
cacert-devel - Re: Automating Certificate Renewal

Subject: CAcert Code Development list.


Re: Automating Certificate Renewal


  • From: Bernhard Fröhlich <bernhard AT cacert.org>
  • To: Jason Curl <jcurl AT arcor.de>
  • Cc: cacert-devel AT lists.cacert.org
  • Subject: Re: Automating Certificate Renewal
  • Date: Tue, 27 Sep 2011 22:48:08 +0200
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

On 27.09.2011 21:10, Jason Curl wrote:

> Hi Bernhard,
>
> Dropping the support list. I had a quick look and it looks a little lacking. Is providing the password in the URL really secure? I don’t know quite enough about SSL to know if the URL is secure – I assume it isn’t.

If using SSL, the URL is as secure as anything else transferred on the secure channel. Exactly the same as the normal login dialog.

Of course we should also support authorisation by client certificate, and it's not hard to implement, but still a bit of work.

> I can speak to a colleague of mine at work (he’s working on wdye.osm-tools.org), and he should have a couple of good ideas (he’s also a CAcert member). Hopefully he could give some tips on a useful API. But I’m no web programmer, just embedded and some moderate stuff on Windows.
>
> To emulate completely the certificate generation, as well as the renewal.
>
> Also, I’m confused by the discussion that the private key is required by CAcert. I disagree with this and would expect that CAcert only requires signing of the public key (if the pub key doesn’t match with the private key, then the certificate is useless), or what is your opinion? I really do not want to submit the private key at all, else everything can be handled by the backend.

Of course CAcert does not need the private key, but a "certificate signing request" (CSR) is required. This CSR contains the _public_ key of the user, plus some other information that may be included in the certificate.

And, BTW, this interface can handle "certificate generation" as well as "renewal", since renewal just uses the same CSR as initial issuing to create a new certificate which is then called a "renewed certificate". :-)

Ted
;)

> Thanks & Best Regards,
>
> Jason.
>
>> From: Bernhard Fröhlich [mailto:bernhard AT cacert.org]
>> Sent: Monday, September 26, 2011 09:43
>> To: Jason Curl
>> Cc: cacert-support AT lists.cacert.org; CAcert Code Development list.
>> Subject: Re: Automating Certificate Renewal
>>
>> Hi Jason,
>>
>> we should take this discussion over to the development mailing list, since this is probably a development issue and support cannot do much about it.
>>
>> There are some ancient issues in the bugtracker, for example https://bugs.cacert.org/view.php?id=444, as well as a Wiki page at http://wiki.cacert.org/CertApi, but my guess is that the existing API covers only very basic functionality.
>>
>> But maybe the API can be adjusted/extended easily. If you could just have a look at the Wiki page, maybe you can tell us if this can be a starting point for your ideas.
>>
>> Kind regards
>> Ted
>> ;)


Attachment: smime.p7s
Description: S/MIME cryptographic signature
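The two technical points of the reply above (a CSR carries only the public key plus the signed request data, and a "renewal" is just the same CSR signed again into a new certificate) can be checked locally. The script below is an added example written for this archive page; it is not CAcert code and does not talk to the CAcert API. It assumes the openssl command-line tool is installed, uses a throwaway self-signed "Demo CA" as a stand-in for the real signing backend, and the subject names (alice, Demo CA), file names and serial numbers are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not CAcert code: show what a CSR contains and why one CSR
# can serve both initial issuance and renewal. Assumes the openssl CLI is on
# PATH. "Demo CA" is a local throwaway CA standing in for the CAcert backend
# (an assumption for the demo only); "alice" and the serials are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_key_and_csr NAME: generate an RSA key and a CSR for CN=NAME.
# Only NAME.key ever holds private material; NAME.csr is what would be sent.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# csr_is_key_free CSR: succeed if no private-key PEM block is in the file.
csr_is_key_free() {
  ! grep -q "PRIVATE KEY" "$1"
}

# csr_is_self_signed CSR: the request is signed by the key it belongs to;
# that signature is the CA's proof of possession without seeing the key.
csr_is_self_signed() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: the public key inside the CSR is exactly the
# public half of KEY, and nothing else about KEY is in the request.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# make_ca: self-signed test CA (stand-in for the signing backend).
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Demo CA" -days 2 \
    -out "$WORK/ca.crt" 2>/dev/null
}

# issue CSR SERIAL DAYS OUT: sign CSR into a certificate. Calling this a
# second time with the same CSR and a fresh serial is exactly a renewal.
issue() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$2" -days "$3" -out "$4" 2>/dev/null
}

# cert_serial CRT: serial as openssl prints it, e.g. "serial=01".
cert_serial() {
  openssl x509 -in "$1" -noout -serial
}

# certs_share_key CRT1 CRT2: both certificates bind the same public key.
certs_share_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Walk-through: the key stays local, the CSR goes to the CA, two
# certificates come back. Under set -e any failed check aborts the script.
demo() {
  make_key_and_csr alice
  csr_is_key_free "$WORK/alice.csr"
  echo "CSR contains no private key"
  csr_is_self_signed "$WORK/alice.csr"
  echo "CSR self-signature verifies"
  csr_matches_key "$WORK/alice.csr" "$WORK/alice.key"
  echo "CSR public key equals the public half of alice.key"
  make_ca
  issue "$WORK/alice.csr" 1 30 "$WORK/alice-initial.crt"
  issue "$WORK/alice.csr" 2 30 "$WORK/alice-renewed.crt"   # same CSR again
  certs_share_key "$WORK/alice-initial.crt" "$WORK/alice-renewed.crt"
  echo "initial and renewed certificates share one public key"
  cert_serial "$WORK/alice-initial.crt"
  cert_serial "$WORK/alice-renewed.crt"
}

demo
```

The point for an automated client is that the .csr is the only artefact that ever leaves the machine; the .key is generated and kept locally, and the same .csr can be resubmitted when the certificate is due for renewal. Note that the demo writes an unencrypted key into a temporary directory, which is fine for a throwaway run but not how a production key should be stored.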




