From: Simon Josefsson
To: Ted Zlatanov
Cc: ding@gnus.org
Newsgroups: gmane.emacs.gnus.general
Subject: Re: SSL certificate issues for git.gnus.org
Date: Fri, 11 Mar 2011 06:57:41 +0100
Message-ID: <87lj0mfbca.fsf@latte.josefsson.org>

Ted Zlatanov writes:

> On Thu, 10 Mar 2011 22:50:11 +0100 Simon Josefsson wrote:
>
> SJ> Steinar Bang writes:
>>>>>>>> Simon Josefsson:
>>>
>>>> I think anyone who is already a CACert member could help with this, by
>>>> claiming ownership of the domain and then requesting certificates. I
>>>> happen to be a member, so if I can help, let me know. Generating the
>>>> private key and certificate request is relatively easy too.
>>>
>>> I am also a member but I thought I only could request certificate signing
>>> for sub-domains of the one I'm the member as...?
>
> SJ> You can become "owner" of any domain by entering the domain under
> SJ> cacert.org Domains->Add when you are logged in. The domain owner will
> SJ> get an e-mail to confirm the operation, but if he accepts then you can
> SJ> get server certificates for that domain through CACert.
>
> Oh, I see. I didn't know that.
>
> Could you do the request? You're probably the best person to do it.

I have made the request -- but Lars will need to approve it.

Lars, to generate the git.gnus.org certificate, please run something
like this and send me the CSR at the bottom (it is fine to post to the
list, it is not security sensitive) and I'll paste the request through
cacert and get a certificate back:

jas@latte:~$ certtool -p --outfile git.gnus.org-key.pem
Generating a 2048 bit RSA private key...
jas@latte:~$ certtool -q --load-privkey git.gnus.org-key.pem
Generating a PKCS #10 certificate request...
Country name (2 chars):
Organization name:
Organizational unit name:
Locality name:
State or province name:
Common name: git.gnus.org
UID:
Enter a dnsName of the subject of the certificate: git.gnus.org
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y
PKCS #10 Certificate Request Information:
    Version: 1
    Subject: CN=git.gnus.org
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
            [modulus bytes omitted]
        Exponent:
            01:00:01
    Attributes:
        Extensions:
            Subject Alternative Name (not critical):
                DNSname: git.gnus.org
            Basic Constraints (critical):
                Certificate Authority (CA): FALSE
            Key Usage (critical):
                Digital signature.
                Key encipherment.
            Key Purpose (critical):
                TLS WWW Server.
Other Information:
    Public Key Id:
        4dff66171012fd06f4ebe4206d4041cd4d020183

-----BEGIN NEW CERTIFICATE REQUEST-----
[base64-encoded request omitted]
-----END NEW CERTIFICATE REQUEST-----
jas@latte:~$

/Simon
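
The interactive session in the mail above, done without prompts through a certtool template, followed by a check that the file about to be posted holds a certificate request and no private key. This is an added example, not part of the original message; the file names and the helper functions (write_template, pem_labels, safe_to_post, make_csr) are assumptions introduced here, and it assumes GnuTLS certtool is installed.

```shell
#!/bin/sh
# Added example, not from the original mail. Helper and file names are hypothetical.

# Write a certtool template carrying the answers given interactively in the mail.
write_template() {  # $1 = host name, $2 = template path
    cat > "$2" <<EOF
cn = "$1"
dns_name = "$1"
signing_key
encryption_key
tls_www_server
EOF
}

# List the PEM armor labels found in a file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if the file holds a certificate request and no private key.
safe_to_post() {
    labels=$(pem_labels "$1")
    case "$labels" in
        *"PRIVATE KEY"*) echo "refusing: $1 contains a private key" >&2; return 1 ;;
    esac
    case "$labels" in
        *"CERTIFICATE REQUEST"*) return 0 ;;
    esac
    echo "refusing: $1 contains no certificate request" >&2
    return 1
}

# Generate key and CSR without prompts; the key file never leaves the server.
make_csr() (  # $1 = host name; runs in a subshell so the umask stays local
    umask 077   # key file readable by its owner only
    write_template "$1" "$1.tmpl"
    certtool --generate-privkey --outfile "$1-key.pem"
    certtool --generate-request --load-privkey "$1-key.pem" \
             --template "$1.tmpl" --outfile "$1-csr.pem"
    certtool --crq-info --infile "$1-csr.pem"   # review the request before sending
    safe_to_post "$1-csr.pem"
)

# Run only when a host name is given on the command line.
if [ $# -ge 1 ]; then make_csr "$1"; fi
```

Only the `-csr.pem` file is meant to be sent; `safe_to_post` fails on anything that carries a `PRIVATE KEY` armor label, including a file where key and request were concatenated.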