CA Root Certificates
Many Grid-related web sites have a server certificate signed by a Grid CA. Grid CAs are not known to standard web browsers by default, so the browser warns that the site is untrusted. It is normally possible to ignore the warning, but it's undesirable to get into such a habit, as it may make you more susceptible to phishing attacks and the like.
It is therefore useful to import the CA root certificates as a trusted issuer to remove these warnings. Each CA web site should have links to download its own certificate, but since there is a large number of CAs in the Grid this is a clumsy way to collect the full set of certificates. There is therefore a single repository for a large number of CAs, in particular those covered by the International Grid Trust Federation (IGTF), at the TACAR web site. (Note that this site itself uses a server certificate signed by AddTrust, which is one of the standard issuers and should be trusted by browsers by default.)
On the TACAR pages, you can select all IGTF authorities (using the drop-down box at the top), and then download these in a number of formats. The PKCS7 format is the one most operating systems will understand. Select all the CAs you want (the top check box will check all of them in one go), and download the p7b file.
Unfortunately different browsers operate in different ways, but the following notes cover the most common cases. At least in MS Windows, right-click on the downloaded file and select Install certificates, placing them explicitly (Place all certificates into the following store) into Trusted Root Certification Authorities. They'll then be trusted by any applications that use the OS certificate store. Macs should behave in a similar way.
Firefox (and Thunderbird) use a different approach, and by design require you to import each and every CA individually. The Install buttons in TACAR help you with this, but there is no single "do it all" button. This is a conscious design choice by Mozilla, which wants the user to make an explicit choice each time for security reasons.
Remember that each bundle of CAs has its own specific security risks and requirements regardless of its source, whether pre-installed, part of the IGTF bundle or from some other source.
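Before placing a downloaded p7b file into a trusted root store, it helps to see exactly which CAs it contains. The script below is an added example, not part of the original page or of TACAR: it assumes the openssl command-line tool is installed, lists each certificate's expiry status, end date, SHA-256 fingerprint and subject, and includes a helper that builds a constructed two-CA demo bundle (the names "Demo Grid CA 1" and "Demo Grid CA 2" are made up).

```shell
#!/bin/sh
# Added example: review a PKCS#7 CA bundle before trusting it.

# list_p7b_certs FILE
# Prints one line per certificate: status | notAfter | SHA-256 fingerprint | subject
list_p7b_certs() {
    p7b=$1
    workdir=$(mktemp -d) || return 1
    # A .p7b file may be DER or PEM encoded; try DER first, then PEM.
    openssl pkcs7 -inform DER -in "$p7b" -print_certs -out "$workdir/all.pem" 2>/dev/null ||
    openssl pkcs7 -inform PEM -in "$p7b" -print_certs -out "$workdir/all.pem" 2>/dev/null ||
        { rm -rf "$workdir"; return 1; }
    # Split the concatenated PEM output into one file per certificate.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$workdir/all.pem"
    for c in "$workdir"/cert*.pem; do
        [ -f "$c" ] || continue
        # -checkend 0 exits non-zero when the certificate has already expired.
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            status=valid
        else
            status=EXPIRED
        fi
        end=$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2)
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        printf '%s | %s | %s | %s\n' "$status" "$end" "$fp" "$subj"
    done
    rm -rf "$workdir"
}

# make_demo_bundle FILE  (constructed sample input: two throwaway self-signed CAs)
make_demo_bundle() {
    bundle=$1
    d=$(mktemp -d) || return 1
    for i in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/O=Constructed Example/CN=Demo Grid CA $i" \
            -keyout "$d/key$i.pem" -out "$d/ca$i.pem" 2>/dev/null || return 1
    done
    openssl crl2pkcs7 -nocrl -certfile "$d/ca1.pem" -certfile "$d/ca2.pem" \
        -outform DER -out "$bundle"
    rc=$?; rm -rf "$d"; return $rc
}

# Usage: sh list_p7b.sh bundle.p7b
if [ "$#" -gt 0 ]; then list_p7b_certs "$1"; fi
```

The fingerprints in the listing can be compared with the certificate each CA offers for download on its own web site before the bundle is installed.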
Thanks to David Groep for providing much of the information on this page.
Last modified Mon 26 September 2011