Grid certification authority issues

  • 4Q2011: From 1st October 2011, new and renewal certificates are being signed by the eScience 2B CA certificate. The existing eScience 2 CA certificate expires in October 2012 and so cannot sign user certificates which will expire after that date. You need to install the eScience 2B CA certificate in your browser so that your new or renewed certificate will work with web sites.

    In addition, the experiment-related VOMS registers not only your DN but also the authority which signed your certificate. For a renewal, your DN will not have changed, but your signing authority has. You will need to go through a special procedure with the VOMS administrators so that your old certificate and its signing authority are removed from the VOMS; you can then re-register with the VOMS via this ATLAS link, and probably similarly for other VOs.

  • 2Q2008: Updated CA and Root certificates: after the Debian/Ubuntu SSL security issue, in May 2008, e-Science CA issued some "re-keyed" CA certificates. You can check if you have the right certificates in your browser by going to Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities, scrolling to the bottom where it should say e-Science CA and e-Science Root, selecting View and looking at the SHA1 Fingerprint.

    According to http://osct.web.cern.ch/osct/alerts/openssl-16-05-2008.txt:

        Good fingerprints of the updated certificates are:
    
        $ openssl x509 -subject -fingerprint -sha1 -noout -in 98ef0ee5.0
        
        subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
        SHA1   = A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
    
        $ openssl x509 -subject -fingerprint -sha1 -noout -in 367b75c3.0
    
        subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
        SHA1   = CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7
    
        whereas the weak certificates are:
    
        subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
        SHA1   = B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45
    
        subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
        SHA1   = 31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA
        
    As a quick memory aid, note that the SHA1 fingerprint starts with an odd hexadecimal digit for the weak ones, and an even hexadecimal digit for the good ones (as it so happens!). If you have the old weak certificates, then for your browser to work properly with certain web sites, it's important to delete these old eScience Authority certificates (but not your own certificate!) and then import the current eScience Authority certificates using the links near the top of our Personal grid certificates page.

  • 4Q2007: Old and new certificates: there was a change in the CA name and certificate used by UK eScience in 4Q2007, after the private keys for those certificates "escaped" from a safe (allegedly). You can see which CA issued your certificate as follows:
     
        $ openssl  x509 -in $HOME/.globus/usercert.pem -noout -issuer
        Response for old CA:
        issuer= /C=UK/O=eScienceCA/OU=Authority/CN=CA
        Response for new CA:
        issuer= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
        
    This can also be checked by viewing the certificate in your browser.
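
The 2Q2008 fingerprint check above can be scripted for a directory of CA files instead of being read by eye in the browser. This is an added example, not part of the original page or the e-Science CA's own tooling; the function names and the directory argument are assumptions, and the four fingerprints are the ones quoted above.

```bash
#!/usr/bin/env bash
# Added example: classify UK e-Science CA certificates by SHA1 fingerprint.
# The four fingerprints are the ones quoted on this page from the OSCT alert.
GOOD_FPS="A139B0F3046C0BF9F50A1B3300064F836B7D4F3E
CA1CB66CA9E3274DF73EA9EB6A333FC1A2B1B8D7"
WEAK_FPS="B1775EBB1113B4B50E4057F1E06ABEB94E44B745
31C1933DE89CC4B78A02B52D56D56B43560B9FCA"

# Reduce a fingerprint line ("SHA1   = A1:39:..", "SHA1 Fingerprint=a1:39:..")
# to 40 upper-case hex digits. Fails if the result is not a SHA1 digest.
normalize_fp() {
    local fp
    fp=$(printf '%s' "${1##*=}" | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]')
    case "$fp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# Print good, weak, unknown or invalid for one fingerprint line.
classify_fp() {
    local fp
    fp=$(normalize_fp "$1") || { echo invalid; return 0; }
    if printf '%s\n' "$GOOD_FPS" | grep -qxF "$fp"; then echo good
    elif printf '%s\n' "$WEAK_FPS" | grep -qxF "$fp"; then echo weak
    else echo unknown
    fi
}

# Audit every hash-named *.0 file in a CA directory (the directory is an
# assumption: pass your own). Returns 1 if a weak certificate is present.
audit_ca_dir() {
    local dir=$1 f line verdict rc=0
    for f in "$dir"/*.0; do
        [ -f "$f" ] || continue
        line=$(openssl x509 -fingerprint -sha1 -noout -in "$f" 2>/dev/null) || continue
        verdict=$(classify_fp "$line")
        printf '%-8s %s\n' "$verdict" "$f"
        if [ "$verdict" = weak ]; then rc=1; fi
    done
    return "$rc"
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_ca_dir "$1"; fi
```

Certificates from other authorities in the same directory are reported as unknown, since only the four e-Science fingerprints listed above are compared.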

L.S.Lowe