Task #1273 (closed, 100% done)
Check CA hierarchy of GARR certificates issued by TERENA to create a truststore to add to production nodes
Description
The hierarchy can be found here:
http://pki.cesnet.cz/en/ch-tcs-ssl-ca-2-crt-crl.html
TERENA certificate can be found here:
http://crt.tcs.terena.org/TERENASSLCA.crt
Updated by Andrea Dell'Amico over 9 years ago
I just discovered that we already had an incident about the Terena CA certificate. But at that time I didn't know that GARR got the certificates from them: see #414. When we have the needed hierarchy sorted out we will need a new keyring for all the Java services involved.
Updated by Luca Frosini over 9 years ago
Using the right username and password I successfully created a db using https like this:
$ HOST=https://XXXX:XXXX@accounting-d4s.d4science.org
$ curl --cacert ./chain_TERENA_SSL_CA_2.pem -X PUT "$HOST/aux"
I got the PEM certificate from here:
https://pki.cesnet.cz/certs/chain_TERENA_SSL_CA_2.pem
Further details can be found here:
http://pki.cesnet.cz/en/ch-tcs-ssl-ca-2-crt-crl.html
Updated by Luca Frosini over 9 years ago
- File chain_TERENA_SSL_CA_2.pem chain_TERENA_SSL_CA_2.pem added
- Status changed from In Progress to Feedback
- % Done changed from 0 to 90
I also successfully tried removing the AddTrust External CA Root from the PEM.
So the only certificates needed for trust are these:
https://pki.cesnet.cz/certs/USERTrust_RSA_Certification_Authority.pem
https://pki.cesnet.cz/certs/TERENA_SSL_CA_2.pem
The global PEM I edited is available as an attachment.
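The comments above trim the chain bundle by hand: the self-signed AddTrust root is dropped and only USERTrust RSA Certification Authority and TERENA SSL CA 2 are kept for the truststore. The following script is an added example, not code from the ticket or from the D4Science project. It reads a PEM bundle with only the Python standard library (a minimal DER walk, no signature checks), lists each certificate's subject and issuer, orders the bundle so every certificate is followed by its issuer, and separates out the self-signed entries so one can see what is actually needed as a trust anchor. The sample bundle is constructed in the script from unsigned skeleton certificates that only mirror the subject/issuer layout of the TERENA chain; they are placeholders, not the real certificates.

```python
import base64
import re

CN_OID = bytes.fromhex("550403")  # 2.5.4.3 (commonName)

# --- minimal DER encoder: used only to construct the sample bundle below ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def name(cn):
    # Name ::= SEQUENCE OF (SET OF (SEQUENCE { OID, value }))
    atv = tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def skeleton_cert(subject_cn, issuer_cn):
    """Unsigned placeholder with the real X.509 field order; only subject/issuer matter."""
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                         # [0] version v3
              + tlv(0x02, b"\x01")                                   # serialNumber
              + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
              + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"350101000000Z"))
              + name(subject_cn)
              + tlv(0x30, b""))                                      # empty SPKI placeholder
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- minimal DER reader: enough to pull subject and issuer CN out of a certificate ---
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def common_name(name_value):
    for _, rdn_set in children(name_value):
        for _, atv in children(rdn_set):
            oid, val = children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8", "replace")
    return "?"

def cert_names(der):
    """Return (subject CN, issuer CN) of a DER certificate; no signature verification."""
    _, cert_body, _ = read_tlv(der)
    fields = children(children(cert_body)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional explicit version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, ...
    return common_name(fields[4][1]), common_name(fields[2][1])

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_bundle(pem_text):
    """Return [(subject CN, issuer CN, pem block)] for each certificate in the bundle."""
    out = []
    for m in PEM_RE.finditer(pem_text):
        subj, iss = cert_names(base64.b64decode("".join(m.group(1).split())))
        out.append((subj, iss, m.group(0) + "\n"))
    return out

def order_chain(entries):
    """Order the bundle so each certificate is followed by its issuer (leaf first)."""
    by_subject = {e[0]: e for e in entries}
    issued = {e[1] for e in entries if e[0] != e[1]}
    start = next((e for e in entries if e[0] not in issued), entries[0])
    chain, cur = [], start
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_subject.get(cur[1]) if cur[0] != cur[1] else None
    return chain

def trim_self_signed(entries):
    """Ordered chain without self-signed roots, as PEM text, plus the CNs that were dropped."""
    chain = order_chain(entries)
    kept = "".join(e[2] for e in chain if e[0] != e[1])
    return kept, [e[0] for e in chain if e[0] == e[1]]

# Constructed sample bundle (deliberately unordered) with the shape of the TERENA chain.
SAMPLE_BUNDLE = "".join(to_pem(skeleton_cert(s, i)) for s, i in [
    ("AddTrust External CA Root", "AddTrust External CA Root"),
    ("TERENA SSL CA 2", "USERTrust RSA Certification Authority"),
    ("USERTrust RSA Certification Authority", "AddTrust External CA Root"),
])

if __name__ == "__main__":
    entries = parse_bundle(SAMPLE_BUNDLE)
    for subj, iss, _ in order_chain(entries):
        print(f"{subj:<40} issued by {iss}" + ("  (self-signed)" if subj == iss else ""))
    trimmed, dropped = trim_self_signed(entries)
    print("dropped:", dropped)
```

On the real file one would call `parse_bundle(open("chain_TERENA_SSL_CA_2.pem").read())` instead of `SAMPLE_BUNDLE`. The script only reads names; whether the trimmed bundle actually validates the server certificate is still something to confirm with `openssl verify -CAfile` or, for the Java services mentioned earlier in the ticket, by importing it into the keystore and connecting, as the later comments do with curl and Java.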
Updated by Andrea Dell'Amico over 9 years ago
I just changed the certificates configuration on the haproxy server to add the certificates needed to complete the trust chain.
Now curl connects successfully.
Updated by Luca Frosini over 9 years ago
I confirm that curl works perfectly.
I'm going to test java code.
Updated by Luca Frosini over 9 years ago
- Status changed from Feedback to Closed
Java code works too.
I'm going to close the ticket.