SSL certificates

Many services at GSI are only available via SSL-encrypted communication (e.g. https://... web pages, mailbox access, ...). The server certificates for these encrypted communication channels are issued and signed by the DFN.

The SSL certificates are all signed by this certificate chain:
  • Deutsche Telekom Root CA 2 (SHA-1 fingerprint 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF)
  • GSI CA 02 (SHA-1 fingerprint 2B:43:9C:97:05:16:3B:EA:1F:28:5F:57:94:DC:63:73:2D:77:A1:32)

Mozilla apps

Recent releases of the Mozilla suite applications Firefox (aka Iceweasel), Thunderbird (aka Icedove) and SeaMonkey (aka Iceape) trust DFN-signed certificates by default.

For older versions you have to import the relevant certificates yourself to make Firefox et al. trust GSI SSL certificates.

Firefox

[Screenshot: Firefox add certificate dialog]

Simply click on the certificate links above. An import dialog will appear. Choose at least Trust this CA to identify web sites and click OK. Trusting this CA to identify email users is as pointless in Firefox as trusting it to identify software developers: currently there is no known software signed by a GSI certificate.

Thunderbird

[Screenshot: Thunderbird preferences dialog]

[Screenshot: Thunderbird certificate manager]

GSI's Exchange mail server also uses a DFN-signed SSL certificate to encrypt IMAP and POP client access (see TipsEmail). To make Thunderbird trust this certificate, first download the certificates above to your local computer. Then open Thunderbird's preferences dialog (Edit - Preferences) and go to the Advanced tab.

Click Manage certificates to open the Certificate Manager, go to the Authorities tab and click Import to import the locally saved certificates. Choose Trust this CA to identify web sites in the import dialog that appears. You may additionally choose Trust this CA to identify email users to make Thunderbird trust S/MIME-signed mails that use DFN-signed certificates (rarely used so far).

KDE

Yet to come ...

OpenSSL applications

The majority of applications, especially command-line programs such as svn or wget, use the OpenSSL library for SSL encryption (or GnuTLS, to which these instructions also apply).

This has already been preconfigured throughout the GSI LinuxFarm, so the following instructions are only necessary on external computers. You need superuser privileges for installation.

The trusted root certificates for OpenSSL normally reside below /etc/ssl/certs/. Download the certificates and copy them to /etc/ssl/certs/. Then run c_rehash /etc/ssl/certs. That's it.

Alternative for Debian-based distros:
  1. Download the certificates to /usr/local/share/ca-certificates/
  2. Run sudo update-ca-certificates
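Before copying a downloaded CA certificate into the trust store, it is worth checking that its SHA-1 fingerprint matches the one published above, so that a corrupted or substituted download is never trusted. The following shell script is an added example, not part of this wiki page or of any GSI tooling; it assumes openssl and c_rehash are installed, that the certificates are PEM files, and the file names deutsche-telekom-root-ca-2.pem and gsi-ca-02.pem are placeholders.

```shell
#!/bin/sh
# Added example: verify a CA certificate's SHA-1 fingerprint against the
# value published on the wiki page before installing it for OpenSSL.
# Assumptions: openssl and c_rehash available; certificates are PEM encoded.

# Fingerprints as listed on the page.
ROOT_FP="85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF"   # Deutsche Telekom Root CA 2
GSI_FP="2B:43:9C:97:05:16:3B:EA:1F:28:5F:57:94:DC:63:73:2D:77:A1:32"    # GSI CA 02

# Normalise a fingerprint for comparison: strip an optional
# "SHA1 Fingerprint=" prefix (as printed by openssl), drop colons, uppercase.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only if both fingerprints are equal after normalisation.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Print the SHA-1 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1"
}

# install_ca_cert FILE EXPECTED_FP [CERTDIR]
# Copies FILE into CERTDIR (default /etc/ssl/certs) and rehashes the
# directory only when the fingerprint matches. Returns 1 if the file is
# unreadable, 2 on a fingerprint mismatch.
install_ca_cert() {
    file=$1; expected=$2; certdir=${3:-/etc/ssl/certs}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(cert_fingerprint "$file") || return 1
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $file: got $actual" >&2
        return 2
    fi
    cp "$file" "$certdir/" && c_rehash "$certdir"
}

# Usage (as root, placeholder file names):
#   install_ca_cert deutsche-telekom-root-ca-2.pem "$ROOT_FP"
#   install_ca_cert gsi-ca-02.pem "$GSI_FP"
```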

-- ChristopherHuhn - 2008 - 2013
Topic revision: r8 - 2013-12-03, ChristopherHuhn