(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
== Fedora Certificate == | |||
<pre> | |||
$ fedora-cert --new-cert --username=parasensse | |||
</pre> | |||
<pre> | |||
$ fedora-cert --verify | |||
Verifying Certificate | |||
cert expires: 2014-11-10 | |||
CRL Checking not implemented yet | |||
</pre> | |||
NOTE: CRL means "Certificate Revocation List", and involves verifying not just the certificate, but the chain of trust. Basically to check if any certificate in the chain of trust has been marked invalid via a CRL data. | |||
Another way to check the Fedora certificate is directly with OpenSSL | |||
<pre> | |||
$ openssl verify -verbose -CAfile ~/.fedora-server-ca.cert ~/.fedora.cert | |||
/home/jdisnard/.fedora.cert: OK | |||
</pre> | |||
Fedora certificates exist in the home directory: | |||
<pre> | |||
</pre> | |||
== signing notes == | == signing notes == | ||
<pre> | <pre> | ||
Line 67: | Line 105: | ||
NOTE: If you are curious, you could do the above directly | NOTE: If you are curious, you could do the above directly | ||
<pre> | <pre> | ||
$ grep "Not After" .fedora.cert | $ grep "Not After" ~/.fedora.cert | ||
Not After : Nov 10 15:31:45 2014 GMT | Not After : Nov 10 15:31:45 2014 GMT | ||
</pre> | </pre> |
Latest revision as of 21:42, 27 July 2014
Fedora Certificate
$ fedora-cert --new-cert --username=parasensse
$ fedora-cert --verify Verifying Certificate cert expires: 2014-11-10 CRL Checking not implemented yet
NOTE: CRL means "Certificate Revocation List", and involves verifying not just the certificate, but the chain of trust. Basically to check if any certificate in the chain of trust has been marked invalid via a CRL data.
Another way to check the Fedora certificate is directly with OpenSSL
$ openssl verify -verbose -CAfile ~/.fedora-server-ca.cert ~/.fedora.cert /home/jdisnard/.fedora.cert: OK
Fedora certificates exist in the home directory:
signing notes
$ sigul --help-commands delete-key Delete a key modify-key-user Modify user's key access list-users List users grant-key-access Grant key access to a user sign-text Output a cleartext signature of a text import-key Import a key new-user Add a user sign-rpm Sign a RPM list-keys List keys sign-data Create a detached signature revoke-key-access Revoke key acess from a user user-info Show information about a user change-passphrase Change key passphrase list-key-users List users that can access a key new-key Add a key modify-user Modify a user sign-rpms Sign one or more RPMs modify-key Modify a key delete-user Delete a user key-user-info Show information about user's key access get-public-key Output public part of the key
- Adding passphrase to signing key.
NSS_HASH_ALG_SUPPORT=+MD5 sigul --verbose --user-name=parasense change-passphrase epel-7
- Inspecting the NSS database with certutil
More info about certutil can be found here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil
- start by displaying the certificate nicknames, which comes in handy later:
$ certutil -L -d ~/.sigul Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI fedora-ca CT,, sigul-client-cert u,u,u
The "fedora-ca" is fedora packager cert. The "sigul-client-cert" is the relevant signing certificate. These two certificates combined allow for the delegation of package signing tasks to trusted persons.
NOTE: the fedora-ca is based on your packager cert, which is itself stored in the home directory:
$ fedora-cert --verify Verifying Certificate cert expires: 2014-11-10 CRL Checking not implemented yet
NOTE: If you are curious, you could do the above directly
$ grep "Not After" ~/.fedora.cert Not After : Nov 10 15:31:45 2014 GMT
$ certutil -K -d ~/.sigul certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa ... <REDACTED> ... sigul-client-cert < 1> rsa ... <REDACTED> ... sigul-client-cert certutil -O -n sigul-client-cert -d ~/.sigul "fedora-ca" [E=admin@fedoraproject.org,CN=Fedora Project CA,OU=Fedora Project CA,O=Fedora Project,L=Raleigh,ST=North Carolina,C=US] "sigul-client-cert" [E=jdisnard@gmail.com,CN=parasense,OU=Fedora User Cert,O=Fedora Project,ST=North Carolina,C=US]