Saturday, July 12, 2014

5.5 amd64 X200: Alpine S/MIME, finally managed to sign with CACert.

Hi,

I finally managed to get my Alpine to sign outgoing emails with Digital Certs from CACert.org, "community-driven Certificate Authority that issues certificates to the public at large for free."

If you're using Thunderbird, setting up Digital Signature is quite easy, just a matter of getting your personal Digital ID and importing it in Thunderbird. There are a few steps in detail but it's just a matter of a bit of adventure in Thunderbird's Options window.

But if you're like me, who uses Alpine and would like to have the ability to sign with Digital Signature, there's quite a challenge. I've been stuck with this for some time, but as it's not a super-urgent thing, I took my time to solve this. So here I'm posting the steps needed to get my Alpine to sign my email with a Digital Cert obtained from CACert.org.

1) Register with CACert.org and create a personal Digital Cert.
This step is self-explanatory, go to http://www.cacert.org, register your own account and create your personal Digital Certificate. I don't want to pay for a Digital Certificate offered by a more trustworthy company so this is a great option for me.

2) Download the Digital Certificate from CACert.org and import in Firefox.
Ok for this, you will need to have Firefox. After you have downloaded your Digital Certificate, open up Firefox, and in Edit > Preferences > Advanced > Certificates > View Certificates > Your Certificates, click on the Import button and import your Digital Cert.

3) Backup Digital Cert from Firefox in PKCS12 format.
From Edit > Preferences > Advanced > Certificates > View Certificates > Your Certificates, choose the Digital Cert you want to use and then click the Backup button. You will need to create a password for it. Remember to save it in PKCS12 format. For example, save it as karl@mail.com.p12.

4) Create PEM format from the PKCS12 file.
Open your xterm, and create a PEM file from the PKCS12 (*.p12) file you just backed up.

$ openssl pkcs12 -in karl@mail.com.p12 -out karl@mail.com.pem

Now the newly created karl@mail.com.pem file can be edited with vi or any text editor you use.

5) Create CRT and KEY file for Alpine use.
Some people suggested using openssl to create the CRT and KEY files. I didn't manage to do this successfully using the openssl method, and the result was that my Alpine gave out the "Couldn't find the certificate needed to sign." prompt when I tried to sign my outgoing emails. So I went with the manual way.

Remember that the PEM format is plain text and editable? So I opened the karl@mail.com.pem file in vi. I can see there are 3 sections there. The top part is something like this:

Bag Attributes
    *snipped*
-----BEGIN ENCRYPTED PRIVATE KEY-----
*blablabla*

That top portion is the private key. Delete everything before the:

-----BEGIN ENCRYPTED PRIVATE KEY-----

and delete everything after the:

-----END ENCRYPTED PRIVATE KEY-----

then save it as something like karl@mail.com.key. Remember, this is your private key. And don't overwrite the original file you've edited.

Open the karl@mail.com.pem file again. Just below the private key portion, you will see something like:

Bag Attributes
    friendlyName: CAcert.org Class 1 Certification Authority
    *snipped*
-----BEGIN CERTIFICATE-----

Now this is your Certificate Issuer portion. I edited the file and deleted everything before the immediate:

-----BEGIN CERTIFICATE-----

and deleted everything after the immediate:

-----END CERTIFICATE-----

then save the file as cacert.org.crt. Do take note that this file can be named anything, but make sure the filename ends with ".crt".

Open the PEM file again, and the 3rd portion is your own certificate, containing your public key. The "Bag Attributes" details should contain the email address you created the Digital Cert with. So I deleted everything before the:

-----BEGIN CERTIFICATE-----

then save the file as something like karl@mail.com.crt.

6) Set up Alpine to use the karl@mail.com.key Digital Cert.
By default, Alpine needs the ~/.alpine-smime directory to store the Digital Certs. But in my case, it didn't exist. So I created these directories with mkdir:

~/.alpine-smime/ca
~/.alpine-smime/public
~/.alpine-smime/private

Then move all your *.crt & *.key files to the correct directory such as:

~/.alpine-smime/ca/cacert.org.crt
~/.alpine-smime/public/karl@mail.com.crt
~/.alpine-smime/private/karl@mail.com.key

That should be it. In Alpine, I use Roles so that the From address matches the one in my Digital Cert, which lets Alpine digitally sign the composed email. So far signing email is ok but I haven't tested the encryption. Later.
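The manual cut-and-paste of steps 4 to 6, done by a script instead of vi, as an added example that is not part of the original post: it splits the PEM bundle into the key, issuer and own-certificate files by looking at each section's Bag Attributes (assumes, as in the post, that only your own certificate's attributes mention your email address; the helper name and the sample bundle are constructed).

```shell
# Added example (not from the original post): split the PEM bundle written by
# "openssl pkcs12 -in x.p12 -out x.pem" into the key, issuer and own-cert files
# Alpine expects, telling sections apart by their Bag Attributes as the post does.
set -eu

# split_pem_bundle BUNDLE EMAIL DESTDIR CANAME (hypothetical helper) writes
# DESTDIR/private/EMAIL.key, DESTDIR/public/EMAIL.crt and DESTDIR/ca/CANAME.crt
# (extra issuer certificates, if any, become CANAME-2.crt, CANAME-3.crt, ...)
split_pem_bundle() {
    bundle=$1 email=$2 dest=$3 caname=$4
    mkdir -p "$dest/ca" "$dest/public" "$dest/private"
    awk -v email="$email" -v dest="$dest" -v caname="$caname" '
        /^Bag Attributes/ { attrs = ""; inattrs = 1; next }   # a new section starts
        inattrs && /^-----BEGIN/ { inattrs = 0 }              # attributes are over
        inattrs { attrs = attrs $0 "\n"; next }               # keep them for lookup
        /^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----/ { out = dest "/private/" email ".key" }
        /^-----BEGIN CERTIFICATE-----/ {
            if (index(attrs, email)) out = dest "/public/" email ".crt"
            else { n++; sfx = (n > 1) ? "-" n : ""; out = dest "/ca/" caname sfx ".crt" }
        }
        out != "" { print > out }                             # copy only PEM lines
        /^-----END/ { close(out); out = "" }
    ' "$bundle"
    if [ -f "$dest/private/$email.key" ]; then chmod 600 "$dest/private/$email.key"; fi
}

# pem_blocks FILE: number of PEM blocks in FILE (each output file should hold one)
pem_blocks() { grep -c '^-----BEGIN' "$1"; }

# Constructed sample bundle with dummy bodies (not real key material), laid out
# like the three sections the post walks through: key, issuer cert, own cert.
tmp=$(mktemp -d)
cat <<'EOF' > "$tmp/karl@mail.com.pem"
Bag Attributes
    friendlyName: karl@mail.com
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
TUlJRHVNTVlLRVk=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: CAcert.org Class 1 Certification Authority
-----BEGIN CERTIFICATE-----
TUlJRFVNTVlDQQ==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: karl@mail.com
-----BEGIN CERTIFICATE-----
TUlJRFVNTVlVU0VS
-----END CERTIFICATE-----
EOF
split_pem_bundle "$tmp/karl@mail.com.pem" karl@mail.com "$tmp/.alpine-smime" cacert.org
ls -R "$tmp/.alpine-smime"
```

For the real bundle, run split_pem_bundle on it with ~/.alpine-smime as the destination; the same three files are what openssl pkcs12 produces directly from the .p12 with -nocerts (key), -clcerts -nokeys (own cert) and -cacerts -nokeys (issuer).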

References.
- http://www.cacert.org
- http://comments.gmane.org/gmane.mail.alpine.info/4969
- Roles in Alpine
- Alpine S/MIME - http://patches.freeiz.com/alpine/alpine-info/misc/smime.html
