Author: Daniel Rubio
Security certificates are digital files deployed by software used to broker information across applications — generally a Web server or an email suite. As with other security-driven products, a certificate must have a central authority or trusted party to vouch for its validity. It is this role which was been fulfilled by commercial entities until of late.
The cost for some mainstream certificates providers has remained exceptionally high — some exceeding $800 dollars for a one-year certificate. This pricing reflects added-value services such as liability coverage and auditing, and not everyone requires this level of service or has the budget to cover it.
It is this price-sensitive market for security certificate that CAcert intends to cover. CAcert currently offers three types of certificates: one for client-side/email applications, another for server-side deployments, and a third for digitally signing distributable applications such as installers. The first two come in two flavors: unassured, which is the default issuing status, and an assured mode, which implies you have verified your identity with CACert. Although all three are used to a certain extent among IT shops, the most ubiquitous of the three are the server-side certificates, since they are a vital part in facilitating access to secure Web pages accessed via Secure Socket Layer (SSL) communication between a browser and a Web server, a process which is more common than digitally signing email or code.
How can you obtain and use a CAcert certificate? Let’s walk through the process for server-side certificates.
The first step in obtaining a CAcert server-side certificate is to create a Certificate Signing Request (CSR). This process is identical to that of acquiring a certificate from a commercial vendor. A CSR contains information regarding the Web site which the SSL certificate will be deployed onto, as well as other company information such as address and country of operation. The actual creation process for the CSR varies depending on the server which you will using. For example, IIS from Microsoft and some Java applications servers such as BEA’s offer wizards for creating the CSR, but in other cases you may need to use a tool like OpenSSL to create the CSR, which offers a platform-independent manner for creating it.
Once you have the CSR in a file, you can create a CAcert account and submit the information to CAcert. It will send you a signed certificate (.cer file) which you can place onto your server-side environment. Where you place it depends upon your server software; consult your platform documentation.
CAcert’s process of signing your certificate is the same one done by commercial vendors, but it’s free of charge. This non-payment, however, has some disadvantages.
Browsers, which are the main brokers of information between an end-user and the actual Web servers, ship with a bundled default list of certificate authorities. When a user visits an SSL-enabled site, his browser consults the signed certificate and verifies that it was issued by a known certificate authority. If the certificate was not issued by any of these authorities, the user receives a warning, which can worry layman users.
CAcert is not included as a certificate authority in browser distributions. There is talk of including CAcert in Firefox/Mozilla, and talks with commercial browsers are also in the works, but for now the only manner in which to avoid CAcert’s lack of certificate authority warning is to manually add it onto each user browser — an impractical solution if the target audience is users in the wider Internet.
Even though this is a major obstacle to using CAcert certificates, CAcert has established clout, having issued more than 22,000 certificates in 2004, and perhaps more importantly, created a web of trust which grant it a more formal structure. Worldwide it has close to 1,000 assurers, which provide its backbone for a point-based system of trust, used in the creation of longer-term certificates.
By visiting a CAcert assurer in your city and identifying yourself through a government-issued I.D as the owner of a certificate, you are granted points which count toward greater privileges — such as becoming an assurer yourself — and the ability to extend your certificates’ life for longer terms, such as a 24-month certificate compared to one with a six-month duration for non-assured server-side certificates.
If you are looking into deploying a security-enabled area on your Web site or company-wide intranet, and prefer not to purchase a recurring commercial certificate year after year, then you should consider using a CAcert certificate. It offers the same security as its commercial counterparts, and is well on its way to gathering wider acceptance among mainstream vendors.
Daniel Rubio is the principal consultant at Osmosis Latina, a firm specializing in enterprise software development, training, and consulting based in Mexico.