Jelkner's
Weblog


Copyright © 2020
Jeffrey Elkner

Digitally "Signing" NOVA Web's Operating Agreement


/media/uploads/libreoffice_digisign.jpg

The cooperators at NOVA Web Development are in the process of amending their Operating Agreement and adding two new members to it. As an international cooperative dedicated to software freedom, we have presented ourselves the challenge of enabling our six members to digitally "sign" the agreement from our locations across the globe using only free software.

It turns out doing this with free software is no easy task. This post will document the approach at which we finally arrived.

Some Useful Definitions

At first glance the idea seems simple enough: find a way to "sign" a document electronically. What does it mean to "sign" a document? Wikipedia defines a signature as a mark made by a signer on a document to establish "proof of identity and intent".

A digital signature will need to be done with bits instead of pen and ink. It needs to provide a way for a person to imprint some bits on a document (which is just another bunch of bits) to verify their identity and intent. The Wikipedia article on electronic signatures tells us this problem ("signing" using remote, electronic means) goes back to the latter part of the 19th century and the telegraph.

For our purposes as a cooperative business registered in the United States, we should try to follow NIST standards, the relevant one in this case being the Digital Signature Standard. We're a small IT shop with limited resources, so we don't plan to incur any legal fees in this effort. Instead, we will come up with a reasonable process and rely on the trust and collaboration at the root of cooperativism to, hopefully, keep us out of trouble.

Private Key
    The part of a public-private key pair in public-key cryptography which is known only to its holder.
RSA Private Key
    A private key using the RSA cryptosystem.
RSA Signing Certificate
    An RSA public key together with data about the signing organization.
Certificate Signing Request
    A request containing a user's public key and identifying information, sent to a certificate authority to have a certificate issued.

The Plan

Here is what we plan to do:

  1. Generate a self-signed X.509 public key certificate for NOVA Web Development.
  2. Each of our six members will generate their own RSA private key, from which they will generate an X.509 certificate signing request, which will be sent to the cooperative's central authority.
  3. NOVA Web Development will sign the CSR, creating a certificate, which will then be sent back to the member who sent the CSR.
  4. The member will combine their private key and certificate into a pkcs12 file.
  5. They will import this into Firefox and use it to sign the operating agreement.

The Process

Starting at the NOVA Web Development Office

  1. Generate an RSA private key for NOVA Web Development (the key from which the organization's X.509 certificate will be created):

    $ openssl genrsa -rand /dev/urandom -out novawebdevelopment.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ......................+++++
    ............................................................................+++++
    e is 65537 (0x010001)
    $
    

    The file novawebdevelopment.key now contains our organizational private key. This private key will be used to create a certificate in the next step. This private key should then be stored on our FIDO2 security key, which I purchased from SoloKeys. The public key can be generated from this private key using the RSA algorithm with 65537 as the value of e.

  2. Generate a signing certificate for NOVA Web Development:

    $ openssl req -new -x509 -days 2191 -key novawebdevelopment.key -out novawebdevelopmentcert2020.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Virginia
    Locality Name (eg, city) []:Arlington
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:NOVA Web Development, LLC
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:NOVA Web Development Org Cert
    Email Address []:admin@novawebdevelopment.org
    

    This created novawebdevelopmentcert2020.pem, an X.509 certificate containing our public key together with information about our organization; we will use it to sign the certificate signing requests (CSRs) that each of our members will generate. The -days 2191 sets the certificate to expire in 6 years (365 * 6 days + 1 leap day in 2024).

  3. Import the NOVA Web org cert into Firefox.

    /media/uploads/view_certificates.png

    Select View Certificates from Preferences

    /media/uploads/import_to_authorities.png

    Select Authorities tab and click Import

    /media/uploads/select_org_cert_pem_file.png

    Select org pem file

    /media/uploads/trust_cert.png

    Check the trust the cert checkboxes

    /media/uploads/see_cert_in_list.png

    See the cert in the list

Members' Personal Keys and Certificate Signing Requests

Each member of NOVA Web Development who is signing the operating agreement needs to do the following.

  1. Create an RSA private key:

    $ openssl genrsa -rand /dev/urandom -out jelkner.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..........................................................+++++
    ....................+++++
    e is 65537 (0x010001)
    
  2. Generate a CSR to send to the NOVA Web Development office:

    $ openssl req -new -key jelkner.key -out jelkner.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Virginia
    Locality Name (eg, city) []:Arlington
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:NOVA Web Development
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:Jeffrey Elkner
    Email Address []:jeff.elkner@novawebdevelopment.org
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:NOVA Web Development
    
  3. Send the CSR file to the NOVA Web Development office.

Back at the NOVA Web Development Office

Receive the CSR and generate a signing certificate from it:

$ openssl x509 -req -in jelkner.csr -CA novawebdevelopmentcert2020.pem -CAkey novawebdevelopment.key -CAcreateserial -out jelkner.crt -days 730
Signature ok
subject=C = US, ST = Virginia, L = Arlington, O = NOVA Web Development, CN = Jeffrey Elkner, emailAddress = jeff.elkner@novawebdevelopment.org
Getting CA Private Key

Send the signed certificate (jelkner.crt) back to the member.

Back again at the member's location

  1. Use this signing certificate and your private key to create a PKCS 12 file:

    $ openssl pkcs12 -export -out jelkner.p12 -inkey jelkner.key -in jelkner.crt
    Enter Export Password:
    Verifying - Enter Export Password:
    
  2. Import your PKCS 12 file into Firefox.

    /media/uploads/import_p12_1.png

    Select "Your Certificates" tab from "View Certificates".

    /media/uploads/import_p12_2.png

    Select the p12 file you generated in step 1.

    /media/uploads/import_p12_3.png

    Type the password you picked when you created the p12 file.

    /media/uploads/import_p12_4.png
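To see the whole round trip in one place, here is an added example script that is not part of the original post. It runs the office and member steps above non-interactively (the -subj flag replaces the Distinguished Name prompts, and the subjects are copied from the post), then adds three checks the post does not show: that the issued member certificate chains to the organizational certificate, that the certificate can be read back out of the PKCS 12 file, and that a detached signature made with the member's private key verifies against the certificate and fails once the file is altered. The working directory, the member_ext.cnf extension file, the P12_PASS variable and agreement.txt are this script's own choices, and the detached openssl dgst signature is a command-line stand-in for the LibreOffice signing the post ends with.

```shell
#!/bin/sh
# Added example (not code from the original post): the post's office and
# member steps as one non-interactive script, plus checks the post does not
# show: chain verification, PKCS#12 round-trip, and a detached signature that
# verifies against the member cert and breaks when the file changes.
# Working directory, member_ext.cnf, P12_PASS and agreement.txt are this
# script's own choices; the subjects are copied from the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
: "${P12_PASS:=example-only-change-me}"   # placeholder; supply a real one via the environment
export P12_PASS

ORG_SUBJ="/C=US/ST=Virginia/L=Arlington/O=NOVA Web Development, LLC/CN=NOVA Web Development Org Cert/emailAddress=admin@novawebdevelopment.org"
MEMBER_SUBJ="/C=US/ST=Virginia/L=Arlington/O=NOVA Web Development/CN=Jeffrey Elkner/emailAddress=jeff.elkner@novawebdevelopment.org"

# Office, steps 1-2: org private key and self-signed X.509 certificate.
# openssl's defaults mark a "req -x509" certificate as a CA (basicConstraints CA:TRUE).
make_org_cert() {
    openssl genrsa -out novawebdevelopment.key 2048 2>/dev/null
    chmod 600 novawebdevelopment.key
    openssl req -new -x509 -days 2191 -key novawebdevelopment.key \
        -subj "$ORG_SUBJ" -out novawebdevelopmentcert2020.pem
}

# Member, steps 1-2: personal key and CSR (-subj replaces the interactive DN prompts).
make_member_csr() {
    openssl genrsa -out jelkner.key 2048 2>/dev/null
    chmod 600 jelkner.key
    openssl req -new -key jelkner.key -subj "$MEMBER_SUBJ" -out jelkner.csr
}

# Office: sign the CSR. The extension file (not in the post) marks the member
# cert as a non-CA signing cert so it cannot be used to issue further certificates.
sign_member_csr() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,nonRepudiation\n' > member_ext.cnf
    openssl x509 -req -in jelkner.csr -CA novawebdevelopmentcert2020.pem \
        -CAkey novawebdevelopment.key -CAcreateserial -days 730 \
        -extfile member_ext.cnf -out jelkner.crt 2>/dev/null
}

# Check: the issued cert must chain to the org cert (exit status 0 only on "OK").
verify_member_cert() {
    openssl verify -CAfile novawebdevelopmentcert2020.pem jelkner.crt >/dev/null
}

# Member, second round, step 1: PKCS#12 bundle. The password is read from the
# environment rather than the command line so it stays out of the process list.
make_pkcs12() {
    openssl pkcs12 -export -inkey jelkner.key -in jelkner.crt \
        -passout env:P12_PASS -out jelkner.p12
}

# Check: read the certificate back out of the bundle and print its subject.
p12_subject() {
    openssl pkcs12 -in jelkner.p12 -nokeys -clcerts -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -noout -subject
}

# Detached SHA-256/RSA signature over a file with the member's private key.
sign_document() {
    openssl dgst -sha256 -sign jelkner.key -out "$1.sig" "$1"
}

# Verify $1.sig against the public key carried in the member's certificate.
verify_document() {
    openssl x509 -in jelkner.crt -pubkey -noout > jelkner.pub
    openssl dgst -sha256 -verify jelkner.pub -signature "$1.sig" "$1" >/dev/null 2>&1
}

run_demo() {
    make_org_cert
    make_member_csr
    sign_member_csr
    verify_member_cert
    make_pkcs12
    p12_subject
    # Constructed stand-in for the operating agreement.
    printf 'NOVA Web Development Operating Agreement (constructed sample)\n' > agreement.txt
    sign_document agreement.txt
    verify_document agreement.txt
    # Any change after signing must make verification fail.
    printf 'edit made after signing\n' >> agreement.txt
    if verify_document agreement.txt; then
        echo "tampered file still verified" >&2
        return 1
    fi
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
    echo "all checks passed; artifacts in $WORK"
else
    echo "openssl command not found; nothing run" >&2
fi
```

Run it with `sh` and it leaves the keys, CSR, certificates and p12 file in a fresh temporary directory (override with WORK=/some/dir). Two habits worth keeping from it: pass the PKCS 12 export password through the environment (`-passout env:P12_PASS`) rather than as `pass:...` on the command line, and run `openssl verify -CAfile` on every certificate the office issues before sending it back, so a mismatched CA key or certificate is caught at the office rather than in a member's browser.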