This page was last updated in 2016-10. General information is approximately correct, but there may be errors in the finer points. Also technology has improved, attacks have improved, companies have come (Let's Encrypt) and gone (Symantec).
Contents: Subject Alternative Name, Server Name Indication, S/MIME, Client Certificates, PGP, Pans CA, .
Subject Alternative Name
The X.509 Subject Alternative Name (SAN) extension to a certificate allows your server to be addressed by different names without throwing certificate errors. If your site can be known by more than one name, for example, people type an unqualified host name in the intranet, then you will want to use Subject Alternative Name extensions to make their life more trustworthy.
Server Name Indication
How many IPv4 addresses are there? Not enough, and they're all allocated. So if you're going to pack multiple HTTPS sites onto one IP address then you'll need to use a Server Name Indication in the Client Hello. What does that mean? Good question. Allow me to explain (or simply hire me to explain).
S/MIME is a way to sign and/or encrypt email from one person to another. Only the recipient can read the encrypted email, and only the sender can stamp their signature onto the email. This has the benefit of stopping people from snooping on the email in transit, as well as preventing someone without the private key from reading the email, even if they steal it off a mail server along the way.
With a client certificate, as issued by Comodo or CACert.org, you can identify yourself to websites that ask for a client certificate and you can sign your own email. Software support varies.
Visit their website to get started.
You can also generate a client certificate by hand and either self-sign it or send it to someone else for signing.
PGP / GnuPG
PGP operates much the same way as S/MIME and the Certificate Authority works, except the algorithms and authors are different, the software support is different, and the distribution of keys is different. The underlying mathematics and the way it protects your mail in transit and at rest is identical.
Whilst you need to generate a client certificate in your browser or with OpenSSL/LibreSSL and then have it signed by a certificate authority (usually for a fee), all of PGP is free and there is no central authority. The only people who trust you are those you've met and verified in person.
Here is this author's GPG fingerprint and public key. You can track this on keybase.io/tipene:
pub 4096R/B3B4BBF5 2014-06-13 [expires: 2019-06-12] Key fingerprint = 40DD 95E4 4778 0BA2 8B0E 7C08 6E1F 88E4 B3B4 BBF5 uid Stephen D. Cope <gpg sdc org nz> sub 4096R/6F6A3CF3 2014-06-13 [expires: 2019-06-12]
You can import this into your keychain by doing something convenient and potentially dangerous such as one of the following:
