Many services at GSI are only available via SSL encrypted communication (i.e.
, Mailbox access
, ...). The server certificates (keys) for these encrypted communication channels are issued and signed by the DFN
The SSL certificates are all signed by this certificate chain:
Recent releases of the Mozilla suite applications Firefox
) and Seamonkey
) trust DFN-signed certificates by default.
For older versions you have to import the relevant certificates by yourself to make Firefox
et al. trust GSI SSL certificates.
Simply click on the certificate links above
. An https://wiki.gsi.de/pub/Linux/SslCertificates/firefox_add_ca_sarge.png import dialog
will appear. Choose at least Trust this CA to identify web sites
and click ok. Adding trust for email users in Firefox
is as useless as for software - currently there's no known software signed by a GSI certificate.
GSIs Exchange mail server also uses a DFN-signed SSL certificate for encrypting the IMAP and POP client access (see TipsEmail
To make Thunderbird
trust this certificate you have to download the certificates above
on your local computer first.
Then open Thunderbird's
configuration dialog (Edit
) and go to the tab https://wiki.gsi.de/pub/Linux/SslCertificates/thunderbird_preferences_advanced_sarge.png Advanced
Click Manage certificates
to open the https://wiki.gsi.de/pub/Linux/SslCertificates/thunderbird_certificate_manager_sarge.png Certificate Manager
, go to the tab Authorities
and click Import
to import the locally saved certificates.
Choose Trust this CA to identify web sites
in the appearing https://wiki.gsi.de/pub/Linux/SslCertificates/firefox_add_ca_sarge.png import dialog
You may additionally choose Trust this CA to identify email users
to make Thunderbird
trust mails signed by S/MIME using DFN signed certificates (rarely used up to now).
Yet to come ...
The majority of applications, especially cmdline programs like
use the http://www.openssl.org/ OpenSSL
library for SSL encryption (or GnuTLS for which these instructions also apply).
This has already been preconfigured throughout the GSI LinuxFarm
, so the following instructions are only necessary on external computers. You need superuser privileges for installation.
The trusted root certificates for OpenSSL normally reside below
. Download the certificates
and copy them to
. Then run
. That's it.
Alternative for Debian-based distros:
- Download the certificates to /usr/local/share/ca-certificates/
- 2008 - 2013