. We will do it a bit more scalably by creating a sub-CA that we use to sign certificates. Each person with the right to sign certificates gets their own sub-CA. The root certificate is only used to sign new sub-CAs, so the root key is rarely touched and can be kept well away from day-to-day use.

This also gives you the opportunity to give your friends their own sub-CA. Isn't that a nice gift? Your friend can then create and sign certificates for his own web server and other network services. When he visits you and browses to his web site he does not have to install any root certificate on your computer: you share the same root certificate, so every service you sign he will trust and vice versa. Keep in mind what that trust means: a sub-CA can issue a certificate for any name, including yours, so only hand one out to someone you trust as much as yourself.

Okay, enough theory, let's start doing it. Begin by installing TinyCA2. If you use Ubuntu you will find the package in universe; it is called tinyca.
The first time you start tinyca2 you are asked to create a new CA. This will be your root CA. I call mine ROOTCA-linuxalert.org. I also changed the valid days from 3650 to 7300. The password is the one you will use when signing new sub-CAs; choose a strong one, since it protects the key everything else hangs on. Fill in the fields and then press OK.

You get a new window where you configure the root CA. Set Netscape Certificate Type to "SSL CA, S/MIME CA, Object Signing CA". If you want to be able to revoke issued certificates, which is a good idea, fill in the two revocation fields with the URL where the revocation list will be published, e.g. https://www.linuxalert.org/ca/ROOTCA-linuxalert.org-crl.pem. Then press OK.

It takes some time to create the CA. When your root certificate is ready you get a new window: the main window of TinyCA2. It has four tabs. The first, CA, shows information about the CA you are currently working with. The second, Certificates, shows the certificates issued by that CA. The third, Keys, lists the keys belonging to those certificates. Finally, the Requests tab lists requests waiting to be signed.
One drawback of TinyCA2 is that the icons in the toolbar do not show any tooltips. The workaround is to click an icon: the dialog window that opens says what the icon does, and you can always cancel.

Now it is time to create the sub-CA. Verify that the CA tab is selected, then click the third icon from the right in the toolbar. You get a window similar to the one used when creating the root certificate, except that it says "Create a new Sub CA" and starts with a field for the password of the root CA. (If you have a hierarchy with several levels, it is the password of the new sub-CA's parent CA.) I call my sub-CA linuxalert.org-CA. The sub-CA should not have the same password as the root CA (it can, but that defeats the point of separating the two). Fill in the fields and press OK.

The sub-CA is created and signed in one step. When the application returns to the main window, the newly created sub-CA is the current CA. To go back to the root CA, open the CA menu and select Open; you get a dialog with all CAs you have created or imported into TinyCA2. From now on, the only things you should use the root CA for are:

  • creating new sub-CAs
  • revoking sub-CAs
  • renewing sub-CAs
  • exporting the root CA's certificate.
When creating new certificates you use the sub-CA, in my case linuxalert.org-CA.


Now it is time to create the certificate for the web server, or to be correct, for the web site. Select the Requests tab. Right-click and select "New request". You get a window called Create Request. The common name must be exactly the name users type to reach your server, in my case www.linuxalert.org; a certificate for linuxalert.org is not accepted for www.linuxalert.org. Once again you have to enter a password (this one protects the web site's private key, which is generated together with the request), and once again it should differ from the previous ones. (I use the GNOME application Revelation to keep track of my passwords.) Fill in the form and press OK.

The new request is listed in the Requests tab of the main window. Right-click on it and select "Sign request". You are asked whether it is a server or client request; in this case select server, which puts the server-authentication usage into the certificate. A new window asks for the CA password. This is the moment where you, as the CA, approve the request and vouch that the holder really owns the common name and that the rest of the information in the certificate is correct. At the same time you decide for how long the certificate is valid. Enter your sub-CA's password and press OK. Your certificate is now signed.
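As an added example, not TinyCA2's own code or output, the script below builds the same hierarchy with the openssl command line: a root CA used only to sign a sub-CA, a sub-CA that signs a server certificate for the site, and a chain file containing the sub-CA certificate like the one exported in part 2. It then checks what part 2 relies on: a client that trusts only the root rejects the site certificate on its own and accepts it only when the sub-CA certificate is supplied alongside it, the name in the certificate must match the host name, and the exported key must belong to the exported certificate. The CA and host names mirror the post; the extension profiles, validity periods and file names are assumptions, and the openssl CLI (1.0.2 or later) must be installed.

```shell
#!/bin/sh
# Added example (not TinyCA2's code): rebuild the post's hierarchy with the
# openssl CLI and check the properties the web server setup depends on.
# The CA and host names mirror the post; profiles, lifetimes and file names
# are assumptions.  Requires the openssl command line (1.0.2 or newer).
set -eu

ROOT_NAME="ROOTCA-linuxalert.org"   # root CA: signs sub-CAs only
SUB_NAME="linuxalert.org-CA"        # sub-CA: signs end-entity certificates
SITE="www.linuxalert.org"           # common name users type into the browser

# Extension profiles: a CA profile (what TinyCA2 calls "SSL CA, S/MIME CA,
# Object Signing CA") and a TLS server profile for the "server" request type.
write_ext_file() {
    cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]

[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SITE
EOF
}

# Create root CA, sub-CA, site key/certificate and chain file in directory $1.
build_hierarchy() {
    d=$1
    write_ext_file "$d"
    # Root CA: self-signed, 7300 days like the post's ROOTCA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
        -config "$d/ext.cnf" -extensions ca -subj "/CN=$ROOT_NAME" \
        -keyout "$d/root-key.pem" -out "$d/root-cert.pem" 2>/dev/null
    # Sub-CA: a request signed by the root. This is the root key's only job.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ext.cnf" \
        -subj "/CN=$SUB_NAME" -keyout "$d/sub-key.pem" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$d/sub.csr" \
        -CA "$d/root-cert.pem" -CAkey "$d/root-key.pem" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/sub-cert.pem" 2>/dev/null
    # Site certificate: a request signed by the sub-CA as a *server* certificate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ext.cnf" \
        -subj "/CN=$SITE" -keyout "$d/$SITE-key.pem" -out "$d/$SITE.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/$SITE.csr" \
        -CA "$d/sub-cert.pem" -CAkey "$d/sub-key.pem" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions server -out "$d/$SITE-cert.pem" 2>/dev/null
    # Chain file for Apache's SSLCertificateChainFile: the intermediate, not the root.
    cp "$d/sub-cert.pem" "$d/cachain.pem"
    # Keys are stored without passphrase, so file permissions are their only protection.
    chmod 600 "$d"/*-key.pem
}

# A client that trusts only the root and receives only the site certificate
# (a server without the chain file). Expected to fail.
verify_leaf_only() {
    openssl verify -CAfile "$1/root-cert.pem" "$1/$SITE-cert.pem" >/dev/null 2>&1
}

# The same client when the server also sends the chain file, checking that the
# certificate is valid for host name $2. Expected to succeed for $SITE only.
verify_with_chain() {
    openssl verify -CAfile "$1/root-cert.pem" -untrusted "$1/cachain.pem" \
        -verify_hostname "$2" "$1/$SITE-cert.pem" >/dev/null 2>&1
}

# The exported key ($2) must belong to the exported certificate ($1):
# compare the public key embedded in each.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
    d=$(mktemp -d)
    build_hierarchy "$d"
    if verify_leaf_only "$d"; then echo "leaf alone: trusted (unexpected)"; else echo "leaf alone: NOT trusted (expected)"; fi
    verify_with_chain "$d" "$SITE" && echo "leaf + chain: trusted for $SITE"
    key_matches_cert "$d/$SITE-cert.pem" "$d/$SITE-key.pem" && echo "site key matches site certificate"
    rm -rf "$d"
}
demo
```

The three checks are the ones worth running against the files exported from TinyCA2 before touching Apache: verify_leaf_only failing while verify_with_chain succeeds is exactly the difference a missing chain file makes in the browser, and key_matches_cert catches the classic mistake of exporting the key of one certificate next to another.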


In my next post we will export the certificates from TinyCA2, import the root certificate into Firefox and configure Apache httpd to use our web site certificate.

Sunday, June 17, 2007

Firefox and certificates

I am setting up my own CA (Certificate Authority) for all my services that use SSL on my machines. Yesterday I wanted to import the root certificate into Firefox. That's easy if it is for a single user: just click on the root certificate. But what if you have a lot of users and computers? One does not want to force each user to do this manually. I want the root CA to be installed on each computer by the administrator and automatically work for the users. This is not possible with Firefox.

The root CA certificates are compiled into the Firefox binaries, and at first start each user gets his own certificate database. There is no central certificate database that Firefox looks into too.

Ubuntu and Debian have a nice functionality where all CA certificates are stored in one place and then used by all well-written applications, but not by Firefox. I hope this will change in Firefox 3.0.

Saturday, June 16, 2007

I got a mail and now its lost

This week I got a mail from a guy who wondered about CPU scaling on the MSI S271 running Ubuntu. Since I have had a lot to do I have not had time to answer it yet. Today I planned to answer the mail, but I can't find it. It's gone; it can't be found in my Gmail box. So if you who wrote it read this, you are welcome to contact me again.

The mailer had some problems getting CPU scaling to work with Ubuntu using an AMD TL-56 CPU, which is the same CPU I have. There may be more people interested in this issue. For me the CPU scaling worked out of the box. To check the CPU scaling, add the CPU Frequency Scaling Monitor to the panel. In the kernel used in Feisty and earlier Ubuntu versions there is only support for two speeds on AMD CPUs, full and half speed. I have read somewhere that finer scaling is on its way. It would be nice if someone could confirm this.

As far as I know the CPU scaling is part of AMD's PowerNow! technology. I have two scripts starting in my runlevel 2, check the /etc/rc2.d directory:

  • S10powernowd.early
  • S20powernowd

The modules I have loaded that can affect the CPU scaling are:
powernow_k8
asus_acpi
cpufreq_userspace
cpufreq_stats
cpufreq_powersave
cpufreq_ondemand
freq_table
cpufreq_conservative


I hope this gives someone some help.

Monday, June 11, 2007

Is Disneys Mickey Mouse violating intellectual properties?

Is Disney's Mickey Mouse violating the intellectual property of the Scandinavian Vikings? Take a look at the picture in this article. Isn't that Mickey Mouse? It was found outside Lund in the south of Sweden and is from the eighth century. Let's sue Disney for violating the intellectual property of the Scandinavian heritage.

Saturday, June 9, 2007

Add more memory to the MSI S271

When I ordered my MSI S271 I ordered it with 1GB of memory. When I bought more memory for my and my wife's cameras I also bought 1GB more for my laptop. Yesterday when the memory arrived I discovered that I did not have the right Phillips screwdriver. A PH-00 screwdriver is needed. I bought one today and have now installed the extra memory in the laptop.

I got a lot of help from the assembly guide from MSI. The assembly guide was a bit tricky to find since it was written for the MSI S262 (MS-1057), which is more or less the same computer as the MSI S271 (MS-1058).

You need to go through steps 1-1 to 1-11 to expand the memory. Be very careful when you remove the keyboard in steps 1-7 to 1-9; the keyboard cable is very fragile. Then you will see where to put the memory. It was covered with some aluminium foil in my computer. How to put the memory into the slot is described in step 3 of the assembly guide.

The MSI S271 has two memory slots and can, according to the documentation, have 2GB of memory. The memory type is SO-DIMM DDR2 533 or 667.

You can check how your memory is configured in Linux and Ubuntu using dmidecode.
Start a terminal and type:
sudo dmidecode

In the output you will find two sections that look like:
Handle 0x002B, DMI type 17, 27 bytes
Memory Device
Array Handle: 0x0027
Error Information Handle: Not Provided
Total Width: 64 bits
Data Width: 72 bits
Size: 1024 MB
Form Factor: DIMM
Set: None
Locator: DIMM1
Bank Locator: BANK1
Type: DDR2
Type Detail: Synchronous
Speed: 266 MHz (3.8 ns)
Manufacturer: Manufacturer1
Serial Number: SerNum1
Asset Tag: AssetTagNum1
Part Number: PartNum1

If both your slots have a value for Size, you must replace one memory module with a bigger one to increase your memory.

Tuesday, June 5, 2007

Let the build flow like the Hudson river.

Today at work I found a wonderful continuous build tool. One often wants to start a new build and regression test after each check-in to the revision control repository. The tool I found is called Hudson. Some of the features I have found useful are:
* Reporting by e-mail or Jabber when something goes wrong (or when it goes right)
* Builds can start based on time or on events.
* It gives you nice statistics about your builds
* For Java projects there are good plug-ins to get statistics about code coverage using Emma and regression testing using Japex and JUnit.
* It works against revision control systems
* It can tag the builds, depending on the result
* You can see the history of builds, and control when they should be purged
* It's easy to install, no external needs except Java.
* Hudson can be used with non-Java applications too. (Hudson has support for Maven, Ant and shell scripts from the beginning.)
* It looks easy to write your own plug-ins
* A remote XML API exists.
* It's open source.

I have not found any big drawback. It would have been nice to have some authorization mechanism, but that can be solved by deploying Hudson inside a J2EE/JSP container.

I think I will try to use it in some Python and bzr projects on Ubuntu at home too, and not only at work with Java.

Monday, June 4, 2007

What's the thing with Java?

I don't get it. Why do so many people love Java? Okay, the language is today quite a nice programming language and there are a lot of good libraries for it. J2EE has tons of good functionality and is a nice concept. So what is it I do not understand?

People say Java is platform independent. I would rather say that Java is a platform of its own. We talk a lot about virtualization today, and what are you doing when running a Java program? You use a virtual machine, unless you use programs compiled with gcj. Java has a lot of its own monitoring programs and its own memory handling. Where is the difference between Java and an operating system?

Starting a Java program requires a lot of initialization before the actual program starts to run. I have seen an example of batch software starting several times per minute. The program existed in two equal versions, one written in Java and one in Python. The Python version decreased the load on the system to 1/4 compared to the Java version. So what you do when starting a Java program is actually booting an OS.

A Java program working on one JRE does not necessarily work on another supplier's JRE. Just take a look at the Java programs for mobile phones. I.e., we instead have a dependency on the JRE. When people complain about differences between Linux distributions, they should take a look at the differences between different Java versions.

I mentioned J2EE earlier. When taking a J2EE application to production most people say: "This runs on Linux and you know Linux, so you can manage it." But they are totally wrong. From the perspective of the Linux administrator the JRE hides everything from him, which makes it hard to find bottlenecks and tune the system. What one needs is a system administrator for Java and J2EE.

Since I started to look at Java as its own operating system, things have been easier. I have started learning to manage the new OS as I manage Linux, instead of thinking I manage an application. I monitor applications both inside the JRE and as Linux software.

I would not say I love Java, but I accept it and realize that it is the new standard for software development in many organizations. I also appreciate that Sun open sourced Java and that Sun Java is included in Ubuntu.

The open source step for Java makes it easier to incorporate Java with other open source software, and will probably increase the acceptance of Linux and other open source products by non-open-source people. The inclusion of Sun Java in Ubuntu, and probably other distributions too, will make the desktop easier for normal people to use and therefore also to accept.