TLDR: Import the CA.
[sig], GPG [key] and [policy] for the paranoid.
Rhizogenes uses TLS certificates for the various services it hosts:
Those certificates expire every year (365 days). Each of them is valid for all the aliases of the service it's used on (for example, the certificate for smtp.rhizogen.es.eu.org is also valid for mail.rhizogen.es.eu.org and mx.rhizogen.es.eu.org, as well as for the server's IP addresses).
Each service also has a TLSA record containing the hash of its certificate, so if your client supports DANE it will recognise the certificate without any additional effort. Keep in mind that DANE only helps when your resolver validates DNSSEC: an unvalidated TLSA record can be spoofed just as easily as the certificate itself.
Otherwise, you can import the service certificates manually one by one, but it's easier to import the certificate authority directly. Its fingerprints are:
SHA1:   03:57:7D:7D:E5:42:39:6F:E9:3B:78:A0:15:6B:3D:F2:DF:2E:03:59
SHA256: 8C:07:4E:B5:C7:BD:3C:7D:6B:A7:D8:D5:D4:F6:15:79:47:85:35:D6:4E:7C:8B:A2:FD:BB:D7:8D:94:7F:57:19
The Certificate Authority expires every 5 years (1825 days).
Most UNIX systems store the trusted TLS certificates in the certs/ subdirectory of the OPENSSLDIR path given by the command openssl version -d (so often /etc/ssl/certs/). In my case it's:
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
and here /usr/lib/ssl/certs is a link to /etc/ssl/certs.
On Debian GNU/Linux, certificates added by the administrator are placed in /usr/local/share/ca-certificates/ and added to /etc/ssl/certs via the command update-ca-certificates:
# wget http://www.rhizogen.es.eu.org/pubkeys/rhizogen.es.eu.org/tls/onalyrg_ca.crt
# cp onalyrg_ca.crt /usr/local/share/ca-certificates/
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Here I'm doing it as root, but any user in the group staff can do it. Two things to keep in mind: the file was fetched over plain HTTP, so compare its fingerprints with the ones given above (as shown further down) before you run update-ca-certificates, and update-ca-certificates only picks up PEM files whose name ends in .crt.
Some programs, notably those from Mozilla (Firefox, Thunderbird, SeaMonkey...), don't use this system store and keep certificates in their own NSS database. For those you just need to download the certificate and open/import it with the program in question (in a browser you can directly click on the link), then follow the instructions (in Firefox/Thunderbird you'll need to tick the boxes saying for which purposes the CA is trusted).
You can verify the authenticity of the certificate using the fingerprints given above, via the import tool or using the command line:
$ openssl x509 -in certs/onalyrg_ca.crt -noout -fingerprint
SHA1 Fingerprint=03:57:7D:7D:E5:42:39:6F:E9:3B:78:A0:15:6B:3D:F2:DF:2E:03:59
$ openssl x509 -in certs/onalyrg_ca.crt -noout -fingerprint -sha256
SHA256 Fingerprint=8C:07:4E:B5:C7:BD:3C:7D:6B:A7:D8:D5:D4:F6:15:79:47:85:35:D6:4E:7C:8B:A2:FD:BB:D7:8D:94:7F:57:19
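The three manual steps above (fetch the CA, compare its fingerprint, drop it into /usr/local/share/ca-certificates/) and the TLSA check mentioned earlier, as one added Python example; this is not code from the Rhizogenes page, it only uses the standard library. It reads the PEM, computes the SHA-256 fingerprint exactly as openssl x509 -fingerprint -sha256 does (the digest of the DER bytes), refuses to copy the file when that fingerprint differs from the value pinned from this page, and derives the TLSA RDATA so the published record can be compared with a dig TLSA query. Assumptions of mine: the TLSA usage/selector values (3 0 1 by default, DANE-EE over the full certificate) are not stated on the page; the sample certificate is a constructed, structurally minimal DER stand-in, not the real CA; install_ca() needs write access to the destination, and update-ca-certificates still has to be run afterwards.

```python
"""Pin-check a CA certificate and derive its DANE TLSA data.
Added example, not code from the Rhizogenes page; standard library only."""
import base64
import hashlib
import re
import shutil
from pathlib import Path

# SHA-256 fingerprint of the Rhizogenes CA as published on the page.
PINNED_SHA256 = ("8C:07:4E:B5:C7:BD:3C:7D:6B:A7:D8:D5:D4:F6:15:79:"
                 "47:85:35:D6:4E:7C:8B:A2:FD:BB:D7:8D:94:7F:57:19")
DEBIAN_LOCAL_CA_DIR = "/usr/local/share/ca-certificates"  # update-ca-certificates scans *.crt here
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case digest of the DER, as `openssl x509 -fingerprint` prints it."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def pin_matches(der: bytes, pinned: str) -> bool:
    """Compare the SHA-256 fingerprint with the pinned one, ignoring colons and case."""
    return fingerprint(der).replace(":", "") == pinned.replace(":", "").upper()


def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Parse one DER header (single-byte tag, definite length): (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(tlv: bytes) -> list[bytes]:
    """Element TLVs inside a constructed DER value such as a SEQUENCE."""
    _, pos, end = _tlv(tlv, 0)
    children = []
    while pos < end:
        _, _, cend = _tlv(tlv, pos)
        children.append(tlv[pos:cend])
        pos = cend
    return children


def subject_public_key_info(der: bytes) -> bytes:
    """SubjectPublicKeyInfo TLV of a DER certificate (what TLSA selector 1 hashes)."""
    fields = der_children(der_children(der)[0])     # tbsCertificate
    if fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, SPKI


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 0) -> str:
    """TLSA RDATA 'usage selector 1 <hex>' with matching type 1 (SHA-256)."""
    data = der if selector == 0 else subject_public_key_info(der)
    return f"{usage} {selector} 1 {hashlib.sha256(data).hexdigest()}"


def install_ca(cert_path: str, pinned: str = PINNED_SHA256,
               dest_dir: str = DEBIAN_LOCAL_CA_DIR) -> str:
    """Copy the .crt into dest_dir only if its pin matches; run update-ca-certificates afterwards."""
    der = pem_to_der(Path(cert_path).read_text())
    if not pin_matches(der, pinned):
        raise SystemExit(f"refusing {cert_path}: fingerprint {fingerprint(der)} is not the pinned one")
    dest = Path(dest_dir) / Path(cert_path).name    # keep the .crt suffix or the file is ignored
    shutil.copy2(cert_path, dest)
    return str(dest)


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def sample_certificate_pem() -> str:
    """Constructed stand-in: a structurally minimal X.509 DER in PEM, NOT a real certificate."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))       # rsaEncryption
    sig_alg = seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    validity = seq(_der(0x17, b"200510000000Z"), _der(0x17, b"250509000000Z"))
    spki = seq(seq(rsa_oid, _der(0x05, b"")), _der(0x03, b"\x00" + b"\x42" * 32))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
              sig_alg, seq(), validity, seq(), spki)
    cert = seq(tbs, sig_alg, _der(0x03, b"\x00" * 17))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    der = pem_to_der(sample_certificate_pem())
    print("SHA256 Fingerprint=" + fingerprint(der))
    print("TLSA:", tlsa_rdata(der))
    print("matches the published pin:", pin_matches(der, PINNED_SHA256))  # False for the stand-in
```

Run as is, it only exercises the constructed stand-in; for the real file call install_ca("onalyrg_ca.crt") and then run update-ca-certificates as shown above. To check a service's DNS record, compare tlsa_rdata() of that service's certificate with the RDATA returned by a DNSSEC-validated query for the TLSA owner name (of the form _port._tcp.hostname, e.g. _25._tcp.smtp.rhizogen.es.eu.org for SMTP; the port and the usage/selector values are assumptions here, not taken from the page).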
If you're paranoid, you can also verify the administrator's signature over the certificate with gnupg. Download the signature and the GPG key:
$ wget http://www.rhizogen.es.eu.org/pubkeys/rhizogen.es.eu.org/tls/onalyrg_ca.crt.sig
$ gpg --recv-keys 037B4BDB8ADC2B2F
(alternatively, you can use the copy on the server:
$ gpg --fetch-keys http://www.rhizogen.es.eu.org/pubkeys/rhizogen.es.eu.org/gpg/onalyrg.gpg
)
Whichever way you fetch it, check that the key's fingerprint is 8122 1D6F 6FC8 4601 6284 E8B8 037B 4BDB 8ADC 2B2F (the primary key fingerprint in the output below) before relying on the result: a 16-digit key ID such as 037B4BDB8ADC2B2F only selects a key, it doesn't prove it's the right one, and neither the keyserver lookup nor the http download is authenticated.
Verify the signature (example output from the administrator's own machine, hence the [ultimate] trust; on your machine a freshly imported key shows [unknown] and gpg adds a warning that the key is not certified, which is expected. What matters is the "Good signature" line and the fingerprints matching the ones given above):
$ gpg --verify onalyrg_ca.crt.sig
gpg: assuming signed data in 'onalyrg_ca.crt'
gpg: Signature made Sun May 10 20:38:35 2020 -03
gpg: using RSA key 475124AD280B6C4A7A3240DFC5D2708CDF29B4D1
gpg: issuer "onalyrg@rhizogen.es.eu.org"
gpg: Good signature from "Bro Onalyrg <onalyrg@rhizogen.es.eu.org>" [ultimate]
gpg: aka "Bro Onalyrg <onalyrg@rhizogen.es>" [ultimate]
Primary key fingerprint: 8122 1D6F 6FC8 4601 6284 E8B8 037B 4BDB 8ADC 2B2F
Subkey fingerprint: 4751 24AD 280B 6C4A 7A32 40DF C5D2 708C DF29 B4D1
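Turning that check into code, as an added example that is not part of the Rhizogenes page: rather than grepping the human-readable "Good signature" line, read gpg's machine-readable --status-fd output and accept the file only if gpg reports VALIDSIG and the primary-key fingerprint on that line equals the one pinned above. SAMPLE_STATUS is constructed following the status-line layout in GnuPG's DETAILS documentation, filled with the fingerprints and signature time shown on this page, so the check can be exercised offline; verify_file() assumes gpg is on PATH and the key has already been imported as above.

```python
"""Accept a detached GPG signature only when gpg's machine-readable status
reports VALIDSIG from the pinned primary key. Added example, not from the page."""
import subprocess

# Primary key fingerprint of the signer, copied from the gpg output on the page.
SIGNER_PRIMARY_FPR = "81221D6F6FC846016284E8B8037B4BDB8ADC2B2F"

# Constructed sample of `gpg --status-fd 1 --verify` output, laid out as GnuPG's
# DETAILS file documents it, using the page's fingerprints and signature time
# (2020-05-10 20:38:35 -03 is epoch 1589153915).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C5D2708CDF29B4D1 Bro Onalyrg <onalyrg@rhizogen.es.eu.org>
[GNUPG:] VALIDSIG 475124AD280B6C4A7A3240DFC5D2708CDF29B4D1 2020-05-10 1589153915 0 4 0 1 8 00 81221D6F6FC846016284E8B8037B4BDB8ADC2B2F
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_status(status_text: str) -> dict[str, list[str]]:
    """Map each '[GNUPG:] KEYWORD args...' line to its argument list (last one wins)."""
    status = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[len("[GNUPG:] "):].split()
            if parts:
                status[parts[0]] = parts[1:]
    return status


def signature_is_from(status: dict[str, list[str]], primary_fpr: str) -> bool:
    """True only for a VALIDSIG whose primary-key fingerprint (10th field) is the pinned one.

    GOODSIG alone is not enough (it names a key, not necessarily the right one),
    and the TRUST_* line is ignored on purpose: it reports how much *your keyring*
    trusts the key, which is why the page shows [ultimate] and a fresh import
    shows [unknown]; the pinned fingerprint replaces that judgement."""
    if any(k in status for k in ("BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG")):
        return False
    args = status.get("VALIDSIG", [])
    return len(args) >= 10 and args[9].upper() == primary_fpr.upper()


def verify_file(sig_path: str, data_path: str,
                primary_fpr: str = SIGNER_PRIMARY_FPR) -> bool:
    """Run gpg (assumed on PATH) with status lines on stdout and apply the check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return signature_is_from(parse_status(proc.stdout), primary_fpr)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:       # e.g. onalyrg_ca.crt.sig onalyrg_ca.crt
        ok = verify_file(sys.argv[1], sys.argv[2])
    else:                        # offline demo on the constructed sample
        ok = signature_is_from(parse_status(SAMPLE_STATUS), SIGNER_PRIMARY_FPR)
    print("signature accepted" if ok else "signature REJECTED")
    sys.exit(0 if ok else 1)
```

The signing subkey (4751 24AD ... B4D1 on the page) may be rotated by the administrator; pinning the primary fingerprint keeps the check valid across subkey changes while still rejecting a signature from any other key.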
All content hosted on Rhizogenes is Free As In Freedom. Original content is under the WTFPLv2 unless specified otherwise. Non-original content is under its respective license, which should be specified in each case. There are no Terms of Service.