How do certificates work?

[ralphthemagi]

I'm a bit of a noob, so sorry if this is a dumb question. I just got started using Mumble on OS X and I'm a little bit confused about how certificates work. Where are they stored? Every time I join a public server it tells me that I'm adding a certificate. Where do they go? I can't find them in my Keychain. Also, is there a place where my certificate lives? I see that I can export it, but where does it live normally?

[kissaki]

Mumble uses 2 kinds of certificates: Server-certificates and client-certificates.

The server certificates are used for the secure SSL (as in HTTPS) connection to the server, where the server identifies itself with just that certificate.

As a further explanation:

You join a (for you new) server. Then the server tells you, this is me with this certificate, and you accept it. The certificate is then saved in your mumble clients sqlite database. (%APPDATA%/Mumble/mumble.sqlite or sth)

Every time you reconnect to the server your client (mumble) checks that the server you are connecting to still provides the same certificate. That way you are sure you are connecting to that one server through that address (after all an address/ip/domain may point to a different server in the future, when the old provider died and the ip is reassigned or sth, or someone wants to fake it...).

Thus you are sure, if you are sending login-credentials for example, to that server it's not being sent to a fake or new one, one you didn't say you trust when accepting the cert.

The other thing is the client certificate.

You created one for mumble, probably on first launch in the wizard.

As described there, the certificate has 2 keys. One private and one public key.

The public key is the one you identify with to others, so the one that is sent to the mumble server to identify yourself (and other users who may add you as a friend etc).

The private key is only for yourself which is used on encode, encrypt etc things, and to create the public key again. So that's the one you really want to back up somewhere, but keep it for yourself and secure.

Mh, anything else? :)

as reference

SSL/TLS: http://en.wikipedia.org/wiki/Transport_Layer_Security

HTTPS: http://en.wikipedia.org/wiki/HTTPS

[mkrautz]

A self-signed client certificate can be generated by yourself through the certificate wizard (Configure -> Certificate Wizard), or Mumble can automatically generate a generic one for you (name: 'Mumble User')...

There is also the possibility to use an email certificate (or other personal certificate) from a trusted certificate authority.

Currently, on all platforms, the certificates + private keys are stored in the settings file (on Mac OS X this is a plist in ~/Library/Preferences/net.sourceforge.mumble.Mumble.plist), and unfortunately *not* in the keychain (yet!). There's an open feature request on the subject, if you want to add anything to it: https://sourceforge.net/tracker/?func=detail&aid=2883423&group_id=147372&atid=768008. I'm currently working on implementing identity management in our iOS client, so it's possible that some of that code can be reused in the desktop client to accelerate the keychain integration.

If you want to get at your certificate, you're strongly recommended to use the tools available in the certificate wizard (and not fiddle with the settings plist file). That way you can easily export it, import new certificates, etc.