Certificates CSCO:IN
Most of our web services use SSL encryption, for example our website, build service, artifact repository and RPM repository.
Only the public-facing web services at https://www-acc.gsi.de/ use a well-known root certificate authority chain (german telecom -> deutscher forschungsverein -> GSI).
All other services use certificates signed by ACC-CA. This authority is preinstalled on systems maintained by csco:in; on other systems you need to add it manually where needed.
Linux
Most applications use
/etc/pki/tls/certs/ca-bundle.crt
as a bundle of certificate authorities. If you are using the csco:in rpm repositories you can install the gsi-cert package. Otherwise use something like:
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - >> /etc/pki/tls/certs/ca-bundle.crt
Archlinux
curl -L \
-o /etc/ca-certificates/trust-source/anchors/acc-ca.crt \
https://www-acc.gsi.de/certificate/acc-ca.crt
update-ca-trust
LDAP
To configure OpenLDAP to use the bundle, add the following to
/etc/openldap/ldap.conf
tls_cacert /etc/pki/tls/certs/ca-bundle.crt
tls_cacertdir /etc/openldap/cacerts
Windows
Central Windows store:
- Download attached certificate
- Open Internet Explorer
- Go to the Tools menu, and open Internet options
- Go to the Content tab.
- Click on the Certificates button
- Go to the Trusted Root Certificates
- Select Import and locate the certificate file
Firefox:
- Download attached certificate
- Open Firefox
- Open URL about:preferences#advanced
- Click View Certificates
- Select Authorities Tab
- Import Certificate
Java
Each Java installation has its own keystore. The following command should help you figure out how to add the acc-ca:
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - | \
/usr/java/default/bin/keytool \
-keystore /usr/java/default/jre/lib/security/cacerts \
-storepass changeit \
-alias acc-ca \
-noprompt \
-importcert
MacOS
The keytool should be in the path. The keystore is in:
Keystore JDK6: /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
Keystore JDK7: /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts
And you need to use sudo, so you can't pipe the wget output. Use the "-file" parameter to specify the downloaded certfile.
wget https://www-acc.gsi.de/certificate/acc-ca.crt
sudo keytool \
-keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts \
-storepass changeit \
-alias acc-ca \
-noprompt \
-importcert \
-file acc-ca.crt