1# lynx -dump https://obvi.us/crypto/ | gpg --import 2# gpg --recv-keys B3B4BBF5
The first option dumps this webpage into gpg, and gpg sees this next block and imports it into your keyring. The second option contacts a local keyserver and grabs my public key from there. Since you're on this page the first option is the best.
After this you'll need to ring me, verify my identity, and then we can verify this fingerprint before you trust my certificate. If you trust me, please sign it and upload the proof.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQINBFOak3EBEAC5zWt7XcAjAbaJcNfpxUK5BDAahUxWMZkqawwuDpFBejfVc1/i wTE+kyPQt11ZHFdYjmZYJtO7jpp6iQ8q8FUd8DYxNf9PxMsoH6aDnGy/hWhXdeJv RUiKcetxwszRhXxBF9tq7JSjo55kDJWzbYzvG+nvm9d1YVekUJCO3UfKoLvuQmDs I8FhmHzSCiDVdx391eFJhbQcQ/O9DsLhKL+h80lgdIM5SeKvP9MjF91VtQHkD0PE y7KSPrHLoBijnvJts1700vwIDBGuins4IuFF+HoUxpF6zWQXnO58M7EcddCmHK8a hvaMIJYWI3MJrBuGDafwk2pjJWG2crP8FUbXPmEo2n5w67JBBzmfxcm/D9lst6av 9mwjTnvhxFC71IfCnl9FpYrgbk0leWM77+z4W+prsI/v7jiImrFCsON6bl0axlON 7o4ES5zI1DFatd7dSF7OM4vJHgcFPG//l4Hv4uGVJbkzUgt3/+1Y719pB4llevBc 3rd2jh7DoVpYheJXefnTBUmTOlo9fmJ0pBTdhqkq7dIkqkygEnzIaZlBbkQAa3Gq G4wkJ84ZY8WM/U4HpWi80rK6T4BwXu2e/2A7PMa97m9GI7blDTtzP9AOy0PaKnEp bb8kESzEVCjQt3F4o1dnYgrbxB0r5gk0n2hI4SQEtPD+WJ1EjlWnIo1kZwARAQAB tCBTdGVwaGVuIEQuIENvcGUgPGdwZ0BzZGMub3JnLm56PokCPgQTAQIAKAUCU5qT cQIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQbh+I5LO0u/W9 HA/+JmPOkU2pZDkf1lmsrae67kcSH4cX+5pqS03mcUYT7F1cJRlzSALF0rNpdKmT ZVajKvYgeH8tkDAskJwbJaQvFR9V02vxoE/IhzyH4JjUSpVLGxt+cKLJhGN+zkkA fxzPgUVdB46l9jkNmZSgQ0i3jEZUDPfVu//TJEZCgWFMAvFkM001W4wPiNsnp3cP Fktgl1sIHDTeCyXukTOiYeViHctw4n99Wws1XPW5+cNnghl4Qyp9TQbJgpxpCyQ1 Nux8nlsN5uytAamthth03CSGGbD05EcnJF6S2tZA1ooGespX8aBEdRBjGr4AEDgK VGWFO0SQz679goBTD6/1UEFdvzhQRk4NwbQq//vnlC4T6CgJE+Oxy3eQMokABTtv oAaFDBRAqGhxhjLZ1DYlaLtfi+Sg9oXqUhH5YLGmA+cX/zuwfDKjId7FbIkUuNgy avdYIf8cDfHeRZJpyZkUgJZv0qOOJwjp5TYFq7Pi7t6Uiv29Sh5PNLJar0RjVa9t zFYBGkOZN7MSc+0Gx4eWIrM+kq77mv+YsyajIgWH6HfBJKrQ5scQb734yICbpSJN oZZ4+ow7A4tGaRMnfc8+IYWMTcPXCgj/Eoc8o03VPP65qVPglyhsE4DYOIAuvGPN K1LViYId2IsbQkbkbpWuHLqmR3TulFcjGyTx1amVEXtr0qC5Ag0EU5qTcQEQAKsz Cpqm7rgkfvV9oYyZu8vnN9pvgVG75wyWKjC4UO16I13dY22Njwu1JbwEba0C4sgs jFGtqENrWX8KaCrLA5PRuwJzPyt8wJRNHJ7/oXJ9v1zIBK12YQToQb0vj3ZyxASr 8L5GfPFEml7BQis/ZMdyux/MbVkVjmQo2mWBRH+Ocibwfos1VCT+zEwsAFRek1rL /7GWyy+xbOXQ9mXULIewcmwt9hYlzJrcsN8EOutGsSNQ2/LJhoD9lY/iK3wyP8hl v4n0Mw5ApydVD8Lf8V6F16t762W7rk3c1UUUdgzJi4GuKFnuuts7MzViA0kHSZkd AN75XfZEKqCAsFJwmHUk/X/Muoh8k0ICZvAzd0WiKX0OiD2/Q+mW4OfF8jYSTDj3 QDAsn+2Cxa3u+LP1wkJgpmKShOQsLbz2NLwr2Fg41PTHml3jBKVAzVnAhOxm6aVu AI/FjpysmN39+NewpaI3/XHHW0ZlReLaMooQ7Q65mEOpl++nv98wTfN1jVImtT52 wI+4SvpLkLlLjdquIIy4URtpmivsC6hSMRt3zyODifFWaMrEkXi8b4Ici6OR/Th8 RB+Ek0/dm6qY3rg4WdKpJ4RCJZ1dUPKmd1YWACA14Uepdvfv0JnClsL7PtcHgija