Certificates CSCO:IN
Most of our web services use SSL encryption, for example our website, build service, artifact repository, RPM repository, etc.
Only the public-facing web services at https://www-acc.gsi.de/ use a well-known root certificate authority chain (German Telecom -> Deutscher Forschungsverein -> GSI).
All other services are signed by ACC-CA. This authority is preinstalled on systems maintained by csco:in; on other systems you need to add it manually where needed.
Linux
Most applications use
/etc/pki/tls/certs/ca-bundle.crt
as a bundle of certificate authorities. If you are using the csco:in rpm repositories you can install the gsi-cert package. Otherwise use something like
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - >> /etc/pki/tls/certs/ca-bundle.crt
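The `>>` append above trusts whatever the download returns and adds another copy on every run. As an added example (not part of the original page), the functions below check the certificate's SHA-256 fingerprint against a value obtained out of band and append it only if the bundle does not already contain it. The function names and the fingerprint placeholder are assumptions.

```shell
#!/bin/sh
# Added example (Linux, coreutils + awk). Function names are illustrative.

# Print the base64 body of every certificate in a PEM file, one per line.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1; body=""; next}
         /-----END CERTIFICATE-----/   {if (on) print body; on=0; next}
         on {gsub(/[ \t\r]/, ""); body = body $0}' "$1"
}

# SHA-256 of the DER form of the first certificate in a PEM file. Same value
# as "openssl x509 -fingerprint -sha256", printed lowercase without colons.
pem_sha256() {
    pem_bodies "$1" | head -n 1 | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# install_ca CERT BUNDLE EXPECTED_SHA256
# Returns 0 if appended or already present, 1 on fingerprint mismatch,
# 2 if CERT contains no PEM certificate. BUNDLE is untouched on failure.
install_ca() {
    cert=$1
    bundle=$2
    # Accept "AB:CD:..." as well as plain lowercase hex.
    expected=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    body=$(pem_bodies "$cert" | head -n 1)
    [ -n "$body" ] || return 2
    [ "$(pem_sha256 "$cert")" = "$expected" ] || return 1
    # Already in the bundle: a second ">>" would only add a duplicate.
    if [ -f "$bundle" ] && pem_bodies "$bundle" | grep -qxF -e "$body"; then
        return 0
    fi
    # Append only the first certificate block, nothing else from the download.
    awk '/-----BEGIN CERTIFICATE-----/ {on=1}
         on {print}
         /-----END CERTIFICATE-----/ {if (on) exit}' "$cert" >> "$bundle"
}

# Usage (fingerprint is a placeholder; obtain the real one out of band):
#   wget -q -O /tmp/acc-ca.crt https://www-acc.gsi.de/certificate/acc-ca.crt
#   install_ca /tmp/acc-ca.crt /etc/pki/tls/certs/ca-bundle.crt "<sha256-from-csco:in>"
```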
Archlinux
curl -L -o /etc/ca-certificates/trust-source/anchors/acc-ca.crt https://www-acc.gsi.de/certificate/acc-ca.crt
update-ca-trust
LDAP
To configure OpenLDAP to use the bundle, add the following to
/etc/openldap/ldap.conf
tls_cacert /etc/pki/tls/certs/ca-bundle.crt
tls_cacertdir /etc/openldap/cacerts
Windows
Firefox:
Java
Each Java installation has its own keystore. The following command should help you figure out how to add the ACC-CA:
wget https://www-acc.gsi.de/certificate/acc-ca.crt -q -O - | /usr/java/default/bin/keytool -keystore /usr/java/default/jre/lib/security/cacerts -storepass changeit -alias acc-ca -noprompt -importcert
MacOS
The keytool should be in the path. The keystore is in:
Keystore JDK6: /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
Keystore JDK7: /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts
You need to use sudo, so you can't pipe the wget output. Use the "-file" parameter to specify the downloaded certificate file.
wget https://www-acc.gsi.de/certificate/acc-ca.crt
sudo keytool -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -alias acc-ca -noprompt -importcert -file acc-ca.crt