NOTE: Federation is disabled on this instance!You can test federation between the following instances:
Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>
This guide explains how to tell your computer to recognize and trust a Certificate Authority. This is required in order to establish secure connections over the internet. Many web services and websites use centralized CAs for this, and your computer already trusts many many such CAs and all their signatures without asking you. Some websites are against this, so you’ll need to add their CAs manually. Don’t worry, it’s very easy.
From now on, “web service” and “website” refer to web services and websites which use independent CAs, and offer you a way to add them manually.
There are two ways to do this. If the web service uses Monkeysphere, all you need to do is sign its PGP key. If not, you’ll need to install the CA certificate manually. Both are quite simple, although Monkeysphere requires some basic initial setup.
At the moment, most software doesn’t yet support Monkeysphere, so you can do both: Take the Monkeysphere path for software which does, and add the certificate manually for software which doesn’t. Actually, this may cause Monkeysphere to not be used for those services, because it is not needed when the CA is already trusted through the installation method. However, with time, you’ll be visiting Monkeysphere-supporting websites and browsing them securely without even noticing Monkeysphere takes care of this in the background.
See the [Monkeysphere] user guide. [[TODO|TODO/OPEN]] write one
First, download the certificate. It’s usually a text file with a CRT or PEM extension. Hopefully the web service makes it easy for you to find and download.
Now you need to verify it. To be precise, you don’t have to, but if you don’t there a risk (maybe a small one, but still a risk, technically) you downloaded a fake certificate. The only way to be sure is to use the computer to help you verify it.
The web service should explain how. One way is to download a PGP signature of the certificate and test its validity. In any case, the web service should provide instructions. Just in case, here’s an example:
$ wget --no-verbose http://www.example.null/example-ca.crt 2014-07-14 10:07:13 URL:http://www.example.null/example-ca.crt [2667/2667] -> "example-ca.crt"  $ wget --no-verbose http://www.example.null/example-ca.crt.sig 2014-07-14 10:07:13 URL:http://www.example.null/example-ca.crt.sig [287/287] -> "example-ca.crt.sig"  $ gpg --verify example-ca.crt.sig example-ca.crt gpg: Signature made IDT 09:29:10 2014 Jul 14 Mon using RSA key ID 937A67EF gpg: Good signature from "John Doe <firstname.lastname@example.org>" gpg: aka "[jpeg image of size 4232]" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
If your don’t PGP-trust they administrator’s key, this warning is expected. If the web service doesn’t expect you to trust it, it may provide a key fingerprint which you should compare to the one you will get locally. Take the “key ID” from the output you got (in the example above it’s 937A67EF) and run:
gpg --recv-keys 937A67EF gpg --fingerprint 937A67EF
You’ll see the fingerprint in the output.
Finally, if it’s valid, install it.
$ su # cp /home/joe/Downloads/example-ca.crt /usr/local/share/ca-certificates # update-ca-certificates
You will see output like this:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d.... Adding debian:example-ca.pem done.
The permissions look like this:
# ls -l /usr/local/share/ca-certificates -rw-r--r-- 1 root staff 2667 Jul 13 11:43 example-ca.crt
As mentioned above, some programs have their own certificate lists, and ignore the system list. Maybe it helps them be portable and independent, but it hurts integration and ease of use. Here are some examples. It should work in a similar manner for other applications.