Rebuilding civilfritz TLS
Some random notes on when I rebuilt TLS for civilfritz using GnuTLS and CAcert.
https
ldap start_tls
http://www.gnutls.org/manual/html_node/certtool-Invocation.html
$ certtool --generate-privkey --outfile civilfritz.net.key
$ certtool --generate-request --load-privkey civilfritz.net.key --outfile civilfritz.net.csr
$ vi civilfritz.net.pem
$ certtool --certificate-info < civilfritz.net.pem
    Subject Alternative Name (not critical):
        DNSname: civilfritz.net
        XMPP Address: civilfritz.net
        DNSname: www.civilfritz.net
        XMPP Address: www.civilfritz.net
$ cat civilfritz.net.pem /etc/ssl/certs/cacert.org.pem | certtool --verify-chain
Certificate[0]: CN=civilfritz.net
Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Verifying against certificate[1].
Error: Issuer's name: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
certtool: issuer name does not match the next certificate
$ cat civilfritz.net.pem cacert.org.pem | certtool --verify-chain
Certificate[0]: CN=civilfritz.net
Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Verifying against certificate[1].
Verification output: Verified.
Certificate[1]: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Issued by: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
Verification output: Verified.
Chain verification output: Verified.
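
The first --verify-chain run above fails because certtool compares each certificate's issuer name with the next certificate in the input. The Python below is an added example, not part of the original notes: it repeats that name check on certtool --certificate-info text and picks the matching issuer out of a bundle. The sample text is constructed and abbreviated, the function names are hypothetical, and names are compared as plain strings with no signature verification.

```python
import re

# DNs copied from the certtool output quoted above.
ROOT = ("O=Root CA,OU=http://www.cacert.org,"
        "CN=CA Cert Signing Authority,EMAIL=support@cacert.org")
CLASS3 = "O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root"

# Constructed, abbreviated `certtool --certificate-info` text for a leaf
# followed by a two-certificate CA bundle (assumed layout of the bundle).
SAMPLE = f"""\
X.509 Certificate Information:
    Issuer: {ROOT}
    Subject: CN=civilfritz.net
X.509 Certificate Information:
    Issuer: {ROOT}
    Subject: {CLASS3}
X.509 Certificate Information:
    Issuer: {ROOT}
    Subject: {ROOT}
"""

def parse_names(info_text):
    """Return [(subject, issuer), ...] in the order the certificates appear."""
    issuers = re.findall(r"^\s*Issuer: (.+)$", info_text, re.M)
    subjects = re.findall(r"^\s*Subject: (.+)$", info_text, re.M)
    if len(issuers) != len(subjects):
        raise ValueError("unbalanced Issuer/Subject lines")
    return list(zip(subjects, issuers))

def first_break(chain):
    """Index of the first certificate whose issuer is not the subject of the
    next one (the last must be self-issued); None if every link matches."""
    for i, (subject, issuer) in enumerate(chain):
        expected = chain[i + 1][0] if i + 1 < len(chain) else subject
        if issuer != expected:
            return i
    return None

def order_chain(leaf, pool):
    """Follow issuer names from leaf through pool up to a self-issued root."""
    by_subject = {subject: (subject, issuer) for subject, issuer in pool}
    chain = [leaf]
    while chain[-1][0] != chain[-1][1]:
        nxt = by_subject.get(chain[-1][1])
        if nxt is None or nxt in chain:
            raise ValueError(f"no usable issuer for {chain[-1][0]}")
        chain.append(nxt)
    return chain
```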