qBPCtjnPuNv4ojWcTanTbsI9wSyPhvyaCbH+tfVbABEBAAGJAiUEGAECAA8FAlOa k3ECGwwFCQlmAYAACgkQbh+I5LO0u/VqoBAAntU2+IgXOxkQ2/qv51963PB8NhJJ MAQCVXm9M3p+KfBeLUWabwWHZhqZJ8wz9mCEB5Zie64qHhMRBgYEgVinL8x3CO+8 iPvdr9AjNnBoZleZxQ7HtDsVGn08AC9vtj3QLmRO1M2Wu21wXSUsqJaghVkT8McR kX7dOYjcVvFGMHneFQ0zEasFZ/U+s8GhLGHEtvxvlBPO/46iNv8gXdreH3lY2hSR 4nZqxvhjmBO0mkIOcmDl3gXvxDbM0WwjbMNiKZfWftD9bCio8L4qPdK3LD2nU4c+ kAR7BVwTSxiiwvjXOJBjZzVBSvwD8JwXNIUf5B52DfRRwM5aBkuMpCnUsGKUWIGL uc1afJ9c7D8rr9G+8u3R5GWi6yv1n7IvAunD9iYkCi3QNpxwWIy0N4YvYq1J7Dc5 Jo6mnFKRPIU7mE+ZCjP5q7V+FlnR0iVjboFxmF7mtU1dlMtIOroRPCriatSRx6rY 8bmj9pfcmuVUpRI7Khu+yJHcWwFqxpDtcvlgJ+8QO8OEcJg94Wy4RJHCwkSHUftN KKeDdDUwveuPk6LxFQTt5O0bAoKvODiTIs52E1nYdIOUjo8RybIhv6pb7JOQQ7oq +lqCe2w/NTOt3A08z7PfT5866qeJBF1g1r7TFDINJ9jYeERZpFLABxNKbdLkLD70 ki2FvbBe28kEaWc= =Icxq -----END PGP PUBLIC KEY BLOCK-----
If you're signing my key because you trust me and have verified that it is indeed mine, please upload it to a keyserver so we can all enjoy the web of trust. Thanks!
Please ring me to verify the GPG fingerprint above. The key can be found on all good keyservers.
Once you trust me and trust my key, make sure you inform GPG by locally signing it. Then you can use it to verify other files and messages I have signed.
# gpg --sign-key B3B4BBF5 # gpg --send-keys B3B4BBF5
Cryptography and PKI Tutorial by Lawrence Hughes
Not so long ago this page explained how one could install the Pans CA (Certificate Authority) on your computer. I leave this here as a general purpose way to install a Certificate Authority of your choice onto Linux. Before I ran Pans CA I ran Snap CA, and before that I ran one a previous employer.
I have run various Certificate Authorities from until late 2014. The work done by CACert.org and Let's Encrypt is excellent so there is no longer any need for me to run my own authority. Install the CACert.org root (if you trust them - don't take my word for it) and use them to your heart's content.
To install your own certificate authority, download the CA's public key, eg, CACert.org Class 1 PKI root.
On Ubuntu 13 or 14: Place the file into /etc/ssl/certs/ and then run 'sudo c_rehash'. This creates symlinks to it, and then wget, curl and other commands no longer complain.
On Redhat/CentOS 5: Place the file into /etc/pki/tls/certs/ and then append its contents to /etc/pki/tls/cert.pem
For Firefox, Internet Explorer, Android, etc, they should prompt you for what you want to do when you install the certificate.
Did I mention that you must be absolutely sure you have the right file before you install it?
Are you interested in crypto?
Make your own client certificate.
Would you like to add ChaCha20 support to your website? Add ChaCha20 to your website!
Switching out OpenSSL for LibreSSL is easy.