You are here: Foswiki>IN Web>Zertifikate (04 Apr 2019, ChristophHandel)Edit Attach

Certificates CSCO:IN

Most of our webservices use SSL encryption. For example our website, buildservice, artifact repository, rpm repository, etc.

Only the public facing webservices at https://www-acc.gsi.de/ are using a well known root certificate authority chain (german telecom -> deutscher forschungsverein -> GSI).

All other services are signed by ACC-CA. This authority is preinstalled for systems maintained by csco:in, on other systems you need to manually add it where needed.

Linux

Most application use /etc/pki/tls/certs/ca-bundle.crt as a bundle of certificate authorities. If you are using the csco:in rpm repositories you can install the gsi-cert package. Otherwise use something like 
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O >> /etc/pki/tls/certs/ca-bundle.crt

Archlinux 

curl -L \
  -o /etc/ca-certificates/trust-source/anchors/acc-ca.crt \
  https://www-acc.gsi.de/certificate/acc-ca.crt
update-ca-trust

LDAP

To configure openldap to use the bundle add the following to /etc/openldap/ldap.conf 
tls_cacert /etc/pki/tls/certs/ca-bundle.crt
tls_cacertdir /etc/openldap/cacerts

Windows

Central Windows store:

  • Download attached certificate
  • Open Internet Explorer
  • Go to the Tools menu, and open Internet options
  • Go to the Content tab.
  • Click on the Certificates button
  • Go to the Trusted Root Certificates
  • Select Import and locate the certificate file

Firefox:
  • Download attached certificate
  • Open Firefox
  • Open URL about:preferences#advanced
  • Click View Certificates
  • Select Authorities Tab
  • Import Certificate

Java

Each java installation has it's own keystore. The following command should help you to figure it out how to add the acc-ca 
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - | \
/usr/java/default/bin/keytool \
   -keystore /usr/java/default/jre/lib/security/cacerts \
   -storepass changeit \
   -alias acc-ca \
   -noprompt \
   -importcert

Show MacOS Instructions

MacOS

The keytool should be in the path. The keystore is in: 
Keystore JDK6: /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
Keystore JDK7: /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts
And you need to use sudo, so you can't pipe the wget output. Use the "-file" parameter to specify the downloaded certfile. 
wget https://www-acc.gsi.de/certificate/acc-ca.crt 
sudo /usr/java/default/bin/keytool \
   -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts \
   -storepass changeit \
   -alias acc-ca \
   -noprompt \
   -importcert \
   -file acc-ca.crt
Edit  | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 04 Apr 2019, ChristophHandel
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback