CAL Certificate Authority
The Columbia Astrophysics Laboratory is going to run its own certificate authority.
The current Certificate Authority Root Certificate is in a file attached to this page.
If you want to smoothly use secure connections to servers on the CAL network, download that file and import it into your browser.
creating a personal certificate
The certificate authority is also used at the moment to sign certificates for individual users. If you would like a certificate for yourself to use within CAL, follow these instructions:
prerequisites
This assumes you are running a reasonable operating system which has openssl installed. This probably does not include Windows.
download the setup script
The setup script is attached to this wiki page as CALpkcs12. It is a bash script, and should be made executable with chmod u+x.
generating a private key and certificate request
Run the following command and provide reasonable answers to the questions it asks you:
    [dkg@squeak test]$ chmod u+x CALpkcs12
    [dkg@squeak test]$ ./CALpkcs12 newkey
    Choose your preferred user name: [dkg] dkg
    Enter your current e-mail address: [dkg@localdomain] dkg@example.org
    Choose a passphrase:
    Confirm the passphrase:
    Generating a 2048 bit RSA private key
    ...................................+++
    .........................................+++
    writing new private key to '.CAL-key.pem'
    -----
    trying to mail new certificate request to the CAL network admin <omitted here>
    Success! You may want to also mail the CAL network admin <omitted here>
    a brief followup e-mail about your new account registration.
    [dkg@squeak test]$
So far, you've created a key and a certificate request. The system administrator still needs to provide you with a full-fledged certificate. Don't lose the files in this directory!
creating the PKCS12 from the generated certificate
After receiving and verifying your certificate request, the system administrator will send you a file called CAL-cert.pem. Save it in the same directory as your other certificates, and you can now run the following command:
    [dkg@squeak test]$ CALpkcs12 newcert
    Where is the downloaded certificate? [CAL-cert.pem]
    Enter your passphrase:
    Created pkcs12 certificate bundle in file CAL-cert.p12.
    You can now import this bundle into your favorite web browser.
    [dkg@squeak test]$
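A check worth running between receiving CAL-cert.pem and building the bundle, written here as an added example (it is not the CALpkcs12 script, whose contents are not shown on this page): it confirms the certificate chains to the CA root and matches your private key before exporting PKCS#12. The CAL_PASS variable, the function names, and the throwaway CAs and users built for the demo are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the CALpkcs12 script. CAL_PASS, the function names and
# every file created below are assumptions; all keys are constructed throwaways.

# check_and_bundle KEY CERT CAROOT OUT   (passphrase taken from $CAL_PASS)
# Returns 0 = bundle written, 2 = CERT not issued by CAROOT,
# 3 = CERT does not match KEY, 4 = PKCS#12 export failed.
check_and_bundle() {
    local key=$1 cert=$2 ca=$3 out=$4 kpub cpub
    # The certificate must chain to the CA root you already trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
    # Its public key must be the one derived from your own private key.
    kpub=$(openssl pkey -in "$key" -passin env:CAL_PASS -pubout 2>/dev/null) || return 3
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    [ "$kpub" = "$cpub" ] || return 3
    # Only now bundle key, certificate and CA root; keep the file private.
    ( umask 077
      openssl pkcs12 -export -inkey "$key" -passin env:CAL_PASS -in "$cert" \
          -certfile "$ca" -out "$out" -passout env:CAL_PASS >/dev/null 2>&1 ) || return 4
}

# new_ca DIR NAME: constructed throwaway CA (DIR/NAME-ca.pem, DIR/NAME-ca.key).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed $2 CA" \
        -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" >/dev/null 2>&1
}

# new_user DIR USER CA: passphrase-protected 2048-bit RSA key plus request,
# then signed by CA (standing in for the administrator's step).
new_user() {
    openssl req -new -newkey rsa:2048 -passout env:CAL_PASS -subj "/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$2-req.pem" -days 1 -CA "$1/$3-ca.pem" \
        -CAkey "$1/$3-ca.key" -CAcreateserial -out "$1/$2-cert.pem" >/dev/null 2>&1
}

# demo: dkg's key against dkg's cert, a cert from another CA, another user's cert.
demo() {
    local d rc c out=""; d=$(mktemp -d) || return 1
    export CAL_PASS='constructed-passphrase'
    new_ca "$d" cal && new_ca "$d" other || return 1
    new_user "$d" dkg cal && new_user "$d" bob other && new_user "$d" alice cal || return 1
    for c in dkg bob alice; do
        rc=0; check_and_bundle "$d/dkg-key.pem" "$d/$c-cert.pem" "$d/cal-ca.pem" "$d/$c.p12" || rc=$?
        out="${out:+$out }$rc"
    done
    rm -rf "$d"; echo "$out"
}
demo   # prints: 0 2 3
```

With real files the call would take your key file, the certificate the administrator sent, and the CA root downloaded from this page; the passphrase is read from the environment so it does not appear in the process list.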
using the certificate in different clients
You'll probably want to use this certificate in different clients. For example, you will find it useful in your web browser.
configuring Mozilla
Under Mozilla, choose "Edit|Preferences", then select "Privacy and Security" in the left-hand pane, and choose "Certificates" from the sub-menu.
Click "Manage Certificates", ensure that the "Your Certificates" tab is active, and choose "import". Point Mozilla at CAL-cert.p12, and give it the password you gave in the "Export Password" step above. Mozilla should now know how to identify you to the server.
configuring Firefox
Under Firefox, choose "Edit", "Preferences", then under "Advanced", expand the "Certificates" section. Click "Manage Certificates". Ensure that the "Your Certificates" tab is active, and choose "import". Point Firefox at CAL-cert.p12, and give it the password you gave in the "Export Password" step above. Firefox should now know how to identify you to the server.
