Contents

• Installing these server certificates – desktop machines
• Installing these server certificates – server machines
• Installing your personal certificate
• Creating your own key
• OpenSSH CA

School X.509 and OpenSSH certificates

You probably don't need to care about this page: only a relatively small number of technical users need the information here.

We run a local Certificate Authority, which creates certificates for local use – mainly for connecting securely to a subset of intranet machines. You probably don't need one of these certificates, but if you learn that you do, talk to Norman.

We also have an OpenSSH CA. See the notes at the bottom of the page.

The school signing certificates are:

• /C=GB/O=University of Glasgow/OU=Physics & Astronomy/CN=Physics & Astronomy Root CA (Serial number: 9d:e1:44:28:d7:8f:f1:79, valid to November 2037)
• /C=GB/O=University of Glasgow/OU=Physics & Astronomy/CN=Physics & Astronomy Intermediate CA (2017) (Serial number: 4096, valid to November 2027)

You should install, in order, the Root CA certificate (marking it as trusted, when prompted), and then the Intermediate CA certificate. You can find these certificates, along with a few other useful ones, in a single zip file:

• zip file; and
• this file's GPG signature, signed with Norman's GPG key.

Note: these are different from the initial (2016) versions of these certificates, which were issued with a small but significant error.

Installing these server certificates – desktop machines §

• On OS X: Open ‘Keychain Access’, and under the ‘File’ menu, select ‘Import Items...’, then find and open the two certificate files. Still in ‘Keychain Access’, locate the ‘Physics & Astronomy Root CA’ certificate, select it and ‘Get Info’ (‘File’ menu), then use the ‘Trust’ option to mark this certificate as ‘Always Trust’.

• On Firefox: Select ‘Preferences’ » ‘Advanced’ » ‘Certificates’ » ‘View Certificates’. Select the ‘Authorities’ tab, and ‘Import...’ the two files. This sequence is broadly similar, but sometimes slightly different, in different Firefox versions, and in Thunderbird.

• On iOS, simply click on the links above, in order, and click ‘Install’ when prompted. These will be marked as trusted.

• Using Internet Explorer, you will be prompted to ‘Open’ or ‘Save’ the downloaded file. ‘Open’ it, and when prompted import the certificates into the ‘Trusted Certificates List’.

Installing these server certificates – server machines §

The notes below describe installing the phas-ca-* files from the certificates bundle, but you may also want to install the UK e-Science certificates, too. See the README in the downloaded bundle.

FreeBSD:

# mkdir /etc/ssl/certs
# cp certificates/phas-ca* /etc/ssl/certs
# cd /etc/ssl/certs
# for f in phas-ca-*; do ln -s $f `openssl x509 -hash -in $f -noout`.0; done

CentOS:

# cp certificates/phas-ca* /etc/pki/ca-trust/source/anchors
# update-ca-trust extract

The certs will then appear in various files under /etc/pki/ca-trust/extracted/pem/. You may need some further configuration to let client applications use these. For example, an ldap.conf file needs a line:

tls_cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Debian/Ubuntu: copy the two phas-ca-*.crt files into /usr/share/ca-certificates, adding the filenames to /etc/ca-certificates, and then running update-ca-certificates [instructions TBC].

Installing your personal certificate §

If you have a personal certificate, issued by the school, then you should install it as follows. Most people will not have such a certificate.

You will have received your certificate in the form of a .p12 file, along with a password which secures this file. When you import the certificate as described below, you have to unlock the .p12 file with this password.

• In Firefox, go to ’Preferences’ » ‘Advanced’ » ‘Certificates’ » ‘View certificates’ » ‘Your certificates’ » ‘Import...’ and find the .p12 file. This sequence is broadly similar, but sometimes slightly different, in different Firefox versions, and in Thunderbird.

• On OS X, you can import this to Keychain Access with ‘File’ » ‘Import items...’

• On Windows, double-click on the .p12 file, and the Certificate Import Wizard does the Right Thing.

• On iOS devices, email the .p12 file to yourself as an attachment, read that email on the iOS device, and tap on the attachment. If you have the certificate within Keychain Access already, then you will first need to export it from there, by finding it in ‘My Certificates’, selecting it, selecting ‘File’ » ‘Export Items...’, ensuring that you choose the .p12 file format, and supplying a password.

You can discard the .p12 file and password after you have imported the key and certificate, because you should be able to export the key and certificate from within the certificate store at a later stage.

Creating your own key §

If you have a desperate urge to create your own key and have it signed, then first download the appropriate config file, and then create a key:

% openssl genrsa -aes256 -out fred-bloggs-key.key 2048

You will be asked to enter a password for the key. This is used only for protecting this key whilst you are waiting for it to be signed, and before you import the signed key into your key/certificate manager.

Create the CSR:

% openssl req -new -config user-csr.cnf -key fred-bloggs.key -out fred-bloggs.csr

Accept the defaults for each item except the CommonName field, where you should enter your own name when prompted. Then send the .csr file to Norman to be signed. After the signed certificate is returned, import both it and the key file (for which you have of course remembered the password) as above.

If you have any questions, contact Norman Gray.

OpenSSH CA §

We run an OpenSSH CA to provide SSH certificates for a few IT users. The CA key is here. If you need to know more about this, talk to Norman.

P&A IT documentation — directory – Last modified by Norman Gray on 2025 April 10