
CA certificates


Which certificates do I need?

  • In most browsers, you probably only need to "Browser Import" the Root certificate (trusting it to sign web certificates) into the Trusted Roots section of your certificate store and you'll then be able to access websites whose certificates are signed by our eScience CAs.
  • In other browsers (IE8 and IE9 for instance) you may also have to "Browser Import" the two eScience CA certificates (2A and 2B) into the Intermediate Certification Authorities section. Indeed, on Windows 7 that still might not be enough and you may have to individually add exceptions to your trusted sites as well (depending on what security level you have engaged).
  • If the hashed names confuse you, don't worry: they are for different versions of OpenSSL (see FAQ below), or for tools based on OpenSSL.
  • If you require a package install for the non-IGTF certificates then please go to our CA repository server.
  • We no longer provide package installs for our IGTF-accredited UK eScience CA Certificates, but they are available from the EUGridPMA repository.

IGTF-accredited UK eScience CA Certificates

 
| Certificate for Importing into a Browser | Certificate Distinguished Name (DN) | Certificate Revocation List | openssl 0.9.X Certificate and Signing Policy | openssl 1.0.Y Certificate and Signing Policy | SHA-1 Fingerprint | SHA-256 Fingerprint |
| --- | --- | --- | --- | --- | --- | --- |
| UK e-Science Root | /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root | UK e-Science Root | 98ef0ee5.0, 98ef0ee5.signing_policy | 7ed47087.0, 7ed47087.signing_policy | A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E | 53:87:A6:41:C8:FC:F7:2C:81:00:78:72:C9:6E:4C:AE:AB:11:0A:A9:4A:EC:92:CB:CB:B0:C4:77:93:F5:24:7F |
| UK e-Science CA 2B | /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B | UK e-Science CA_2B CRL | ffc3d59b.0, ffc3d59b.signing_policy | 530f7122.0, 530f7122.signing_policy | DB:D9:5A:B4:E9:AD:74:26:E0:33:68:AA:B1:77:CC:5B:64:B2:CB:0E | 17:12:91:F6:D0:2A:86:B5:AF:9E:E2:F3:91:AA:6A:0F:CE:17:71:B0:CB:C3:65:56:31:7D:9A:9F:50:A8:35:32 |

 

Non-IGTF CA certificates issued by the UK eScience CA

 
| Certificate for Importing into a Browser | Certificate Distinguished Name (DN) | Certificate Revocation List | openssl 0.9.X Certificate and Signing Policy | openssl 1.0.Y Certificate and Signing Policy | SHA-1 Fingerprint | SHA-256 Fingerprint |
| --- | --- | --- | --- | --- | --- | --- |
| UK eScience CA_2A | /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2A | UK eScience CA_2A CRL | 1b6f5ede.0, 1b6f5ede.signing_policy | 877af676.0, 877af676.signing_policy | 41:C7:C4:A0:31:F7:07:02:81:C7:61:D5:7E:92:48:01:DF:87:C9:06 | A1:25:BC:9D:4E:F1:BE:75:0A:EE:AF:E9:06:22:01:3E:35:29:06:93:CD:9D:56:F1:5C:53:AD:40:F1:2F:47:51 |
| SLCS Top Level CA | /C=UK/O=eScienceSLCSHierarchy/OU=Authority/CN=SLCS Top Level CA | SLCS Top Level CA CRL | ece35fd4.0, ece35fd4.signing_policy | 439ce3f7.0, 439ce3f7.signing_policy | BA:BF:48:9D:5F:A0:E8:32:12:1E:7F:96:D1:15:49:E6:9F:13:56:B2 | |
| SARoNGS CA | /C=UK/O=eScienceSLCSHierarchy/OU=SARoNGS/CN=NGS Shib SLCS | SARoNGS CRL | ccee1974.0, ccee1974.signing_policy | 57a979d4.0, 57a979d4.signing_policy | EC:1F:30:AF:67:0C:51:2C:6D:63:93:85:F4:3A:5E:F9:98:4A:AB:D1 | |
| Development CA | /C=UK/O=eScienceDev/OU=NGS/CN=DevelopmentCA | Development CA CRL | f23dda82.0, f23dda82.signing_policy | 0129d10e.0, 0129d10e.signing_policy | 9E:9D:A7:DB:BE:AA:7C:54:99:25:88:FD:20:A6:7F:F8:42:41:19:5D | |

Expired Certificates (for historical use only)

 
| Certificate for Importing into a Browser | Certificate Distinguished Name (DN) | Certificate Revocation List | openssl 0.9.X Certificate and Signing Policy | openssl 1.0.Y Certificate and Signing Policy | SHA-1 Fingerprint |
| --- | --- | --- | --- | --- | --- |
| Training CA | /C=UK/O=Grid/O=Test/OU=Authority/CN=Root | Training CA CRL | cb398b31.0, cb398b31.signing_policy | bc32228e.0, bc32228e.signing_policy | E2:F9:F3:AE:78:98:2F:FD:AA:2F:F8:DF:89:BC:62:4A:E4:6B:EB:C5 |
| 2007 UK eScience CA (Expired Mar-2013) | /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA | 2007 UK eScience CRL (final) | 367b75c3.1, 367b75c3.signing_policy | 53729190.1, 53729190.signing_policy | 63:7A:39:9E:51:61:45:F2:5C:BE:71:86:98:F6:D8:7F:67:5B:F9:45 |
| 2007 UK eScience CA (Expired Oct-2012) | /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA | Old UK eScience CRL (final) | 367b75c3.0, 367b75c3.signing_policy | 53729190.0, 53729190.signing_policy | CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7 |
| 2006 UK eScience CA | /C=UK/O=eScienceCA/OU=Authority/CN=CA | | adcbc9ef.0, adcbc9ef.signing_policy | 7bb4c3c4.0, 7bb4c3c4.signing_policy | 0A:E0:5B:0C:64:99:18:2B:4F:FB:15:33:6F:77:33:F9:8E:F2:6D:C7 |
| 2006 UK eScience Root | /C=UK/O=eScienceRoot/OU=Authority/L=Root/CN=CA | | 8175c1cd.0, 8175c1cd.signing_policy | f92e7377.0, f92e7377.signing_policy | 88:BF:90:CB:03:C6:10:14:FA:BB:0D:0A:3C:76:DA:D6:6E:21:54:95 |
| 2002 UK eScience CA | /C=UK/O=eScience/OU=Authority/CN=CA/emailAddress=ca-operator@grid-support.ac.uk | | 01621954.0, 01621954.signing_policy | 2bf9495b.0, 2bf9495b.signing_policy | 61:3F:E3:57:17:F0:4D:A0:05:CA:BB:F2:E4:BE:81:64:F1:96:02:F1 |

 

Frequently Asked Questions

 

  1. Q: Why all these certificates?

    The CA certificates sign certificates for different types of user.

  2. Q: What is the hash and why are there two of them?

    They are used by OpenSSL, and tools built on OpenSSL, to discover the issuer of a given certificate. OpenSSL changed the way it hashes certificates as of version 1.0.0. If your server uses openssl 0.9.X then use the named files in that column; likewise for 1.0.Y. You can check which version of openssl you have with the command:

    openssl version
    

    Note that their respective contents are identical, but we provide both so you don't need to rename files after download.

  3. Q: What are the SHA-1 fingerprints?

    These can be used to prove that the certificate you have received is the correct one. Note that you also have to trust the source of the fingerprint, which is why they should be provided on different servers. The example below shows that the two eScience Root CA files are for the same certificate:

    $ # openssl v0.9.X
    $ openssl x509 -in 98ef0ee5.0 -noout -fingerprint -sha1
    SHA1 Fingerprint=A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
    
    $ # openssl v1.0.Y
    $ openssl x509 -in 7ed47087.0 -noout -fingerprint -sha1
    SHA1 Fingerprint=A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
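
The same check can be scripted without OpenSSL. This is an added example, not part of the original page: it computes the fingerprint of a PEM file and compares it with a published value, accepting the `SHA1 Fingerprint=...` line as printed above or bare hex. The function names and the sample data are assumptions made for the example; the sample bytes are constructed placeholders, not one of the CA certificates listed here.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in a PEM file."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    # Drop line breaks (LF or CRLF) before decoding the base64 body.
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem_text, algo="sha256"):
    """Colon-separated upper-case digest of the DER encoding."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(published):
    """Accept 'SHA1 Fingerprint=AA:BB:..', 'aa:bb:..' or bare hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", published.split("=")[-1]).upper()

def matches(pem_text, published):
    """True if the file's digest equals the published SHA-1 or SHA-256 value."""
    want = normalise(published)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))  # pick digest by hex length
    if algo is None:
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    got = normalise(fingerprint(pem_text, algo))
    return hmac.compare_digest(got, want)

def make_pem(der):
    """Helper for the constructed samples below: wrap bytes in PEM armour."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes standing in for a certificate's DER
# encoding. FILE_A and FILE_B model the two hash-named downloads of one
# certificate; FILE_B uses CRLF line endings, so the files differ byte for byte.
SAMPLE_DER = b"constructed placeholder bytes, not a real CA certificate"
FILE_A = make_pem(SAMPLE_DER)
FILE_B = make_pem(SAMPLE_DER).replace("\n", "\r\n")

if __name__ == "__main__":
    published = "SHA256 Fingerprint=" + fingerprint(FILE_A)  # stand-in for the out-of-band value
    print(matches(FILE_A, published), matches(FILE_B, published))
```

Because the digest is taken over the decoded DER bytes, two downloads of the same certificate match even when the files differ in line endings. The published value should still come from a source other than the one that served the certificate.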
    

