Digitally "Signing" NOVA Web's Operating Agreement
The cooperators at NOVA Web Development are in the process of amending their Operating Agreement and adding two new members to it. As an international cooperative dedicated to software freedom, we have presented ourselves the challenge of enabling our six members to digitally "sign" the agreement from our locations across the globe using only free software.
It turns out doing this with free software is no easy task. This post will document the approach at which we finally arrived.
Some Useful Definitions
At first glance the idea seems simple enough: find a way to "sign" a document electronically. What does it mean to "sign" a document? Wikipedia defines a signature as a mark made by a signer on a document to establish "proof of identity and intent".
A digital signature will need to be done with bits instead of pen and ink. It needs to provide a way for a person to imprint some bits on a document (which is just another bunch of bits) to verify their identity and intent. The Wikipedia article on electronic signatures tells us this problem ("signing" using remote, electronic means) goes back to the latter part of the 19th century and the telegraph.
For our purposes as a cooperative business registered in the United States, we should try to follow the relevant NIST standard, which in this case is the Digital Signature Standard. We're a small IT shop with limited resources, so we don't plan to incur any legal fees in this effort. Instead, we will come up with some reasonable process and rely on the trust and collaboration at the root of cooperativism to hopefully keep us out of trouble.
- Private Key
- The part of the public-private key pair in public-key cryptography which is known only to the holder.
- RSA Private Key
- A private key using the RSA cryptosystem.
- RSA Signing Certificate
- An RSA public key together with data about the signing organization.
- Certificate Signing Request
- A message containing a user's public key and identifying information, sent to a certificate authority to request a certificate.
Here is what we plan to do:
- Generate a self-signed X.509 public key certificate for NOVA Web Development.
- Each of our six members will generate their own RSA private key, from which they will generate an X.509 certificate signing request, which will be sent to the cooperative's central authority.
- NOVA Web Development will sign the CSR, creating a certificate, which will then be sent back to the member who sent the CSR.
- The member will combine their private key and certificate into a PKCS 12 file.
- They will import this into Firefox and use it to sign the operating agreement.
Starting at the NOVA Web Development Office
Generate an RSA private key for NOVA Web Development (the key from which our X.509 certificate will be created):
$ openssl genrsa -rand /dev/urandom -out novawebdevelopment.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
............................................................................+++++
e is 65537 (0x010001)
$
The file novawebdevelopment.key now contains our organizational private key. This private key will be used to create a certificate in the next step. This private key should then be stored on our FIDO2 security key, which I purchased from SoloKeys. The public key is derived from this private key using the RSA algorithm; the public exponent e is 65537.
Generate a signing certificate for NOVA Web Development:
$ openssl req -new -x509 -days 2191 -key novawebdevelopment.key -out novawebdevelopmentcert2020.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Arlington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NOVA Web Development, LLC
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:NOVA Web Development Org Cert
Email Address []:firstname.lastname@example.org
This created novawebdevelopmentcert2020.pem, an X.509 certificate containing our public key together with information about our organization. We will use it (together with the private key) to sign the certificate signing requests (CSRs) that each of our members will generate. The -days 2191 sets the certificate to expire in 6 years (365 * 6 days + 1 leap day in 2024).
Import the NOVA Web org cert into Firefox:
- Select View Certificates from Preferences.
- Select the Authorities tab and click Import.
- Select the org pem file.
- Check the checkboxes that mark the certificate as trusted.
- Confirm the certificate appears in the list.
Members' Personal Keys and Certificate Signing Requests
Each member of NOVA Web Development who is signing the operating agreement needs to do the following.
Create an RSA private key:
$ openssl genrsa -rand /dev/urandom -out jelkner.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................+++++
....................+++++
e is 65537 (0x010001)
Generate a CSR to send to the NOVA Web Development office:
$ openssl req -new -key jelkner.key -out jelkner.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Arlington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NOVA Web Development
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Jeffrey Elkner
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:NOVA Web Development
Send the CSR file to the NOVA Web Development office.
Back at the NOVA Web Development Office
Receive the CSR and generate a signing certificate from it:
$ openssl x509 -req -in jelkner.csr -CA novawebdevelopmentcert2020.pem -CAkey novawebdevelopment.key -CAcreateserial -out jelkner.crt -days 730
Signature ok
subject=C = US, ST = Virginia, L = Arlington, O = NOVA Web Development, CN = Jeffrey Elkner, emailAddress = firstname.lastname@example.org
Getting CA Private Key
Send the signed certificate (jelkner.crt) back to the member.
Back again at the member's location
Use this signing certificate and your private key to create a PKCS 12 file:
$ openssl pkcs12 -export -out jelkner.p12 -inkey jelkner.key -in jelkner.crt
Enter Export Password:
Verifying - Enter Export Password:
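As an added example (my own script, not code from the NOVA Web post or from the cooperative), here is the whole procedure above, from the office key through the member's PKCS 12 file, as a POSIX shell script that runs without prompts, together with the checks worth doing before trusting the result: that the CSR is intact, that the issued certificate chains to the organisational certificate, and that the public key in that certificate is the one derived from the member's private key. It assumes the subjects are passed with -subj rather than typed at the prompts, that WORK and P12_PASS are placeholders, and it stands in for the Firefox signing step with a detached CMS signature made and verified by openssl cms, which also shows a signature being rejected over altered text.

```shell
#!/bin/sh
# Added example, not from the NOVA Web post: the post's key/CSR/cert/PKCS 12
# procedure driven non-interactively, plus the checks the post leaves implicit.
# Assumptions: subjects are passed with -subj instead of the prompts, WORK and
# P12_PASS are placeholders, and the agreement is signed with a detached CMS
# signature (a stand-in for whatever the member does inside Firefox).
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_KEY=$WORK/novawebdevelopment.key
CA_CERT=$WORK/novawebdevelopmentcert2020.pem
CA_SUBJ="/C=US/ST=Virginia/L=Arlington/O=NOVA Web Development, LLC/CN=NOVA Web Development Org Cert"
MEMBER_SUBJ="/C=US/ST=Virginia/L=Arlington/O=NOVA Web Development/CN=Jeffrey Elkner"

# Office: organisational private key and self-signed X.509 certificate (6 years).
nova_make_ca() {
    openssl genrsa -out "$CA_KEY" 2048
    chmod 600 "$CA_KEY"      # the private key stays readable by its owner only
    openssl req -new -x509 -days 2191 -key "$CA_KEY" -subj "$CA_SUBJ" -out "$CA_CERT"
}

# Member: personal private key and a CSR. Only the CSR is sent to the office.
nova_make_member_csr() {
    openssl genrsa -out "$WORK/jelkner.key" 2048
    chmod 600 "$WORK/jelkner.key"
    openssl req -new -key "$WORK/jelkner.key" -subj "$MEMBER_SUBJ" -out "$WORK/jelkner.csr"
}

# Office: confirm the CSR is intact (its self-signature verifies), issue a
# 2-year certificate that may only sign (it is not a CA), then check that the
# result chains to the organisational certificate before sending it back.
nova_sign_csr() {
    openssl req -in "$WORK/jelkner.csr" -noout -verify
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\n' \
        > "$WORK/member.ext"
    openssl x509 -req -in "$WORK/jelkner.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -extfile "$WORK/member.ext" -days 730 -out "$WORK/jelkner.crt"
    openssl verify -CAfile "$CA_CERT" "$WORK/jelkner.crt"
}

# The public key recomputed from jelkner.key must equal the one inside the
# certificate the office issued. Returns 0 when they match.
nova_pubkey_matches() {
    openssl rsa -in "$WORK/jelkner.key" -pubout -out "$WORK/from_key.pub" 2>/dev/null
    openssl x509 -in "$WORK/jelkner.crt" -pubkey -noout > "$WORK/from_cert.pub"
    [ "$(cat "$WORK/from_key.pub")" = "$(cat "$WORK/from_cert.pub")" ]
}

# Member: bundle private key and certificate into the PKCS 12 file Firefox imports.
nova_make_p12() {
    openssl pkcs12 -export -out "$WORK/jelkner.p12" -inkey "$WORK/jelkner.key" \
        -in "$WORK/jelkner.crt" -passout "pass:${P12_PASS:-change-me}"
}

# Member: sign document $1, writing a detached signature to $2. The signature
# carries the signer's certificate, so any holder of the organisational
# certificate can check it.
nova_sign_document() {
    openssl cms -sign -binary -in "$1" -signer "$WORK/jelkner.crt" -inkey "$WORK/jelkner.key" \
        -outform PEM -out "$2"
}

# Anyone: verify signature $2 over document $1. Succeeds only if the bytes are
# unchanged and the embedded signer certificate chains to the NOVA Web CA.
nova_verify_document() {
    openssl cms -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$CA_CERT" -out /dev/null 2>/dev/null
}

# Stand-alone run through the whole procedure with a constructed sample agreement.
nova_demo() {
    nova_make_ca
    nova_make_member_csr
    nova_sign_csr
    nova_make_p12
    nova_pubkey_matches
    echo "public key in certificate matches jelkner.key"
    printf 'NOVA Web Development Operating Agreement (constructed sample)\n' > "$WORK/agreement.txt"
    nova_sign_document "$WORK/agreement.txt" "$WORK/agreement.sig.pem"
    nova_verify_document "$WORK/agreement.txt" "$WORK/agreement.sig.pem"
    echo "signature over agreement.txt verified against the NOVA Web certificate"
    printf 'NOVA Web Development Operating Agreement (altered)\n' > "$WORK/altered.txt"
    if nova_verify_document "$WORK/altered.txt" "$WORK/agreement.sig.pem"; then
        echo "unexpected: signature accepted over altered text"; return 1
    fi
    echo "altered document correctly rejected; files are in $WORK"
}

nova_demo
```

The member certificate is given basicConstraints CA:FALSE and a keyUsage limited to signing, so a member's certificate cannot itself be used to issue further certificates in the cooperative's name; the office-side openssl verify and the member-side public-key comparison are the two points at which a mix-up between keys, CSRs and certificates would surface before anything is imported into Firefox.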
Import your PKCS 12 file into Firefox:
- Select the "Your Certificates" tab from "View Certificates".
- Select the p12 file you generated in the previous step.
- Type the password you picked when you created the p12 file.