The ARRL operates Logbook of the World (LotW, for short), a modern replacement for the QSL cards that Amateurs exchanged to confirm their contacts. Part of the LotW infrastructure is an X.509 cryptographic certification authority, which certifies licensed radio amateurs and includes their callsign as part of the certificate.
We can use these certificates to validate whether a web service client is a licensed radio amateur. This allows Amateurs to provide use of their transceivers on the net as a service, without violating the rules of their radio regulators. Our software is ready to do this; what remains is for our potential users to get their certificates and load them into their web browsers.
If you haven’t used LotW before, you can learn how to get started here. Getting started takes a few days for a U.S. Amateur, and potentially a few weeks for other Amateurs. Once you’re set up, ARRL will issue your cryptographic certificate in their own file format. But it’s easy to extract your certificate as a PKCS12 file that is accepted by Google Chrome. Firefox doesn’t load ARRL’s certificates at the moment, and I have yet to test Opera.
Fedora, Red Hat, and Centos users: if the next step breaks, see the end of this page.
To extract your certificate, start the Trusted QSL program. On Linux, it’s called “tqsl”. Press the tab for “Callsign Certificates”. Your callsign is shown on the left. Click on your callsign to highlight it. Then, click on the icon to the left of “Save the callsign certificate for <your-callsign>”. The program will open up a file-select box, all filled in to save your callsign certificate in your home directory as <your-callsign>.p12, with the callsign in upper-case. Save the file. Leave the password fields blank. We’ll remove the file when we’ve loaded it into the browser, so we won’t need the confusing file password.
Now, you should have <your-callsign>.p12 in your home directory. Start Google Chrome. Use the Chrome menu to open the Google Chrome settings. Click on “Show advanced settings…” on the bottom of the page. Scroll down until you see the “HTTP/SSL” heading. Press the “Manage certificates…” button under that heading. The Certificate manager opens. Click on the “Your Certificates” tab, and click the “Import…” button. A file-select box opens. Find and open the <your-callsign>.p12 file – remember, the callsign is in upper-case. Chrome will ask for a password, leave it blank (to correspond with leaving it blank when you saved the file) and press “OK”.
Now, the certificate manager should show your certificate under the “Your Certificates” tab. Press “Done”. You now have your certificate loaded. You can close the browser tab with the settings, or just type in another URL.
To verify that your certificate works in Chrome now, use Chrome to browse to https://server1.perens.com/validate.html. The “s” in “https” is important here: the browser only presents a client certificate over “https”, so nothing about certificates works over plain “http”. Chrome will ask you to select your certificate. Choose the certificate with your name and “(Logbook of the World Production CA)”.
Oops, Chrome now says “Your connection is not private” because I’ve not purchased a server certificate (they cost money today, but I hear that EFF will be providing free ones soon). Press “Advanced”. Then, press “Proceed to server1.perens.com (unsafe)” – it’s not really unsafe, you won’t be entering your credit card number or any other private information there.
If everything’s working, you should see a screen like this:
bruce at perens dot com
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
If that’s what you see, you are validated on the Internet as a Licensed Radio Amateur!
If your certificate didn’t pass to the server, you will only see your ip_address, hostname, and user-agent. If your certificate is out of date, or you’ve presented my server with a certificate that isn’t signed by ARRL, the certificate_is_valid field should show false instead of true.
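The server-side check described above, written out as an added example in Go; this is not the page's own code and not ARRL's. It constructs a stand-in CA and operator certificate in memory (the real LotW CA, its certificate profile and the extension in which ARRL stores the callsign are not on the page, so the extension OID here is a labelled placeholder and the callsign N0CALL is constructed), then verifies that a presented certificate chains to the trusted root, is within its validity period and is marked for client authentication before reading the callsign out of it. A certificate that is expired, or signed by some other CA, is what the page's certificate_is_valid=false case corresponds to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID for the extension that carries the callsign. This is NOT
// ARRL's real extension identifier; it is an assumption made for this example.
var callsignOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issue creates a fresh P-256 key, signs template with parentKey (or with the
// new key itself when parent is nil, i.e. self-signed) and returns the parsed
// certificate together with its private key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a constructed stand-in for the LotW certification authority.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, nil, nil)
}

// newClient issues an operator certificate with the callsign in the
// placeholder extension, standing in for a real LotW callsign certificate.
func newClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, callsign string, notAfter time.Time) (*x509.Certificate, error) {
	value, err := asn1.Marshal(callsign) // encoded as an ASN.1 PrintableString
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: "Test Operator"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        notAfter,
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: callsignOID, Value: value}},
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// ValidateClient is the server-side check: the presented certificate must
// chain to a trusted root, be inside its validity window at "now", and be
// usable for client authentication; only then is the callsign read out of it.
func ValidateClient(der []byte, roots *x509.CertPool, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate_is_valid=false: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(callsignOID) {
			var callsign string
			if _, err := asn1.Unmarshal(ext.Value, &callsign); err != nil {
				return "", err
			}
			return callsign, nil
		}
	}
	return "", errors.New("certificate carries no callsign extension")
}

func main() {
	ca, caKey, err := newCA("Stand-in LotW CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	client, err := newClient(ca, caKey, "N0CALL", time.Now().Add(time.Hour))
	if err != nil {
		panic(err)
	}
	callsign, err := ValidateClient(client.Raw, roots, time.Now())
	fmt.Println("callsign:", callsign, "err:", err)
}
```

The trust decision rests entirely on the root pool handed to ValidateClient: a server that wants "signed by ARRL" must load only the LotW CA there, never the operating system's general root store, otherwise any public CA's client certificate would pass. Checking ExtKeyUsageClientAuth and the validity window at the server's own clock are what turn an expired or mis-issued certificate into the false case.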
Remove the <your-callsign>.p12 file, for security’s sake. We don’t want anyone who isn’t a Licensed Radio Amateur getting your certificate and using it to control radios! You can always save another copy using the Trusted QSL program.
Please email your results to bruce at perens dot com.
* For Fedora, Red Hat, and Centos users, if saving the .p12 file breaks: Set OPENSSL_ENABLE_MD5_VERIFY=1 in the shell environment before running the Trusted QSL program. The easiest way is to edit your .profile to include a line like “export OPENSSL_ENABLE_MD5_VERIFY=1”, then log out and log in again.