SafeRelay is a certificate authority center, based on OpenSSL, for network administrators who want to deploy certificates on a LAN (local area network).
SafeRelay is written in CURSEL, which is available at http://users.pandora.be/stes/compiler.html. The saferelay-0.0.1.tar.gz source code is available at http://users.pandora.be/stes/saferelay.html.
You may be thinking of using TLS/SSL and certificates on your LAN for such things as,
When you open a SafeRelay "account" for a user, SafeRelay creates a private key and a certificate for the user.
The certificate and private key is immediately stored, by SafeRelay, on a diskette.
If the PC of the user crashes, the private key and certificate, can be recovered, from the diskette, by the user without help or intervention from the system or network administrator.
If the user has multiple PC's (e.g. a laptop and desktop), it suffices to simply import the certificate from the diskette on both PC's.
If the diskette is lost by the user, or stolen by another user, or if the diskette suffers from a media error, a new diskette with a new keypair must be prepared for the user.
In any case, by giving the user a diskette with a certificate, the user immediately receives a backup. Any tangible medium would also work. In fact, SafeRelay could allow you to use "cdrecord" and a CD-RW drive instead. For important keys and certificates, you could copy the contents of the diskette onto a read-only medium such as a CD.
Obviously SafeRelay should not be used on a system where lots of users have an account, since they may try to intercept interesting data created during the process of private key generation.
A good system to install SafeRelay on, is the Linux laptop or desktop of a LAN administrator.
See the file INSTALL for information on building "cursel", the curses interpreter needed by SafeRelay.
Once you have built "cursel", the only thing you have to do is edit the "saferelay" script :
tar xvfz saferelay-0.0.1.tar.gz
vi saferelayYou have to change the value of SFRY so that it points to the top directory of the package where you have installed it. For example, if you install saferelay in /usr/local then you would set,
SFRY=/usr/local/saferelay-0.0.1If you do this as a non-root user, then you must also have write permission to the floppy drive :
chmod a+w /dev/fd0You can also add the SFRY directory to the PATH so that you can launch the package by simply typing "saferelay".
Launch SafeRelay by typing,
saferelayChoose from the menu, "Create Root" (by selecting the Create Root item using the arrow keys and then typing Return), fill out the various fields, use the tab key to go from one field to another, and when you have customized all fields, insert the DOS floppy into the floppy disk drive.
Enter the F3 key to generate a key and to save it to the DOS diskette.
If the F3 function key doesn't work for your terminal, use Control-f + 3. The screen labels at the bottom of the screen correspond, by the way, to the action of the function keys.
Remove the floppy and lock it, label the diskette "root certificate".
It may be a good idea to make a backup of this floppy. The private
key of your root certificate is not stored (permanently) on your local
hard disk, it is only stored on the diskette.
If you start SafeRelay, you have to "load" the root certificate from the floppy you have prepared in the previous step.
Insert the "root floppy" and type "saferelay" to start the program : then choose "Load Root" from the menu and it will read the private key of the root certificate from the diskette :
Again, if you choose "Exit" from the menu, the private key is unloaded (it is temporarily stored on harddisk).
Note that OpenSSL still encrypts the PKCS#12 file with a "passphrase" (which is like a password). This may be a simple word, it doesn't have to be very secure since the passphrase will never be transmitted over the network.
After writing the PKCS#12 file to the DOS floppy, label it with the name of the user, and give it to the user. Tell the user the passphrase that was used to encrypt the PKCS#12 file.
The user imports the PKCS#12 private key and certificate into Netscape (by choosing the Security options and then "Import certificate" to import private key and certificate from the diskette).
By using Netscape's client authentication feature, the user can now be authenticated by the Sendmail SMTP server, or can be authenticated by an intranet HTTPS webserver !
Users can then go download the "root" certificate of your LAN from that website.
You have to edit the httpd.conf file, assuming you use Apache, to contain the following lines :
AddType application/x-x509-ca-cert .der
AddType application/pkix-cert .crtThen provide links on a webpage that all users can see (such as the main page of your website) to the root certificates, etc/ca.der and etc/ca.crt. When a user will click on those links, Netscape and Internet Explorer will start a wizard to import a root certificate.
Note: if someone knows a better procedure to distribute the root certificate, please email me (email@example.com). It would be nice to distribute the root certificate with the PKCS#12, which works, but Netscape still considers the root certificate as "untrusted" until it is imported with the above web-based procedure.
These host certificates are saved by SafeRelay in PEM format on
the DOS floppy. The floppy is a backup for your certificate
and private key. To install the certificate, follow the Apache or
Sendmail procedure; don't forget to install the ca.crt certificate as well
on the server.