The Ultimate Business Machine
Technology, business and innovation. And, not least, about the Mac.

Weblog Archive, Cutedge
by: Bernard Teo

Creative Commons License. Copyright © 2003-2012 Bernard Teo. Some Rights Reserved.

Sun 17 Jul 2005

Certificate Signing - Dead End

Category : Technology/chainOfTrust.txt

I'm going to wrap up my exploration of digital certificate signing, at least for a while until I get better ideas, but this is why I think I've hit a dead end.

According to the man page for the OpenSSL verify command, which is used to verify that a cert is OK all the way up its trust chain, one of the checks it does is to make sure that the issuer of a cert is actually allowed to sign certs:

... in addition the keyUsage extension of the candidate issuer (if present) must permit certificate signing ...

So, the freessl cert that I bought, which I was hoping would allow me to sign certs in turn for Hai Hwee, Bee Khim, Brendan, etc., does not include cert signing among its allowed uses.

It has "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment". But nothing like cert signing. (It takes less effort to set it to "all", like freessl's own root cert).

So I think it's not the technology. We've got everything there in OS X, under the OpenSSL umbrella of commands, to do it, i.e., sign certs as a valid intermediate Certification Authority, so long as we have a valid cert that will allow us to establish that "chain of trust". Whatever limitations there are now are man-made.

This is what irks me about the whole SSL, digital certs thing. It does use some relatively esoteric Unix incantations but it's all clearly understandable. The first time I bought a Verisign cert, I was awed by all this PKI "our facility is protected by seven rings of security" thing. But you could do all this on your Mac.

We need digital signatures and message encryption more than we need these guys to insert themselves into the "Chain of Trust".

Posted at 9:01AM UTC

Airport Base Station Firmware Update Warning

Category : Technology/AEBSFirmwareUpdateWoes.txt

I've tried to connect my "old" Airport Extreme base station (the one that went PPPoE dead after the firmware 5.6 update) to the broadband modem and again it fails to connect via PPPoE. But it worked fine at Hai Hwee's house after a hard reset.

So now I'm not sure whether it has somehow acquired an incompatibility with the Efficient Speedstream 5250 ADSL modem or whether the problem is with Singnet itself. Hai Hwee's house is on PacNet, using an Aztech DSL 305E modem.

Anyway, this is a warning for Singapore-based users. Think twice before you do that 5.6 firmware update.

Posted at 8:29AM UTC

Thawte

Category : Technology/thawte.txt

Right after making that last post, I realised I forgot to mention Thawte. You can get a free cert for use with mail from Thawte, as did almost everyone who has ever sent me signed messages.

But the Thawte application is a tortuous process. After about ten pages, I get to the page to download my cert and hit a ".exe cannot be downloaded" error. Seems like you've got to use Mozilla to download it, but the page warns that you've got to use the same browser throughout the whole process. I remember vaguely that I've done this before. It's the .exe that shuts my brain.

There's got to be a more Mac-like way.

There should be this democratisation of the process. Buy a cert for each company or organisation and then use it to vouch for the people in it, using tools like the Certificate Assistant.

Maybe Apple should get into this business and offer certs as part of the .Mac experience and tie it into the Certificate Assistant, because frankly, if I have to pay for a cert each year, it makes no difference whether I pay freessl or Apple, so it might as well go to Apple.

It looks like it's going to be a great Sunday. Time to get out.

Posted at 3:26AM UTC

WebMon, SSL, Mail, and Digital Certificates

Category : Technology/sslUpdates.txt

Just some updates about WebMon and SSL.

I'm almost done with the interface. I'm able to get WebMon to generate a certificate request (a CSR in SSL parlance) and display the block of text containing that CSR, so that the user can paste that into his application at one of the certification authorities.

I enjoyed the fluidity of the process at freessl.com, or rapidssl.com as they're now known, and I'm going to recommend it.

I just need to wrap it up by providing an interface for the user to paste the returned certificate, so that WebMon can copy that to the right location and restart the server.

I've been experimenting with Apple's very excellent Certificate Assistant (which comes with Tiger's new Keychain Access application), but I think that serves a more mail client-centric need.

If you use WebMon's SSL-enabler, you should be able to set the web server up for SSL, and get the certs and keys stashed into all the right places in one fell swoop. Or at least that's what I hope I could do.

But, back to the Certificate Assistant. I think it's very well thought out. I've used something similar in Windows 2000 (I haven't thought about Windows in ages) but Apple's implementation is better.

"Better" because, if good design is about stripping things down to the barest minimum that the user needs to touch to get something done, then Certificate Assistant has succeeded in this respect.

I now know how the process works, both via Certificate Assistant, as well as manually via the OpenSSL commands. But I still haven't found the answer to the question: if I have a valid live SSL cert, can I use it to sign other certificates so that other mail clients don't complain when they receive mail from all of us here at cutedgesystems.com? (Because currently I can only use a self-signed cert, and that is not linked to the so-called "chain of trust", unless I know how to bring the live cert into the equation.)

Currently, Certificate Assistant works with self-signed certs. If I make myself a Certification Authority, I can't issue a cert for Hai Hwee, say, and link that all the way back to the root certificate used by freessl.com, even though I, as the sub-level Certification Authority, have a valid certificate from freessl.com.
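The question asked here (can a live, bought SSL cert be used to issue certs for other people?) and the keyUsage answer given in the "Certificate Signing - Dead End" post above can be reproduced with the same OpenSSL commands the posts mention. The shell script below is an added example, not code from these posts or from WebMon; the "Demo Root CA", the subject names and all keys are constructed locally and thrown away. It builds a root, issues one certificate with exactly the key usages the post lists (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment) and one proper intermediate (CA:TRUE plus keyCertSign), signs a user certificate with each, and shows that `openssl verify` rejects the chain through the bought-style cert and accepts the chain through the intermediate. The CSR step is the same one WebMon generates for the user to paste into a CA's application form.

```shell
#!/bin/sh
# Added example (not from the original posts): show with OpenSSL alone why a
# certificate whose keyUsage lacks keyCertSign cannot act as an intermediate
# CA, and what a usable intermediate looks like. All names and keys below are
# constructed for the demo.
set -e

WORK="${TMPDIR:-/tmp}/keyusage-demo.$$"
mkdir -p "$WORK"

# Extension profiles. 'bought_ext' mirrors the key usages listed in the post
# and is an end-entity certificate; 'ca_ext' is what an issuer needs.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ bought_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF

# new_csr NAME SUBJECT: generate a key and a CSR (the block of text a user
# would paste into a CA's application form).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# sign_csr NAME ISSUER EXTSECTION: issue NAME's cert from ISSUER's key.
# 'openssl x509 -req' signs with any key you hand it; the keyUsage check
# the post quotes only happens later, at verification time.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# chain_verifies ISSUER LEAF: echo "yes" or "no" depending on whether
# 'openssl verify' accepts LEAF with ISSUER supplied as the untrusted link.
chain_verifies() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1.crt" \
       "$WORK/$2.crt" >/dev/null 2>&1; then echo yes; else echo no; fi
}

build_demo_pki() {
  # Self-signed root, standing in for the public CA's root certificate.
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -extensions ca_ext -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  # A "bought" server cert with the post's key usages, and a real intermediate.
  new_csr bought "/CN=bought.example.test"; sign_csr bought root bought_ext
  new_csr sub_ca "/CN=Demo Sub CA";         sign_csr sub_ca root ca_ext

  # Two user certs: one issued by the bought cert, one by the intermediate.
  new_csr user_a "/CN=user-a"; sign_csr user_a bought leaf_ext
  new_csr user_b "/CN=user-b"; sign_csr user_b sub_ca leaf_ext
}

build_demo_pki

echo "keyUsage of the bought cert (no Certificate Sign):"
openssl x509 -in "$WORK/bought.crt" -noout -text | sed -n '/X509v3 Key Usage/{n;p;}'
echo "verify user_a (issued by the bought cert): $(chain_verifies bought user_a)"
echo "verify user_b (issued by the sub CA):      $(chain_verifies sub_ca user_b)"
# Show the reader the actual verify error; the wording varies by OpenSSL version.
openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bought.crt" "$WORK/user_a.crt" || true
```

Run it with `sh` on any system with OpenSSL 1.1.1 or later; it leaves its files under `$WORK` so you can inspect them with `openssl x509 -text`. The first verify reports "no" and the second "yes"; the only difference between the two issuers is the basicConstraints and keyUsage extensions the root put into them, which is exactly the man-made limitation the posts describe.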

I've been banging my head over this the last couple of days. Sending mail without signing and encrypting it is, like someone said, sending business information using postcards, for everyone to read who handles its delivery. We really need to get to this next stage of e-mail usage. And the process has got to be simpler and cheaper than it is now.

Posted at 1:57AM UTC

Airport 4.2 and Airport Base Station 5.6 Updates

Category : Technology/airport5dot6firmware.txt

I applied the Airport Base Station 5.6 Firmware Update and it stopped being able to connect to the broadband modem. So for a couple of sessions over the weekend, we were off the air (or blogosphere) for about half an hour each.

If you're trying to get here and couldn't connect, that was the cause.

Fortunately I have a spare base station somewhere else. While I went to retrieve it, we were running the server directly off the broadband modem, and using the server's Airport card to share its connection with the other machines on our network.

And I was thinking about how things still work while we're getting flustered. At times like these, you can't think, you just want to get back up as quickly as possible. And thankfully, just three clicks later, we've got the server's Airport card sharing its broadband connection with everybody else on the network. So our Disaster Recovery Standard Operating Procedure (SOP) works.

I'm now running the system off the spare base station. As for the "spoilt" one, we went over to Hai Hwee's house, did a hardware reset, and found that it worked again on her broadband connection. So I'm going to switch everything back, later today, at about three or four in the afternoon, when my server's at its quietest time of the day.

Posted at 12:59AM UTC
