UK eScience Certificates Page
CA Certificates
(See also NGS Certificate Repository for resource administrators.)
Which certificates do I need?
- In most browsers, you probably only need to "Browser Import" the Root certificate (trusting it to sign web certificates) into the Trusted Roots section of your certificate store and you'll then be able to access websites signed by our old or new eScience CAs.
- In other browsers (IE8 and IE9 for instance) you may also have to "Browser Import" each of the 3 eScience CA certificates (Old, 2A and 2B) into the Intermediate Certification Authorities section. Indeed on Windows 7 that still might not be enough and you may have to individually add exceptions to your trusted sites as well (depending what security level you have engaged).
- If the hashed names confuse you, don't worry: they are for different versions of OpenSSL (see FAQ below), or for tools based on OpenSSL. Note that the Root signing policy has also been amended to cater for the new CA certificates.
- If instead of installing individual files you would prefer a package install then please go to our CA repository server.
| Certificates for Importing into a Browser | Certificate and Signing Policy | Certificate Revocation lists | |
|---|---|---|---|
| openssl 0.9.X | openssl 1.0.Y | ||
| UK Root CA | 98ef0ee5.0 98ef0ee5.signing_policy |
7ed47087.0 7ed47087.signing_policy |
UK Root CRL |
UK eScience 2A |
1b6f5ede.0 1b6f5ede.signing_policy | 877af676.0 877af676.signing_policy | UK eScience 2A CRL |
| UK eScience 2B |
ffc3d59b.0 ffc3d59b.signing_policy | 530f7122.0 530f7122.signing_policy | UK eScience 2B CRL |
| Old UK eScience CA | 367b75c3.0 367b75c3.signing_policy | 53729190.0 53729190.signing_policy | Old UK eScience CRL |
| SARoNGS CA | ccee1974.0 ccee1974.signing_policy | 57a979d4.0 57a979d4.signing_policy | SARoNGS CRL |
| SLCS Top Level CA | ece35fd4.0 ece35fd4.signing_policy | 439ce3f7.0 439ce3f7.signing_policy | SLCS Top Level CRL |
| Training CA | cb398b31.0 cb398b31.signing_policy | bc32228e.0 bc32228e.signing_policy | Training CRL |
Frequently Asked Questions
- Q: Why all these certificates?
- The CA certificates sign certificates for different types of user.
- Q: Why are there two hashes?
- OpenSSL changed the way they hash certificates as of version 1.0.0. If your server uses openssl 0.9.X then use those files, likewise for 1.0.Y. You can check this with the command:
openssl version
Note that their respective contents are identical, but we provide both so you don't need to rename files after download.
- OpenSSL changed the way they hash certificates as of version 1.0.0. If your server uses openssl 0.9.X then use those files, likewise for 1.0.Y. You can check this with the command:
- Q: What are the hashes anyway?
- They are used by OpenSSL - and tools built on OpenSSL - to discover the issuer of a given certificate.
