Certificate Authority
What is a Certificate Authority
A Certificate Authority, or CA, is an entity that vouches for the identity of a digital resource by signing Certificate Signing Requests.
Obtaining Signed Certificates
As of May 2011 the university has partnered with InCommon as a subscriber to the InCommon Certificate Authority service. Watch this section for more information on how to request various certificates using this service. The service is mediated by InCommon/Internet2; however, the actual certificate authority is Comodo. There is a chain certificate for every server certificate issued under the new service. The chain is signed by Comodo's AddTrust Root Certificate. The chain and root certificates may be found on the InCommon Certificate Authority Chain Certificates page.
Note that as of December 31, 2010 all Certificate Signing Requests (CSR) submitted to any recognized certificate authority must be generated with a 2048-bit key rather than a 1024-bit key, the previous standard. The change was made to comply with a recommendation set forth by the National Institute of Standards and Technology (NIST).
When replacing a certificate that was requested prior to 12/31/2011, be aware that a new 2048-bit key MUST be generated along with the CSR to comply with the change. Our certificate authority service will not accept a CSR generated using a key of only 1024 bits.
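A pre-submission check for the key-size requirement above, as an added example that is not part of the original page: it creates a key and CSR with the OpenSSL command-line tool and rejects any CSR whose key is smaller than 2048 bits. The function names are hypothetical, and the example assumes the openssl command is installed.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Assumes the OpenSSL command-line tool is on PATH.

MIN_BITS=2048   # minimum key size stated on this page

# Print the public key size, in bits, of a PEM-encoded CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 only if the file is a CSR whose self-signature verifies and whose
# key is at least MIN_BITS. The self-signature check catches a truncated or
# hand-edited request before it is sent to the CA.
csr_is_acceptable() {
    csr="$1"
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "REJECT $csr: not a valid CSR" >&2
        return 1
    fi
    bits="$(csr_key_bits "$csr")"
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "REJECT $csr: ${bits:-unknown}-bit key, need at least $MIN_BITS" >&2
        return 1
    fi
    echo "OK $csr: ${bits}-bit key"
}

# Create a new RSA private key (readable by the owner only) and a CSR for it.
# Arguments: key file, CSR file, subject, optional key size (default MIN_BITS).
new_key_and_csr() {
    key="$1"; csr="$2"; subj="$3"; size="${4:-$MIN_BITS}"
    ( umask 077; openssl genrsa -out "$key" "$size" 2>/dev/null ) &&
        openssl req -new -key "$key" -subj "$subj" -out "$csr" 2>/dev/null
}

# Usage (placeholder file names and subject):
#   new_key_and_csr server.key server.csr "/CN=www.example.edu"
#   csr_is_acceptable server.csr && echo "ready to submit"
```

A replacement certificate needs a fresh key as well as a fresh CSR, so run the check against the new CSR rather than one regenerated from the old 1024-bit key.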
Importing the University Certificate Authority
Properly designed applications will by default complain about certificates issued by the Case certificate authorities because these certificate authorities are not in the default bundle, or list, of trusted certificate authorities. The problem can be rectified by importing these certificates into the trusted CA bundle.
The first step is to download the Case CA bundle. As of May 28, 2009 we have new root and server CA certificates against which all new server certificates will be signed. The newer certificates use better encryption mechanisms and more secure algorithms for the signatures. For backwards compatibility, the old certificates are also included in the new bundle.
The new certificate bundle may be found at
https://its-services.case.edu/middleware/src/case-ca-bundle-2009.crt
The old bundle may still be found at
https://its-services.case.edu/middleware/src/case-ca-bundle.crt
Some browsers will automatically identify the file as a certificate and prompt you to import the certificate to the browser's or operating system's trusted CA list, so you may need to right click on the link to tell the browser to explicitly save the link target as a file.
Many services are using certificates issued by Entrust. The Entrust public certificate is available at https://its-services.case.edu/middleware/Responsibilities/SSL/SSL.html.
For OS X
Double clicking on the downloaded .crt file will open Keychain Access. You might be prompted for your system administrator's password. You will be prompted with a box asking if you want to add the certificates to the keychain. From the keychain drop-down menu, select "System" and click OK.
For *NIX Systems
Most distributions have a global trusted CA bundle file somewhere. The file is often named ca-bundle.crt. To add the Case CAs to the list, we just issue the command:
cat case-ca-bundle.crt >> ca-bundle.crt
Common locations for ca-bundle.crt
- RedHat -- /usr/share/ssl/certs/ca-bundle.crt
For Windows
Opening the aforementioned file will open the Windows Certificate Import Wizard. Simply click your way through the interface and the Case certificate authority will be marked as a trusted CA in Windows. This setting should propagate to any well-programmed application.
