TRIUMF Certificate Authority
Other Clients:
Click the "Download Root Certificate" button on ca.triumf.ca
- Konqueror: click "open", select "signer" "...TRIUMF Certificate Authority", click "Import"
- Opera: Click "View", uncheck "warn me", click "install", click "OK"
The certificate should have the following fingerprints:
SHA1: 0C:CA:3D:69:78:81:15:48:75:53:65:8A:D9:24:30:3A:90:EA:32:F9
MD5: 8C:70:20:D5:46:39:4E:4F:B8:54:01:F7:0B:58:7E:B8
- For Pine/Alpine or other applications using the Linux OpenSSL libraries:
  - For CentOS 7:
    - Download the CA certificate (PEM format) into /etc/pki/ca-trust/source/anchors
    - Run "update-ca-trust extract"
  - On newer systems, install the triumf-cacert-openssl RPM, which avoids modifying the default bundle;
    the bundle may occasionally be changed by security updates, as in Sept 2011 (DigiNotar).
    See TRIUMF rpms
  OR
  - Download the CA certificate (PEM format)
  - Append it to certs/ca-bundle.crt on the client; e.g.
      openssl x509 -text -noout -in triumfca.pem >> /etc/pki/tls/certs/ca-bundle.crt
      cat triumfca.pem >> /etc/pki/tls/certs/ca-bundle.crt
    (older systems use /usr/share/ssl/certs/ca-bundle.crt)
  - Create the hash link, e.g.
      # cd /etc/pki/tls/certs
      # openssl x509 -in triumfca.pem -noout -hash (gives e.g. dc3018f7)
      # ln -s triumfca.pem dc3018f7.0
    Note that on some systems triumfca.pem should be renamed triumfca.crt
  - Debian may use /etc/ssl/certs:
      # cd /etc/ssl/certs
      # cat triumfca.crt >> ca-certificates.crt
      # ln -s triumfca.crt dc3018f7.0
- For Acroread or other applications requiring DER certificates:
  - Download the CA certificate (DER format)
  - Install as required
- For OpenLDAP clients (ldapsearch):
  - Install the triumf-cacert-openssl RPM, if missing (it adds triumfca.pem and makes a link to the TRIUMF certificate as /etc/pki/tls/certs/xxxx.0)
  - In /etc/openldap/ldap.conf, set
      TLS_CACERTDIR /etc/pki/tls/certs
      TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
- For OpenLDAP clients (SL/CENTOS 6), using NSS rather than OpenSSL:
  as above, or:
  - Execute
      certutil -d /etc/openldap/certs -A -n 'TRIUMF Certificate Authority' -t C,C,C -i /etc/pki/tls/certs/triumf.ca.pem
    This adds the TRIUMF certificate authority to the NSS database /etc/openldap/certs/cert8.db
Note: In Opera, the padlock may not appear in the status bar on certified pages, although "page properties" show as secure.
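
Before a downloaded certificate is appended to a CA bundle as described above, its fingerprint can be compared with the published SHA1 value. The following is an added example, not part of the original page or of TRIUMF's tooling; it uses Python's standard library instead of the openssl command, and the function names and the constructed sample PEM are assumptions made for illustration.

```python
"""Check a downloaded CA certificate against a published fingerprint before trusting it."""
import base64
import hashlib
import hmac
import re

# SHA1 fingerprint as published on this page for the TRIUMF CA certificate.
PUBLISHED_SHA1 = "0C:CA:3D:69:78:81:15:48:75:53:65:8A:D9:24:30:3A:90:EA:32:F9"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # A file holding several blocks would add extra trust anchors unnoticed.
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def fingerprint(der, algo="sha1"):
    """Format the digest as colon-separated upper-case hex pairs."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_published(pem_text, published, algo="sha1"):
    """True only if the certificate's fingerprint equals the published one."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", published).upper()
    actual = fingerprint(pem_to_der(pem_text), algo).replace(":", "")
    return hmac.compare_digest(actual, wanted)

def append_if_trusted(pem_text, published, bundle_path):
    """Append the certificate to bundle_path, refusing on any mismatch."""
    if not matches_published(pem_text, published):
        raise ValueError("fingerprint mismatch: certificate not installed")
    with open(bundle_path, "a", encoding="ascii") as bundle:
        bundle.write(pem_text.strip() + "\n")

# Constructed sample: placeholder bytes in a PEM wrapper, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder bytes").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint(pem_to_der(SAMPLE_PEM)))
    print(matches_published(SAMPLE_PEM, PUBLISHED_SHA1))
```

With the real triumfca.pem, append_if_trusted(open("triumfca.pem").read(), PUBLISHED_SHA1, bundle_path) writes to the bundle only when the download matches the fingerprint listed above.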