Bug 223347 (cacert)

Summary:	SSL Certificate requests (CACert)
Product:	Gentoo Infrastructure	Reporter:	Robin Johnson <robbat2>
Component:	Other web server issues	Assignee:	Gentoo Infrastructure <infra-bugs>
Status:	RESOLVED OBSOLETE
Severity:	normal	CC:	n-roeser
Priority:	High	Keywords:	Tracker
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	482870
Bug Blocks:
Attachments:	OpenSSL Req config file OpenSSL Req config file

Description Robin Johnson archtester

2008-05-23 14:09:17 UTC

This is a tracking bug for SSL certificate requests.

Please use the attached gentoo.cnf to generate your certificate requests, name them per the comment in the file, and then email them to cacert@gentoo.org AND leave a note on this bug with the filename you used.

Comment 1 Robin Johnson archtester

2008-05-23 14:09:49 UTC

Created attachment 154065 [details]
OpenSSL Req config file

Comment 2 Robin Johnson archtester

2008-05-23 14:23:48 UTC

Created attachment 154069 [details]
OpenSSL Req config file

Updated version with better instructions and defaults.

Comment 3 Robin Johnson archtester

2008-05-23 14:26:05 UTC

The present attachment is the latest gentoo.cnf file.
We need to decide on some suitable OU values to use still.
To date, on all public certificates, we've used 'Gentoo Infrastructure' for that field - if we want to change that, now is the time to do so.

# Current instructions, as of 2008/05/23:
# 1. download gentoo.cnf from bug #223347
# 2. export CNAME="FOOBAR.gentoo.org"
# 3. export NAME="$(date -u +%Y%m%d)_gentoo_${CNAME}"
# 4. openssl genrsa -out ${NAME}.key 1024
# 5. openssl req -config gentoo.cnf -text -out ${NAME}.csr -key ${NAME}.key -new
# 6. email ${CSR}.csr to cacert@gentoo.org, and leave a comment on bug #223347
#    with the name of the file.

Comment 4 Robin Johnson archtester

2008-05-23 14:29:26 UTC

Certificate public TODO list:
https bugs.gentoo.org
https forums.gentoo.org
imaps mail.gentoo.org
smtps mail.gentoo.org (incoming and outgoing)

Comment 5 Robin Johnson archtester

2008-05-25 03:16:06 UTC

Cert request for 20080525_gentoo_forums.gentoo.org.csr emailed.

Comment 6 Robin Johnson archtester

2008-05-25 04:38:02 UTC

Temporary cert for forums.gentoo.org issued. Has buggy emailAddress field due to minor issue @ CACert. I put the temp one online for now, and I'll refresh it to a final one after they fix their end.

Comment 7 Robin Johnson archtester

2008-05-25 21:28:34 UTC

Final cert for forums.g.o is online now. No more emailAddress field, and L has been corrected as well.

Comment 8 Robin Johnson archtester

2008-06-21 22:52:28 UTC

20080621_gentoo_bugs.gentoo.org.csr emailed.
20080621_gentoo_bugs.gentoo.org.crt completed.

Comment 9 Robin Johnson archtester

2009-05-20 01:09:01 UTC

20090519_gentoo_forumstest.gentoo.org.csr emailed.
20090519_gentoo_forumstest.gentoo.org.crt completed.

Comment 10 Robin Johnson archtester

2009-06-30 06:43:41 UTC

Emailed:
20090629_gentoo_dev.gentoo.org_imapd.csr.pem
20090629_gentoo_dev.gentoo.org_pop3d.csr.pem
Completed:
20090629_gentoo_dev.gentoo.org_imapd.crt.pem
20090629_gentoo_dev.gentoo.org_pop3d.crt.pem

Comment 11 Robin Johnson archtester

2009-08-03 21:51:24 UTC

Emailed:
20090803_gentoo_overlays.gentoo.org.csr.pem
Completed:
20090803_gentoo_overlays.gentoo.org.crt.pem

Comment 12 Matt Summers (RETIRED) gentoo-dev

2009-10-18 17:56:20 UTC

20091018_gentoo_hardenedwiki.gentoo.org.csr emailed

Comment 13 Matt Summers (RETIRED) gentoo-dev

2009-10-18 22:13:46 UTC

20091018_gentoo_hardenedwiki.gentoo.org.crt completed

Comment 14 Robin Johnson archtester

2010-05-25 20:49:53 UTC

Emailed:
20100525_gentoo_dev.gentoo.org-smtp-tls.csr.pem
Completed:
20100525_gentoo_dev.gentoo.org-smtp-tls.crt.pem

Comment 15 Robin Johnson archtester

2010-08-14 03:54:49 UTC

20100814_gentoo_dev.gentoo.org.csr emailed.

Comment 16 Robin Johnson archtester

2010-08-14 04:13:45 UTC

20100814_gentoo_dev.gentoo.org.csr completed.

Comment 17 Robin Johnson archtester

2010-12-02 07:11:09 UTC

New items processed:
20101202_gentoo_blogs.gentoo.org
20101202_gentoo_wiki.gentoo.org
20101202_gentoo_glsamaker2.gentoo.org
20101202_gentoo_recruiting.gentoo.org

There is now a script in the cfengine repo to help generate the config, key, csr, that also sends email as required by this tracking bug.

Comment 18 Robin Johnson archtester

2011-12-02 00:27:22 UTC

Comment on attachment 154069 [details]
OpenSSL Req config file

The prior instructions and config are now obsolete.

Current instructions, as of 2011/12/01:
1. Change to output directory.
2. /usr/local/sbin/generate-ssl DNS:foobar.gentoo.org DNS:foobar2.gentoo.org
3. Leave a comment on bug #223347 (this bug) about the request.

The generate-ssl script is in the cfengine repo, should be available on all hosts, and has a lot of detail if you pass --help now.

Comment 19 Robin Johnson archtester

2011-12-02 00:28:59 UTC

20111201_gentoo_dev.gentoo.org.csr emailed
        Subject: C=US, ST=New Mexico, L=Albuquerque, O=GENTOO Foundation, Inc., OU=dev.gentoo.org IMAP/POP3/SIEVE SSL, CN=dev.gentoo.org/emailAddress=cacert@gentoo.org
            X509v3 Subject Alternative Name:
                DNS:dev.gentoo.org, DNS:mail.gentoo.org, DNS:imap.gentoo.org, DNS:pop3.gentoo.org

Comment 20 Robin Johnson archtester

2011-12-02 00:43:07 UTC

20111201_gentoo_dev.gentoo.org.crt completed.
Pending CACert bug where slashes are being dropped:
http://bugs.cacert.org/view.php?id=995

Comment 21 Alex Legler (RETIRED) archtester

2014-04-26 12:00:16 UTC

This tracker seems to be no longer needed now that we've migrated off of CACert.