NGS CA Certificate Repository
Certification Authority Repository(ies)
Overview
It is the policy of the NGS that sites trust the IGTF accredited CAs under all the current IGTF profiles:
- "Classic" CAs: Almost always operating offline
- SLCS: Short Lived Credential Service, e.g. MyProxy-based CAs or KCAs.
- MICS: Member Integrated Credential Service, e.g. Shibboleth-based CAs.
In addition, the NGS has its own CAs which are used within the NGS. Finally, there are CAs from the rest of the world which the NGS has decided to trust even though they are not IGTF-accredited.
Certificate Distribution
Since the NGS distributes its own certificates in addition to the IGTF ones, the NGS now has its own certificate distribution. It is updated whenever there is a new IGTF release.
Please note that the distributions have changed a lot recently; you are advised to exercise some caution.
There are currently three methods for obtaining the NGS CA certificate distribution:
1. YUM
Install the following data as /etc/yum.repos.d/ngs-igtf.repo:
[NGS-IGTF-plus]
name=NGS and IGTF CAs plus a few others trusted by NGS
baseurl=http://cert.ca.ngs.ac.uk/latest/yum
gpgcheck=1
Tell RPM about the GPG key used to sign the distribution (if you haven't already): save the file pubkey.asc.txt and import it:
rpm --import pubkey.asc.txt
(Apologies for the .txt extension; the server wouldn't accept the file otherwise.) Before importing, check that the fingerprint of the key you downloaded is:
8F9C 6AAA 3DB1 8901 BCB7 33C8 7BF9 1843 84DF 7B65
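To turn the fingerprint comparison above into a mechanical step rather than an eyeball check, here is an added shell script (not part of the NGS distribution) that fetches the key, computes its fingerprint with gpg and hands it to rpm only if the fingerprint matches the one published above. It assumes gpg 2.1 or later (for --import-options show-only), wget and rpm, and the key URL http://cert.ca.ngs.ac.uk/latest/pubkey.asc.txt, which is inferred from the other links on this page and not stated by it.

```shell
#!/bin/sh
# Added example, not NGS code: import the NGS repository signing key only after
# confirming its fingerprint matches the one published on the page.
# Assumes gpg >= 2.1 (for --import-options show-only), wget and rpm.
set -eu

# Fingerprint published on the page for the NGS distribution signing key.
NGS_KEY_FPR="8F9C 6AAA 3DB1 8901 BCB7 33C8 7BF9 1843 84DF 7B65"
# Assumed location of the key; the page links to pubkey.asc.txt without a full URL.
NGS_KEY_URL="http://cert.ca.ngs.ac.uk/latest/pubkey.asc.txt"

# Strip whitespace and upper-case so fingerprints from different tools compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print "yes" if the two fingerprints denote the same key, "no" otherwise.
fpr_matches() {
    if [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# Fingerprint of the primary key in an armoured key file, without importing it.
# In --with-colons output the "fpr" record carries the fingerprint in field 10.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fetch the key over plain HTTP (as the page does), verify it, then import it.
# The fingerprint check is what makes the unauthenticated download safe to trust.
import_ngs_key() {
    tmp=$(mktemp)
    wget -q -O "$tmp" "$NGS_KEY_URL"
    actual=$(key_fingerprint "$tmp")
    if [ "$(fpr_matches "$NGS_KEY_FPR" "$actual")" != yes ]; then
        echo "fingerprint mismatch: got '$actual', expected '$NGS_KEY_FPR'" >&2
        rm -f "$tmp"
        return 1
    fi
    rpm --import "$tmp"
    rm -f "$tmp"
}

# Only perform the download and import when run as: sh ngs-key.sh install
if [ "${1:-}" = install ]; then
    import_ngs_key
fi
```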
2. VDT
Use this link for your VDT certificate updater (replacing the original link):
http://cert.ca.ngs.ac.uk/latest/ngs-igtf-vdt
3. "Manually"
wget http://cert.ca.ngs.ac.uk/latest/certificates.tar.gz
cd /etc/grid-security && tar xzf ~-/certificates.tar.gz
(Assumes a bash-like shell in which ~- expands to OLDPWD, i.e. the directory you downloaded the tarball into.)
Changelog
| Date | Version | Notes |
| 20110930 | 1.42-1 | Release of 1.42 containing bugfix of bugfix :-( |
| 20110929 | 1.41-1 | Release of 1.41 containing bugfixed ancillary files |
| 20110823 | 1.40-1 | Release of 1.40, new 2A and 2B certs. |
| .... | | |
| 20091109 | 1.32-1 | First full release of 1.32, containing IGTF 1.32, FNAL, SARoNGS2. |
| 20091111 | 1.32-2 | As 1.32-1 plus LONI. |
| 20091204 | 1.32-3 | 1.32-2 but with the SARoNGS CA replaced to match the new private key held on a high performance key server |
Notes:
- SARoNGS1 was a software key generated in October 2008 (i.e. the certificate corresponding to that key). SARoNGS2 is the current SARoNGS key, generated on an Aladdin key token (similar to robot certificates). SARoNGS3 is the final production key, held on an nCipher HSM running in FIPS 140-2 Level 3 mode. This key exists and is fully operational, but the MyProxy CA that uses it still needs to be redeployed.
- LONI is the Louisiana Optical Network Infrastructure. More information about the LONI CA.
Other Repositories
- IGTF - links to the IGTF-only distribution.
- TACAR - TERENA Academic CA Repository, containing some IGTF CAs and some non-accredited CAs. All keys have been authenticated with a Trusted Introducer independently of IGTF, so it provides an independent trust path.

