Rebuilding civilfritz TLS

Some random notes from when I rebuilt TLS for civilfritz using GnuTLS and CAcert.

  • https
  • ldap start_tls

http://www.gnutls.org/manual/html_node/certtool-Invocation.html

certtool --generate-privkey --outfile civilfritz.net.key

certtool --generate-request --load-privkey civilfritz.net.key --outfile civilfritz.net.csr

https://www.cacert.org

vi civilfritz.net.pem

certtool --certificate-info < civilfritz.net.pem

Subject Alternative Name (not critical):
   DNSname: civilfritz.net
   XMPP Address: civilfritz.net
   DNSname: www.civilfritz.net
   XMPP Address: www.civilfritz.net

$ cat civilfritz.net.pem /etc/ssl/certs/cacert.org.pem | certtool --verify-chain
Certificate[0]: CN=civilfritz.net
    Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Verifying against certificate[1].
Error: Issuer's name: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
certtool: issuer name does not match the next certificate
$ cat civilfritz.net.pem cacert.org.pem | certtool --verify-chain
Certificate[0]: CN=civilfritz.net
    Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Verifying against certificate[1].
    Verification output: Verified.

Certificate[1]: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Verification output: Verified.

Chain verification output: Verified.
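Added example, not part of the original notes: a small Python parser for the certtool --verify-chain transcripts above. It turns the human-readable report into a pass/fail record and, on the failing run, pins down the cause: the leaf names the Class 1 "CA Cert Signing Authority" root as its issuer, but /etc/ssl/certs/cacert.org.pem supplied the "CAcert Class 3 Root", so the issuer DN of certificate[0] did not match the subject DN of certificate[1]. The two transcripts are copied from the runs shown above.

```python
import re
from typing import NamedTuple, Optional

# Two `certtool --verify-chain` transcripts copied from the notes above: the
# run that failed because the system's cacert.org.pem held the Class 3 root,
# and the run that passed with the "CA Cert Signing Authority" (Class 1) root.
FAILING_RUN = """\
Certificate[0]: CN=civilfritz.net
    Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Verifying against certificate[1].
Error: Issuer's name: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
certtool: issuer name does not match the next certificate
"""
PASSING_RUN = """\
Certificate[0]: CN=civilfritz.net
    Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Verifying against certificate[1].
    Verification output: Verified.

Certificate[1]: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Verification output: Verified.

Chain verification output: Verified.
"""

class ChainResult(NamedTuple):
    verified: bool
    subjects: list                  # subject DN of each certificate, leaf first
    issuers: list                   # issuer DN each certificate claims, same order
    expected_issuer: Optional[str]  # DN the failing certificate says signed it
    actual_issuer: Optional[str]    # DN certtool actually found in the next certificate
    error: Optional[str]            # certtool's own error line, if any

def parse_verify_chain(output: str) -> ChainResult:
    """Turn certtool's human-readable chain report into a pass/fail record."""
    subjects, issuers = [], []
    actual = error = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"Certificate\[\d+\]: (.*)", line):
            subjects.append(m.group(1))
        elif m := re.match(r"Issued by: (.*)", line):
            issuers.append(m.group(1))
        elif m := re.match(r"Error: Issuer's name: (.*)", line):
            actual = m.group(1)
        elif line.startswith("certtool: "):
            error = line[len("certtool: "):]
    verified = error is None and "Chain verification output: Verified." in output
    # On an issuer mismatch the last certificate printed is the one being checked,
    # so its "Issued by" DN is what the next certificate's subject should have been.
    expected = issuers[-1] if actual is not None and issuers else None
    return ChainResult(verified, subjects, issuers, expected, actual, error)
```

Feeding the real command's output through this (for example in a deploy check) fails closed: the chain only counts as verified when certtool printed no error line and its final "Chain verification output: Verified." is present.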