| 10 | | == creating a personal certificate == |
| 11 | | |
| 12 | | The certificate authority is also used at the moment to sign certificates for individual users. If you would like a certificate for yourself to use within CAL, follow these instructions: |
| 13 | | |
| 14 | | === prerequisites === |
| 15 | | |
| 16 | | This assumes you are running a reasonable operating system which has [http://www.openssl.org/ openssl] installed. This probably does not include [http://www.microsoft.com/ Windows]. |
| 17 | | |
| 18 | | === download the setup script === |
| 19 | | |
| 20 | | The setup script is attached to this wiki page as [attachment:CALpkcs12?format=txt CALpkcs12]. it is a bash script, and should be made executable with `chmod u+x` |
| 21 | | |
| 22 | | === generating a private key and certificate request === |
| 23 | | |
| 24 | | Run the following command and provide reasonable answers to the questions it asks you: |
| 25 | | |
| 26 | | {{{ |
| 27 | | [dkg@squeak test]$ chmod u+x CALpkcs12 |
| 28 | | [dkg@squeak test]$ ./CALpkcs12 newkey |
| 29 | | Choose your preferred user name: [dkg] dkg |
| 30 | | Enter your current e-mail address: [dkg@localdomain] dkg@example.org |
| 31 | | Choose a passphrase: |
| 32 | | Confirm the passphrase: |
| 33 | | Generating a 2048 bit RSA private key |
| 34 | | ...................................+++ |
| 35 | | .........................................+++ |
| 36 | | writing new private key to '.CAL-key.pem' |
| 37 | | ----- |
| 38 | | trying to mail new certificate request to the CAL network admin <omitted here> |
| 39 | | Success! You may want to also mail the CAL network admin |
| 40 | | <omitted here> a brief followup e-mail about your new account |
| 41 | | registration. |
| 42 | | [dkg@squeak test]$ |
| 43 | | }}} |
| 44 | | |
| 45 | | So far, you've created a key and a certificate request. The system administrator still needs to provide you with a full-fledged certificate. Don't lose the files in this directory! |
| 46 | | |
| 47 | | === creating the PKCS12 from the generated certificate === |
| 48 | | |
| 49 | | After receiving and verifying your certificate request, the system administrator will send you a file called `CAL-cert.pem`. Save it in the same directory as your other certificates, and you can now run the following command: |
| 50 | | |
| 51 | | {{{ |
| 52 | | [dkg@squeak test]$ CALpkcs12 newcert |
| 53 | | Where is the downloaded certificate? [CAL-cert.pem] |
| 54 | | Enter your passphrase: |
| 55 | | Created pkcs12 certificate bundle in file CAL-cert.p12. You |
| 56 | | can now import this bundle into your favorite web browser. |
| 57 | | [dkg@squeak test]$ |
| 58 | | }}} |
| 59 | | |
| 60 | | You can throw away all of these files now, with the exception of `CAL-cert.p12`, which you will use to configure your client software. |
| 61 | | |
| 62 | | == Using the certificate in different clients == |
| 63 | | |
| 64 | | You'll probably want to use this certificate in different clients. For example, you will find it useful in your web browser. |
| 65 | | |
| 66 | | === configuring Mozilla === |
| 67 | | Under Mozilla, choose "Edit|Preferences", then select "Privacy and Security" in the left-hand pane, and choose "Certificates" from the sub-menu. |
| 68 | | |
| 69 | | Click "Manage Certificates", ensure that the "Your Certificates" tab is active, and choose "import". Point Mozilla at `cal-cert.p12`, and give it the password you gave in the "Export Password" step above. Mozilla should now know how to identify you to the server. |
| 70 | | |
| 71 | | === configuring Firefox === |
| 72 | | Under firefox, choose "Edit", "Preferences", then under "Advanced", expand the "Certificates" section. Click "Manage Certificates". Ensure that the "Your Certificates" tab is active, and choose "import". Point Firefox at `cal-cert.p12`, and give it the password you gave in the "Export Password" step above. Firefox should now know how to identify you to the server. |
| | 10 | You may also want to consider setting up a [wiki:"Personal Certificate"] |
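Review bot: the removed Mozilla and Firefox steps (old lines 69 and 72) name the bundle `cal-cert.p12` and refer to an "Export Password" step, but the transcript shows the script writing `CAL-cert.p12` and prompting only for a passphrase. If this text is being moved to the "Personal Certificate" page that new line 10 links to, correct both there rather than copying them verbatim. Old line 60 tells the reader to throw away every file except `CAL-cert.p12`, which includes `.CAL-key.pem`; the destination page should say that the bundle must then be protected and backed up as the remaining copy of the key. The second transcript invokes `CALpkcs12 newcert` without the `./` used in the first, and the added sentence on new line 10 has no closing period.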