Systems - CAcert Testserver

Hardware

test.cacert.org

The "old" testserver. Nevertheless it currently is considered to be the more important reference system because its intallation is more complete and "closer" to the production server.

More details at SystemAdministration/Systems/Test.

test3.cacert.org

test3 is a new (probably temporary) virtual machine, primarily to test the migration to PHP 7. Mangels verfügbarer IPv4-Adressen müssen alternative Ports verwendet werden:

ToDo: TestMgr für test3???

Setup

Root certificate

The testserver environment uses its own root and intermediate certificate, of course. Traditionally the server certificates for test servers (and test managers where applicable) are issued by the test roots themselves. Please do not import/trust the test roots in software/browsers that are also used for the "real world"!.

It is prefeerred that you use a different account or browser profile for testing. If this is not possible or practicable, security exceptions are the method of choice. Of course the latter have to be updated regularly when new certificates for the servers are issued.

Traditionally the CA databases ("index.txt") are re-used even after a change of the root certificate(s). On occasions the next issued serial number ("serial") has been increased, probably to test longer serial numbers.

Root Content/Constraints

Class 3 Content/Constraints

Most things are identically to the root certificate, so only the differences are noted here.

ToBeContinued...

Experience from 2021 when creating a new root certificate set

The certificates were created using the attached script NewTestserverRoots, with the two configuration files testserver-root.cnf and testserver-class3.cnf. The tempCA subdirectory did contain a copy of the "database files" (index.txt, index.txt.attr and serial) from the /etc/ssl/CA directory. The copy was used for experimenting, after the "real" run the created (and modified!) files were copied back to /etc/ssl/CA manually.

The created class 3 root was manually renamed and then copied to /etc/ssl/class3/.

Other things to do:

Signer Environment

server.pl

The signer's job is to sign certificates and similar things, like CRLs. The private keys for the root certificates are stored on the signer machine only.

In the production environment the signer machine is a different computer which is not connected to any LAN type network2. It is connected with a USB serial connection to the main webserver machine. On this serial line a special protocol is run so the webserver can send signing requests to the signer, to which the signer replies by sending the created certificates.

In the test environment the signer machine normally is emulated as a different process which communicates with the webserver part using pipes3.

The signer process runs in its own directory, located at /home/signer. The signer script itself is located at /home/signer/cacert-devel/CommModule/server.pl. It accesses the OpenSSL configuration files from /etc/ssl/

In the configuration file for the root certificate, the directory /etc/ssl/CA is used for the CA's data (including the private key), and /etc/ssl/class3 for the intermediate root. (ToDo: What is the class3s configuration which points at /etc/ssl/class3s? This directory is not present on the testserver...)

client.pl

client.pl runs in its own process in background and handles the following jobs:

Anything missing?

If client.pl is modified the background process must be restarted before the changes become active. Look for a process  /usr/bin/perl -w /home/cacert/www/CommModule/client.pl  and kill it. It should be immediately be restarted by the deamon  /home/cacert/www/CommModule/commdaemon .

Footnotes

  1. ToDo: In which situations is the serial number of the root certificate important/critical? (1)

  2. At least that's the status mid of 2021 (2)

  3. More details are required here! (3)

  4. ... and uploaded CSR files ... (4)


Software/Assessment/testserver (last edited 2022-03-25 22:22:03 by BernhardFröhlich)