Certificates CSCO:IN

Most of our web services use SSL encryption, for example our website, build service, artifact repository and rpm repository.

Only the public-facing web services at https://www-acc.gsi.de/ use a well-known root certificate authority chain (german telecom -> deutscher forschungsverein -> GSI).

All other services are signed by ACC-CA. This authority is preinstalled on systems maintained by csco:in; on other systems you need to add it manually where needed.

Linux

Most applications use /etc/pki/tls/certs/ca-bundle.crt as a bundle of certificate authorities. If you are using the csco:in rpm repositories you can install the gsi-cert package. Otherwise use something like
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - >> /etc/pki/tls/certs/ca-bundle.crt
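
Appending straight from the download adds whatever the server returned and adds it again on every run. The following sketch is an added example, not part of the original page: it checks the downloaded file against a SHA-256 fingerprint and appends it only if the bundle does not already contain it. The function names are hypothetical, and the expected fingerprint is an assumption you must obtain from csco:in through a separate channel, since the page does not publish one.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU coreutils
# (base64, sha256sum) and awk. The expected fingerprint must come from a
# channel other than the download itself; the page does not publish one.

# Print each certificate in a PEM file as one line of base64.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { f = 1; b = ""; next }
         /-----END CERTIFICATE-----/   { if (f) print b; f = 0; next }
         f { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}

# Print the SHA-256 (lowercase hex) of the DER form of each certificate.
pem_fingerprints() {
    pem_bodies "$1" | while IFS= read -r body; do
        printf '%s' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
    done
}

# install_ca CERT_FILE BUNDLE EXPECTED_SHA256
# Returns 0 = appended, 1 = rejected (bundle untouched), 2 = already present.
install_ca() {
    cert=$1
    bundle=$2
    # Accept "AA:BB:..." as printed by openssl as well as plain hex.
    expected=$(printf '%s' "$3" | tr -d ':' | tr 'A-F' 'a-f')
    actual=$(pem_fingerprints "$cert")
    # Rejects empty files, HTML error pages, files with several
    # certificates, and any certificate other than the pinned one.
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing $cert: fingerprint '$actual' is not the expected one" >&2
        return 1
    fi
    if [ -f "$bundle" ] && pem_fingerprints "$bundle" | grep -qxF "$actual"; then
        return 2
    fi
    # Leading newline guards against a bundle whose last line is unterminated.
    { echo; cat "$cert"; } >> "$bundle"
}

# Script use: sh add-ca.sh acc-ca.crt /etc/pki/tls/certs/ca-bundle.crt <sha256>
if [ "$#" -eq 3 ]; then
    install_ca "$@"
fi
```

Download the certificate to a file first (`wget -q -O acc-ca.crt https://www-acc.gsi.de/certificate/acc-ca.crt`) and run the script as root so it can write to the bundle.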

Archlinux

curl -L \
  -o /etc/ca-certificates/trust-source/anchors/acc-ca.crt \
  https://www-acc.gsi.de/certificate/acc-ca.crt
update-ca-trust

LDAP

To configure OpenLDAP to use the bundle, add the following to /etc/openldap/ldap.conf:
tls_cacert /etc/pki/tls/certs/ca-bundle.crt
tls_cacertdir /etc/openldap/cacerts

Windows

Central Windows store:

  • Download attached certificate
  • Open Internet Explorer
  • Go to the Tools menu, and open Internet options
  • Go to the Content tab.
  • Click on the Certificates button
  • Go to the Trusted Root Certificates
  • Select Import and locate the certificate file

Firefox:
  • Download attached certificate
  • Open Firefox
  • Open URL about:preferences#advanced
  • Click View Certificates
  • Select Authorities Tab
  • Import Certificate

Java

Each Java installation has its own keystore. The following command should help you figure out how to add the acc-ca:
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - | \
/usr/java/default/bin/keytool \
   -keystore /usr/java/default/jre/lib/security/cacerts \
   -storepass changeit \
   -alias acc-ca \
   -noprompt \
   -importcert

MacOS

The keytool should be in the path. The keystore is in:
Keystore JDK6: /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
Keystore JDK7: /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts
You need to use sudo, so you can't pipe the wget output. Use the "-file" parameter to specify the downloaded certificate file.
wget https://www-acc.gsi.de/certificate/acc-ca.crt
sudo keytool \
   -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts \
   -storepass changeit \
   -alias acc-ca \
   -noprompt \
   -importcert \
   -file acc-ca.crt
Topic revision: r5 - 04 Apr 2019, ChristophHandel