School X.509 and OpenSSH certificates
You probably don't need to care about this page: only a relatively small number of technical users need the information here.
We run a local Certificate Authority, which creates certificates for local use – mainly for connecting securely to a subset of intranet machines. You probably don't need one of these certificates, but if you learn that you do, talk to Norman.
We also have an OpenSSH CA. See the notes at the bottom of the page.
The school signing certificates are:
- /C=GB/O=University of Glasgow/OU=Physics & Astronomy/CN=Physics & Astronomy Root CA (Serial number: 9d:e1:44:28:d7:8f:f1:79, valid to November 2037)
- /C=GB/O=University of Glasgow/OU=Physics & Astronomy/CN=Physics & Astronomy Intermediate CA (2017) (Serial number: 4096, valid to November 2027)
You should install, in order, the Root CA certificate (marking it as trusted, when prompted), and then the Intermediate CA certificate. You can find these certificates, along with a few other useful ones, in a single zip file:
- zip file; and
- this file's GPG signature, signed with Norman's GPG key.
Note: these are different from the initial (2016) versions of these certificates, which were issued with a small but significant error.
Installing these server certificates – desktop machines §
- On OS X: Open ‘Keychain Access’, and under the ‘File’ menu, select ‘Import Items...’, then find and open the two certificate files. Still in ‘Keychain Access’, locate the ‘Physics & Astronomy Root CA’ certificate, select it and ‘Get Info’ (‘File’ menu), then use the ‘Trust’ option to mark this certificate as ‘Always Trust’.
- On Firefox: Select ‘Preferences’ » ‘Advanced’ » ‘Certificates’ » ‘View Certificates’ (in current versions, ‘Settings’ » ‘Privacy & Security’ » ‘Certificates’ » ‘View Certificates...’). Select the ‘Authorities’ tab, and ‘Import...’ the two files. This sequence is broadly similar, but sometimes slightly different, in different Firefox versions, and in Thunderbird.
- On iOS, simply click on the links above, in order, and click ‘Install’ when prompted. On iOS 10.3 and later an installed root is not trusted for TLS until you also switch it on under ‘Settings’ » ‘General’ » ‘About’ » ‘Certificate Trust Settings’.
- Using Internet Explorer, you will be prompted to ‘Open’ or ‘Save’ the downloaded file. ‘Open’ it, and when prompted import the Root CA certificate into the ‘Trusted Root Certification Authorities’ store and the Intermediate CA certificate into the ‘Intermediate Certification Authorities’ store.
Installing these server certificates – server machines §
The notes below describe installing the phas-ca-* files from the certificates bundle, but you may also want to install the UK e-Science certificates. See the README in the downloaded bundle.
FreeBSD:
# mkdir -p /etc/ssl/certs
# cp certificates/phas-ca* /etc/ssl/certs
# cd /etc/ssl/certs
# for f in phas-ca-*; do ln -s "$f" "$(openssl x509 -hash -in "$f" -noout).0"; done
(The .0 suffix assumes no two certificates in the directory share a subject hash; recent FreeBSD releases also provide certctl(8), which maintains these links for you.)
CentOS:
# cp certificates/phas-ca* /etc/pki/ca-trust/source/anchors
# update-ca-trust extract
The certs will then appear in various files under /etc/pki/ca-trust/extracted/pem/.
You may need some further configuration to let client applications use these. For example, an ldap.conf file needs a line:
tls_cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Debian/Ubuntu:
copy the two phas-ca-*.crt files (PEM-encoded, and the .crt extension is required) into /usr/local/share/ca-certificates, then run update-ca-certificates; everything in that directory is picked up automatically and added to /etc/ssl/certs/ca-certificates.crt. If you put them in /usr/share/ca-certificates instead, you must also list the filenames in /etc/ca-certificates.conf before running update-ca-certificates.
Installing your personal certificate §
If you have a personal certificate, issued by the school, then you should install it as follows. Most people will not have such a certificate.
You will have received your certificate in the form of a .p12 file, along with a password which secures this file. When you import the certificate as described below, you have to unlock the .p12 file with this password.
- In Firefox, go to ‘Preferences’ » ‘Advanced’ » ‘Certificates’ » ‘View certificates’ » ‘Your certificates’ » ‘Import...’ and find the .p12 file. This sequence is broadly similar, but sometimes slightly different, in different Firefox versions, and in Thunderbird.
- On OS X, you can import this to Keychain Access with ‘File’ » ‘Import items...’
- On Windows, double-click on the .p12 file, and the Certificate Import Wizard does the Right Thing.
- On iOS devices, email the .p12 file to yourself as an attachment, read that email on the iOS device, and tap on the attachment. Remember that the .p12 file contains your private key and only its password protects it in transit, so delete the message once the certificate is installed. If you have the certificate within Keychain Access already, then you will first need to export it from there, by finding it in ‘My Certificates’, selecting it, selecting ‘File’ » ‘Export Items...’, ensuring that you choose the .p12 file format, and supplying a password.
You can discard the .p12 file and password after you have imported the key and certificate, because you should be able to export the key and certificate from within the certificate store at a later stage.
Creating your own key §
If you have a desperate urge to create your own key and have it signed, then first download the appropriate config file, and then create a key:
% openssl genrsa -aes256 -out fred-bloggs.key 2048
You will be asked to enter a password for the key. This is used only for protecting this key whilst you are waiting for the certificate to be signed, and before you import the key and signed certificate into your key/certificate manager.
Create the CSR:
% openssl req -new -config user-csr.cnf -key fred-bloggs.key -out fred-bloggs.csr
Accept the defaults for each item except the CommonName field, where you should enter your own name when prompted.
Then send the .csr file to Norman to be signed. The CSR contains only your public key and name, so it is safe to send; the .key file and its password stay with you. After the signed certificate is returned, check that it really is a certificate for your key, package the key and certificate together as a .p12 file (Firefox, Thunderbird and iOS import only that form), and import it as above (for which you have of course remembered the key password).
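The procedure above, carried through end to end, as an added example that is not part of the school's own instructions or scripts. It generates the encrypted key and CSR, then, standing in for the returned certificate, signs the CSR with a throwaway Root/Intermediate pair constructed here, checks that the certificate's public key matches the key and that it chains to the CA bundle, and packages key and certificate as a .p12. All file names, the stand-in for user-csr.cnf and the demo CA are assumptions; only openssl(1) is needed.

```shell
#!/bin/sh
# Added example (not the school's own tooling): the key/CSR round trip described
# above, plus the checks worth running on the certificate that comes back, and
# the .p12 packaging that the certificate stores expect.  Needs only openssl(1).
# Names are hypothetical; the school's user-csr.cnf is replaced by a minimal
# stand-in written by write_req_cnf.  Passwords are passed on the command line
# only to keep the example non-interactive; use the prompts for real keys.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req(1) config with prompting disabled; -subj supplies the actual DN.
write_req_cnf() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = unused\n' \
    >"$WORK/req.cnf"
}

# Step 1: encrypted RSA key and CSR.  The key password only guards the PEM
# file on disk until the key is imported into a certificate store.
gen_key_and_csr() {   # gen_key_and_csr <name> <common-name> <keypass>
  name=$1 cn=$2 keypass=$3
  write_req_cnf
  openssl genrsa -aes256 -passout "pass:$keypass" -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" -passin "pass:$keypass" \
    -subj "/C=GB/O=University of Glasgow/OU=Physics & Astronomy/CN=$cn" -out "$WORK/$name.csr"
}

# Step 2, once the signed certificate is returned: refuse to package it unless
# (a) its public key is the one we generated and (b) it chains to the CA bundle
# (Root plus Intermediate, exactly what the page says to install).
check_and_bundle() {  # check_and_bundle <name> <cert.pem> <ca-bundle.pem> <keypass> <p12pass>
  name=$1 cert=$2 cabundle=$3 keypass=$4 p12pass=$5
  keypub=$(openssl pkey -in "$WORK/$name.key" -passin "pass:$keypass" -pubout)
  certpub=$(openssl x509 -in "$cert" -noout -pubkey)
  [ "$keypub" = "$certpub" ] || { echo "$cert was not issued for $name.key" >&2; return 1; }
  openssl verify -CAfile "$cabundle" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $cabundle" >&2; return 1; }
  # OpenSSL 3 writes AES-256/PBKDF2 bundles; add -legacy if an old keychain rejects the file.
  openssl pkcs12 -export -inkey "$WORK/$name.key" -passin "pass:$keypass" -in "$cert" \
    -certfile "$cabundle" -name "$name" -passout "pass:$p12pass" -out "$WORK/$name.p12"
}

# Throwaway two-level CA standing in for the school's Root and Intermediate CA so
# the round trip can be exercised offline.  Constructed for this example only.
demo_ca_sign() {      # demo_ca_sign <csr> <out-cert> <out-bundle> <out-root-only>
  csr=$1 out=$2 bundle=$3 rootonly=$4
  write_req_cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$WORK/ca.ext"
  for ca in root int; do
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo $ca CA" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$out" 2>/dev/null
  cat "$WORK/int.pem" "$WORK/root.pem" >"$bundle"   # what the page's zip provides
  cp "$WORK/root.pem" "$rootonly"                  # a store with the Intermediate missing
}

# Whole round trip: make key and CSR, have the (demo) CA sign it, check and
# package the result.  Returns 0 only if every step, including both checks, passed.
demo_round_trip() {
  gen_key_and_csr fred-bloggs "Fred Bloggs" key-pass
  demo_ca_sign "$WORK/fred-bloggs.csr" "$WORK/fred-bloggs.pem" \
    "$WORK/phas-ca-bundle.pem" "$WORK/root-only.pem"
  check_and_bundle fred-bloggs "$WORK/fred-bloggs.pem" "$WORK/phas-ca-bundle.pem" key-pass p12-pass
  # With only the Root installed the chain is incomplete: this must fail.
  if check_and_bundle fred-bloggs "$WORK/fred-bloggs.pem" "$WORK/root-only.pem" key-pass p12-pass 2>/dev/null; then
    echo "unexpected: verified without the Intermediate CA" >&2; return 1
  fi
  # The .p12 must open with its password and carry an intact MAC.
  openssl pkcs12 -in "$WORK/fred-bloggs.p12" -passin pass:p12-pass -info -noout 2>/dev/null
}

demo_round_trip && echo "ok: $WORK/fred-bloggs.p12 is ready to import"
```

In real use you would call gen_key_and_csr, send the .csr to Norman, and run check_and_bundle on the returned certificate with the phas-ca-* files from the zip as the bundle; demo_ca_sign exists only so the script runs offline. The root-only check shows why the page tells you to install both CAs: a leaf certificate cannot be verified against the Root alone.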
If you have any questions, contact Norman Gray.
OpenSSH CA §
We run an OpenSSH CA to provide SSH certificates for a few IT users. The CA's public key is here. If you need to know more about this, talk to Norman.