Personal Certificates

The CAL Certificate Authority can be used at the moment to sign certificates for individual users. If you would like a certificate for yourself to use within CAL, follow these instructions:

prerequisites

This assumes you are running a reasonable operating system which has openssl installed. This probably does not include Windows.

download the setup script

The setup script is available in the repository. It is a bash script, and should be made executable with chmod u+x.

generating a private key and certificate request

Run the following command and provide reasonable answers to the questions it asks you:

[dkg@squeak test]$ chmod u+x CALpkcs12 
[dkg@squeak test]$ ./CALpkcs12 newkey
Choose your preferred user name: [dkg] dkg
Enter your current e-mail address: [dkg@localdomain] dkg@example.org
Choose a passphrase: 
Confirm the passphrase: 
Generating a 2048 bit RSA private key
...................................+++
.........................................+++
writing new private key to '.CAL-key.pem'
-----
trying to mail new certificate request to the CAL network admin <omitted here>
Success!  You may want to also mail the CAL network admin
<omitted here> a brief followup e-mail about your new account
registration.
[dkg@squeak test]$ 

So far, you've created a key and a certificate request. The system administrator still needs to provide you with a full-fledged certificate. Don't lose the files in this directory!

creating the PKCS12 from the generated certificate

After receiving and verifying your certificate request, the system administrator will send you a file called CAL-cert.pem. Save it in the same directory as your other certificates, and you can now run the following command:

[dkg@squeak test]$ CALpkcs12 newcert
Where is the downloaded certificate? [CAL-cert.pem] 
Enter your passphrase: 
Created pkcs12 certificate bundle in file CAL-cert.p12.  You
can now import this bundle into your favorite web browser.
[dkg@squeak test]$

You can throw away all of these files now, with the exception of CAL-cert.p12, which you will use to configure your client software.
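
The same key, request and bundle workflow written out in plain openssl, as an added example; it is not the CALpkcs12 script, whose contents this page does not show. It also checks that the certificate sent back matches your private key before the bundle is built. The file names, the DEMO_PASS environment variable and the throwaway CA standing in for the system administrator are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: the key/request/bundle workflow in plain openssl, with a
# key-to-certificate match check. Not the CALpkcs12 script itself.
# File names, DEMO_PASS and the throwaway CA are constructed for this demo.
umask 077   # keep key material unreadable by other local users

# User side: passphrase-protected 2048-bit RSA key plus a certificate request.
# The passphrase is read from the environment so it never appears in argv.
make_request() {   # $1=dir  $2=user name  $3=e-mail
  openssl req -new -newkey rsa:2048 -keyout "$1/key.pem" -out "$1/req.pem" \
    -passout env:DEMO_PASS -subj "/CN=$2/emailAddress=$3" 2>/dev/null
}

# Stand-in for the administrator: a one-day throwaway CA signs the request.
sign_request() {   # $1=dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/req.pem" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
    -set_serial 1 -days 1 -out "$1/cert.pem" 2>/dev/null
}

# True only when the certificate carries the public half of the private key.
key_matches_cert() {   # $1=private key  $2=certificate
  kpub=$(openssl pkey -in "$1" -passin env:DEMO_PASS -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Build the PKCS#12 bundle, refusing a certificate issued for another key.
make_bundle() {   # $1=dir
  key_matches_cert "$1/key.pem" "$1/cert.pem" || {
    echo "certificate does not match private key" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -out "$1/cert.p12" -passin env:DEMO_PASS -passout env:DEMO_PASS 2>/dev/null
}

# Demo in a scratch directory with a constructed passphrase.
demo() {
  d=$(mktemp -d) || return 1
  export DEMO_PASS='constructed-demo-passphrase'
  make_request "$d" dkg dkg@example.org && sign_request "$d" &&
    make_bundle "$d" && echo "bundle written to $d/cert.p12"
}
demo
```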

Using the certificate in different clients

You'll probably want to use this certificate in different clients. For example, you will find it useful in your web browser.

configuring Mozilla

Under Mozilla, choose "Edit|Preferences", then select "Privacy and Security" in the left-hand pane, and choose "Certificates" from the sub-menu.

Click "Manage Certificates", ensure that the "Your Certificates" tab is active, and choose "import". Point Mozilla at CAL-cert.p12, and give it the password you gave in the "Export Password" step above. Mozilla should now know how to identify you to the server.

configuring Firefox

Under Firefox, choose "Edit", "Preferences", then under "Advanced", expand the "Certificates" section. Click "Manage Certificates". Ensure that the "Your Certificates" tab is active, and choose "import". Point Firefox at CAL-cert.p12, and give it the password you gave in the "Export Password" step above. Firefox should now know how to identify you to the server.