Many of the services offered by Project Colo use SSL/TLS secure connections. In order to gain some measure of trust that you are connecting to the Real Thing, certificates can be signed by the project's Certificate Authority. Note that this is entirely separate from the usual Internet certificate authorities. The CA certificate has now been updated for Feb 2005-2007, replacing the old 2003-2005 certificate.
There are two ways to check the integrity of the CA's own certificate before your applications use it. The first option is to download the certificate's fingerprint and check the OpenPGP signature on it. Then point the application at the certificate, compare the fingerprint it shows you with the signed one, and accept it.
The second option is to download the certificate and a detached OpenPGP signature for it. Check the signature, then feed the certificate directly to your applications. (There is also a PEM format certificate, and an OpenPGP signature for it.)
There is also a Certificate Revocation List (CRL) you can use to make sure certificates are still valid. As some applications do not support such lists, notice of revocations will be sent to a suitable Project mailing list, if there ever are any.
You can use either of the methods above with Mozilla (a local file can be imported with a file: URI, but the filename must end with .crt), and pointing it at the revocation list will import it too.
Many applications supplied with Debian will use certificates in PEM format from the /etc/ssl/certs directory, although you need to run the command c_rehash . in that directory so that they can find it. I do not know of any way of getting such applications to check the revocation list.
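The script below is an added example; it is not part of this page and is not the Project's own CA or tooling. It carries out the fingerprint check and the c_rehash-style installation described above against a throwaway CA that it generates itself, and then checks a server certificate against that CA's revocation list with openssl verify, which is the manual way of consulting a CRL when an application cannot. The file names, DN values and configuration layout are assumptions; in real use the trusted fingerprint comes from the OpenPGP-signed fingerprint file, never from the downloaded certificate itself.

```sh
#!/bin/sh
# Added example (not from the Project Colo page, and not the project's CA):
# check a downloaded CA certificate's fingerprint against the value obtained
# out of band, install it into a PEM certificate directory the way c_rehash
# does, and verify a server certificate against it with CRL checking.
# Everything runs against a throwaway CA generated here, so nothing is fetched.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/certs"            # stand-in for /etc/ssl/certs
mkdir -p "$CERTS"
touch "$WORK/index.txt"        # certificate database used by 'openssl ca'
echo 01 > "$WORK/crlnumber"

# Minimal config shared by 'openssl req' and 'openssl ca' (assumed layout).
cat > "$WORK/test.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
EOF

# Constructed stand-in CA plus one server certificate signed by it.
openssl req -x509 -config "$WORK/test.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=GB/O=Example Colo/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -config "$WORK/test.cnf" -newkey rsa:2048 -nodes \
  -subj "/C=GB/O=Example Colo/CN=host.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/server.crt" 2>/dev/null

# SHA-1 fingerprint of a certificate, colon-separated hex as openssl prints it.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Compare a certificate against the fingerprint you verified out of band
# (e.g. from the OpenPGP-signed fingerprint file). Prints match or mismatch.
fingerprint_matches() {
  if [ "$(fingerprint "$1")" = "$2" ]; then echo match; else echo mismatch; fi
}

# What c_rehash does for one file: link <subject-hash>.0 to the PEM file so
# OpenSSL-based applications can find the CA in the directory. Prints the link name.
install_ca() {
  cp "$1" "$2/ca.pem"
  h=$(openssl x509 -in "$1" -noout -subject_hash)
  ln -sf ca.pem "$2/$h.0" 2>/dev/null || cp "$1" "$2/$h.0"
  echo "$h.0"
}

# Verify a certificate against the CA directory and a CRL.
# Prints ok, revoked, or rejected (expired, untrusted, bad signature, ...).
verify_status() {
  if out=$(openssl verify -CApath "$2" -crl_check -CRLfile "$3" "$1" 2>&1) \
     && echo "$out" | grep -q ': OK$'; then
    echo ok
  elif echo "$out" | grep -q 'revoked'; then
    echo revoked
  else
    echo rejected
  fi
}

# Walk-through. The trusted fingerprint here is simply read from the test CA;
# in real use it comes from the signed fingerprint file, not from the download.
TRUSTED_FP=$(fingerprint "$WORK/ca.crt")
echo "CA fingerprint check: $(fingerprint_matches "$WORK/ca.crt" "$TRUSTED_FP")"
echo "installed as $(install_ca "$WORK/ca.crt" "$CERTS")"
openssl ca -config "$WORK/test.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
STATUS_BEFORE=$(verify_status "$WORK/server.crt" "$CERTS" "$WORK/ca.crl")
echo "before revocation: $STATUS_BEFORE"
openssl ca -config "$WORK/test.cnf" -revoke "$WORK/server.crt" 2>/dev/null
openssl ca -config "$WORK/test.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
STATUS_AFTER=$(verify_status "$WORK/server.crt" "$CERTS" "$WORK/ca.crl")
echo "after revocation:  $STATUS_AFTER"
```

Run it with sh and it prints the fingerprint result, the link name, and the verification status before and after the server certificate is revoked. The <subject-hash>.0 link is exactly what c_rehash creates for each file, so the same openssl verify call works against /etc/ssl/certs once c_rehash has been run there, with the downloaded CRL passed as -CRLfile.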
openssl req -new -keyout mykey.pem -out myreq.pem -days 365
giving the requested information (in particular, for most SSL/TLS applications I know of, you need to give the host name as the Common Name). For Project Colo services running on kerouac, I have been using "C=GB/O=Project Colo/OU=Whatever services/CN=somename.projectcolo.org.uk/Email=address@projectcolo.org.uk".
myreq.pem to me, signed with your OpenPGP signature. Do not send the key file.
If you want a server to be able to start without asking for a passphrase, you can remove the passphrase from the key:
openssl rsa -in server.key -out server.nopass.key
Of course, you should ensure the new key is not readable by others, as it now has no other protection. (You can find more information like this in the mod_ssl Apache module's FAQ, available on kerouac.)
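As an added example that is not part of this page, the script below runs the request and passphrase-removal steps above end to end: it creates a passphrase-protected key and a request with the DN layout shown, checks the request before it would be sent off, then produces the passphrase-less copy of the key with permissions that keep other users out. The passphrase, host name and address are placeholders, the small config file is an assumption needed so that -subj works without prompting, and current OpenSSL spells the e-mail attribute emailAddress rather than Email.

```sh
#!/bin/sh
# Added example, not from the Project Colo page: generate a passphrase-protected
# key and certificate request, check the request, then strip the passphrase for
# unattended server start-up and lock the file down. All names are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS="example-passphrase"     # constructed; normally typed at the prompt
SUBJ="/C=GB/O=Project Colo/OU=Whatever services/CN=somename.projectcolo.org.uk/emailAddress=address@projectcolo.org.uk"

# Minimal config so 'openssl req' accepts -subj without prompting (assumed).
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\nCN = Common Name\n' > req.cnf

# Non-interactive form of the page's 'openssl req -new -keyout mykey.pem
# -out myreq.pem'; -passout supplies what the prompt would normally ask for.
openssl req -new -config req.cnf -newkey rsa:2048 -passout "pass:$PASS" \
  -subj "$SUBJ" -keyout mykey.pem -out myreq.pem 2>/dev/null

# Common Name carried by a request (must be the host name for SSL/TLS servers).
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does the request's own signature check out? Prints ok or bad.
csr_signature_status() {
  if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Does a PEM key file still carry a passphrase? Prints yes or no.
key_is_encrypted() {
  if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# The page's passphrase-removal step, with the original passphrase supplied
# and the output created unreadable to other users in the same operation.
remove_passphrase() {
  ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

# Permission string of a file, e.g. -rw-------
perm_string() {
  ls -l "$1" | cut -c1-10
}

# Does the unencrypted key still match the public key in the request? Prints yes or no.
key_matches_csr() {
  a=$(openssl rsa -in "$1" -pubout 2>/dev/null)
  b=$(openssl req -in "$2" -noout -pubkey)
  if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

echo "CN in request:       $(csr_common_name myreq.pem)"
echo "request signature:   $(csr_signature_status myreq.pem)"
echo "mykey.pem encrypted: $(key_is_encrypted mykey.pem)"
remove_passphrase mykey.pem "$PASS" server.nopass.key
echo "server.nopass.key encrypted: $(key_is_encrypted server.nopass.key), mode $(perm_string server.nopass.key)"
echo "key matches request: $(key_matches_csr server.nopass.key myreq.pem)"
```

The umask in a subshell means the unencrypted key never exists with permissive mode, not even briefly, which matters because the file is the only thing standing between an attacker on the host and the server's private key once the passphrase is gone.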