2015-01-01 13:56:03 -07:00
# SSL Certificate Authority
internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains or 172.22.0.0/15 IP addresses.
The name constraints can be checked with openssl:
```
openssl x509 -in dn42.crt -text -noout
```
which will show, among other things:
```
X509v3 Name Constraints:
Permitted:
DNS:.dn42
```
**Certificate fingerprint**
```
$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt
SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9
```
**Test Sites with a bad key**
The following sites have been set up to demonstrate that validation fails when the CA signs a certificate whose subject alternative names fall outside its constraints:
- [badkey.sour.is](https://badkey.sour.is)
- [badkey.xuu.me](https://badkey.xuu.me)
- [badkey.xuu.dn42](https://badkey.xuu.dn42)
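To see the constraint check end to end, here is an added example that is not part of the dn42 wiki and does not touch the real dn42 CA key: it builds a throwaway CA with the same kind of Name Constraints described above (DNS:.dn42 plus 172.22.0.0/15), issues leaf certificates with subjectAltNames inside and outside those constraints, and runs `openssl verify` against each, reproducing the failure the badkey test sites are set up to show. The CA name, hostnames and addresses in it are made up for the demonstration; it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example (not from the dn42 wiki, not the real dn42 CA): a throwaway
# CA carrying critical X509v3 Name Constraints, a few leaf certificates, and
# `openssl verify` showing which of them are accepted. All files live in a
# temporary directory that is removed on exit.
set -e

# build_constrained_ca DIR: self-signed CA limited to .dn42 and 172.22.0.0/15.
build_constrained_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo constrained CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# 172.22.0.0/15 is written as address/netmask in a nameConstraints IP entry
nameConstraints = critical, permitted;DNS:.dn42, permitted;IP:172.22.0.0/255.254.0.0
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_leaf DIR NAME SAN: CSR for CN=NAME, signed by the CA with the given
# subjectAltName list (the CA here signs anything; verification does the check).
issue_leaf() {
  dir=$1; name=$2; san=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'subjectAltName = %s\n' "$san" > "$dir/$name.ext"
  openssl x509 -req -days 1 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# verify_leaf DIR NAME: prints ok/rejected; exit status mirrors openssl verify.
verify_leaf() {
  if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo rejected; return 1
  fi
}

# show_constraints DIR: the same inspection the page performs on dn42.crt.
show_constraints() {
  openssl x509 -in "$1/ca.crt" -text -noout | grep -A 3 'Name Constraints'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_constrained_ca "$WORK"
show_constraints "$WORK"
# constructed sample leaves: two inside the constraints, two outside
issue_leaf "$WORK" good.dn42      'DNS:good.dn42'
issue_leaf "$WORK" router.dn42    'IP:172.22.0.1'
issue_leaf "$WORK" badkey.sour.is 'DNS:badkey.sour.is'
issue_leaf "$WORK" outside.dn42   'DNS:outside.dn42,IP:10.0.0.1'
for leaf in good.dn42 router.dn42 badkey.sour.is outside.dn42; do
  printf '%-16s %s\n' "$leaf" "$(verify_leaf "$WORK" "$leaf" || true)"
done
```

Every subjectAltName entry has to satisfy the constraints: `outside.dn42` is rejected because of its 10.0.0.1 address even though its DNS name is fine. The same `openssl verify -CAfile dn42.crt server.crt` invocation works against a certificate actually issued by the dn42 CA.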
If you would like to trust the certificate, import the following CA certificate. After importing it, confirm that its SHA256 fingerprint matches the one given above.
```
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```
If you would like to have a certificate signed by this CA, send a CSR to xuu@sour.is. Keep the private key to yourself; the CA only needs the CSR, and it will only sign names that fit the constraints above.

**Import the certificate**
- On Arch Linux you can install the [ca-certificates-dn42](https://aur.archlinux.org/packages/ca-certificates-dn42) package from the AUR
- CAcert has a comprehensive FAQ on importing your own root certificates into [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert)