How do I install the CAcert source?
Quick and dirty
Developers who want to play with the source code can follow this guide to install it (please also add anything you find out to this guide!).
Be aware that you are entering uncharted territory here, so if something does not work, try to figure it out yourself or ask on IRC.
First download the source.
- Create the directory /www
- Extract the source into /www, so that you end up with /www/www/index.php
- Set up an Apache virtual host for it (e.g. cacert-dev.example.org)
- Point the document root to path-to-source/www
- Enable AllowOverride All on that directory so the .htaccess is able to override the settings
- Change the path to general.php in the .htaccess file
- Change the path to the source root in include/general.php
- Copy include/mysql.php.sample to include/mysql.php
- Create a database for cacert and a separate database user for it
- Fill the database using cacert.sql
- Change the settings at the top of mysql.php so that cacert finds the path, and change the vhost names for the SSL and non-SSL hosts
Paths
Create the following dirs in your cacert-path:
- etc/ssl/
- crt/
- csr/
Make sure that crt/ and csr/ are readable and writable by your web user.
Change the paths to your cacert installation in scripts/*.c and run "make" afterwards to create the wrappers. The wrappers are presumably meant to run setuid as some user (root?) so that they can access the CA files, while the web server itself does not need access to those.
I changed the runclient and runserver scripts to setuid() and setgid() to the user that created the CA, chowned them to "root:httpd" and chmodded them to 4750. With that owner and mode the binaries start as root and can only be executed by root and members of the httpd group; they have to drop privileges to the CA user before doing anything else (setgid before setuid, since the group change fails once the process is no longer root), and they must never be world-readable or world-executable.
rg$ cat scripts/Makefile
all: runserver.c runclient.c
	gcc -O2 -o runserver runserver.c
	gcc -O2 -o runclient runclient.c
	sudo chown root:httpd runserver runclient
	sudo chmod 4750 runserver runclient

clean:
	rm -f runserver runclient rungpg test
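A post-install check for the wrappers, added here as an example (it is not part of the CAcert source): it confirms that a wrapper binary has exactly the ownership and mode used above, root:httpd and 4750, so that nothing else can read or run it. It assumes GNU stat (Linux); the owner and group are parameters so the same function can be exercised on an ordinary test file.

```shell
#!/bin/sh
# Added example, not CAcert code. Verify that a setuid wrapper is installed
# with the expected owner, group and mode (root:httpd, 4750 in the guide).
# Assumes GNU stat; the file, owner and group are passed in by the caller.

check_wrapper() {
  file=$1 want_owner=$2 want_group=$3
  [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }

  # stat prints "<octal mode> <owner> <group>", e.g. "4750 root httpd".
  set -- $(stat -c '%a %U %G' "$file")
  mode=$1 owner=$2 group=$3

  # Mode must be exactly 4750: setuid, rwx for the owner, r-x for the group,
  # nothing for others (a world-executable wrapper lets any local user run it).
  [ "$mode" = "4750" ] \
    || { echo "$file: mode $mode, want 4750" >&2; return 1; }
  [ "$owner" = "$want_owner" ] \
    || { echo "$file: owner $owner, want $want_owner" >&2; return 1; }
  [ "$group" = "$want_group" ] \
    || { echo "$file: group $group, want $want_group" >&2; return 1; }
  return 0
}

# Usage on a real installation (paths assumed):
#   check_wrapper /www/scripts/runserver root httpd
#   check_wrapper /www/scripts/runclient root httpd
```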
Create your own CA
In order to fully test your installation you need to be able to create, sign and so on, and for that you need your own CA. Change to your cacert path and run "CA.sh" (with the -newca argument, which creates a new CA) as delivered together with OpenSSL (on Debian it was in /usr/lib/ssl/misc/). Fill in sensible values and choose a passphrase. The devel scripts seem to use the passphrase "test", so it may be easiest to set it to the same value.
Create the config files for the actions
I "reverse-engineered" these files from my installation, as the original files used by CAcert are not available. It would be very helpful if they were included in the distribution!
Every action (sign email, sign orgemail, ...) has its own config file in etc/ssl/. I copied my /usr/lib/ssl/openssl.cnf to the target file, changed the directory to my cacert path ($path/demoCA/) and set the following values:
etc/ssl/openssl-client.cnf
[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
nsCertType = client, email
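The two previous sections together, as an added example that is not part of the CAcert source: a throwaway CA laid out the way CA.sh -newca does it (demoCA/ with certs/, newcerts/, private/, index.txt and serial), and an openssl-client.cnf containing the [ policy_match ] and [ usr_cert ] values above, used to sign a client CSR. It also shows what those values mean in practice: commonName = supplied makes the CA reject a CSR without a CN, and nsCertType = client, email ends up in the certificate as "SSL Client, S/MIME". The passphrase "test" mirrors the value the devel scripts are said to use; all directory and file names are assumptions and everything lives in a temporary directory.

```shell
#!/bin/sh
# Added example, not CAcert code. Builds a test CA with the demoCA layout that
# "CA.sh -newca" produces, then signs a client CSR with a per-action config
# whose [ policy_match ] and [ usr_cert ] sections are the ones from the guide.
# Paths, subjects and the passphrase are assumptions for this example only.
set -eu

WORK=$(mktemp -d)
CADIR="$WORK/demoCA"
PASS=test                      # passphrase the devel scripts are said to use
trap 'rm -rf "$WORK"' EXIT

# Per-action config (openssl-client.cnf) with an absolute dir, the relaxed
# policy (only commonName is mandatory) and the client/email nsCertType.
write_client_cnf() {
  cat > "$WORK/openssl-client.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CADIR
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
nsCertType = client, email

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# The directory layout and bookkeeping files CA.sh -newca creates, plus a
# self-signed root whose private key is protected by $PASS.
make_ca() {
  mkdir -p "$CADIR/certs" "$CADIR/newcerts" "$CADIR/private"
  : > "$CADIR/index.txt"
  echo 01 > "$CADIR/serial"
  openssl req -x509 -newkey rsa:2048 -days 365 \
    -config "$WORK/openssl-client.cnf" -passout "pass:$PASS" \
    -subj "/C=AU/O=Dev CA/CN=Dev Root" \
    -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
}

# Generate a key and CSR for subject $1 and sign it as $2.crt.
# Returns non-zero when the policy rejects the CSR (for example, no CN).
sign_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl-client.cnf" \
    -subj "$1" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl ca -batch -config "$WORK/openssl-client.cnf" -passin "pass:$PASS" \
    -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
}

# Print the nsCertType extension of $1.crt, e.g. "SSL Client, S/MIME".
cert_type() {
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    grep -A1 'Netscape Cert Type' | tail -n 1 | sed 's/^ *//'
}

write_client_cnf
make_ca
sign_client "/CN=Alice Example/emailAddress=alice@example.org" alice
echo "alice.crt nsCertType: $(cert_type alice)"
```

The signing step is exactly what the runserver wrapper is meant to do on behalf of the web server: openssl ca runs with the CA config and the CA passphrase, and the web user only ever touches the csr/ and crt/ directories.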