This root certificate may be used as a one-time install
to eliminate certificate alerts on TRIUMF secure websites.
It will only be used to certify legitimate TRIUMF services.
For Server Administrators:
This root certificate may be used
to certify secure (SSL) webservers and services at TRIUMF. Once installed in a browser, any
certificate signed by it will automatically be trusted, and secure pages will display
with no certificate warnings.
This CA can only be used for the triumf.ca domain.
This CA should not be used to certify financial services, or
services directed at the general public.
How to use this CA:
The procedure is the same as obtaining a certificate from a commercial certificate authority.
Generate an SSL key and Certificate Request (Linux):
openssl req -new -nodes -newkey rsa:2048 -out your.csr -keyout your.key
The Country must be CA
The State must be BC
The Organisation must be TRIUMF
Note that the defaults may be changed in openssl.cnf
The Organisational Unit should be your division
For a webserver certificate, the "common name" must be the FQDN (example.triumf.ca) of the server or virtual machine.
For multiple virtual hosts (x.triumf.ca,y.triumf.ca etc.) on one ip address, use a wildcard *.triumf.ca
For an email or software certificate, the "common name" should be your name
We now recommend a 2048-bit key; this may be preset in /etc/pki/tls/openssl.cnf.
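The CSR steps above, as an added example (not part of the TRIUMF page): the key and request are generated non-interactively with the subject values the CA requires, and a check function confirms the CSR meets those rules before it is submitted. The hostname example.triumf.ca and division "Computing" are constructed values; the fixed C/ST/O fields and the 2048-bit key size come from the page.

```shell
#!/bin/sh
# Added example: generate a key + CSR with the TRIUMF CA's required subject
# fields, then check the CSR before pasting it into the helpdesk ticket.
set -eu

# make_csr FQDN DIVISION KEYFILE CSRFILE
# -subj avoids the interactive prompts; C, ST and O are fixed by the CA.
make_csr() {
    fqdn=$1; division=$2; keyfile=$3; csrfile=$4
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=CA/ST=BC/O=TRIUMF/OU=${division}/CN=${fqdn}" \
        -keyout "$keyfile" -out "$csrfile" 2>/dev/null
    chmod 600 "$keyfile"   # only the CSR is sent; the key stays on the server
}

# check_csr CSRFILE: returns 0 if the request meets the CA's rules, 1 otherwise
check_csr() {
    csrfile=$1
    # Subject as one "attr=value" per line (RFC 2253 form) for simple matching
    fields=$(openssl req -noout -subject -nameopt RFC2253 -in "$csrfile" \
             | sed 's/^subject= *//' | tr ',' '\n')
    echo "$fields" | grep -qx 'C=CA'     || { echo "Country must be CA";          return 1; }
    echo "$fields" | grep -qx 'ST=BC'    || { echo "State must be BC";            return 1; }
    echo "$fields" | grep -qx 'O=TRIUMF' || { echo "Organisation must be TRIUMF"; return 1; }
    # CN must be a triumf.ca name; a wildcard such as *.triumf.ca also passes
    echo "$fields" | grep -q '^CN=.*\.triumf\.ca$' \
        || { echo "Common name must be in the triumf.ca domain"; return 1; }
    # Key size: the page recommends 2048 bits
    bits=$(openssl req -noout -text -in "$csrfile" \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "Key must be at least 2048 bits"; return 1; }
    # The CSR's self-signature must verify (output text differs across OpenSSL
    # versions, so match the common "verify OK" rather than the exit code)
    openssl req -noout -verify -in "$csrfile" 2>&1 | grep -q 'verify OK' \
        || { echo "CSR signature does not verify"; return 1; }
    return 0
}

# Demo with constructed values; in real use the CSR then goes to the
# "Certificate Request" queue on helpdesk.triumf.ca
workdir=$(mktemp -d)
make_csr "example.triumf.ca" "Computing" "$workdir/example.key" "$workdir/example.csr"
check_csr "$workdir/example.csr" && echo "CSR ready to submit: $workdir/example.csr"
```

Paste the contents of the generated .csr file (PEM, from "-----BEGIN CERTIFICATE REQUEST-----" to the END line) into the ticket; the .key file is never sent.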
Create a ticket in the "Certificate Request" queue on helpdesk.triumf.ca.
Paste the PEM-encoded CSR into the "describe the issue" text box.
or
Mail the CSR to
using your TRIUMF email account.
Do not send the key.
The default validity is 1 year; if you want longer, please ask.
A CA manager will sign the CSR and email back a certificate.
Alternatively, a CA manager may on request issue you both a key and signed certificate.
For the Apache webserver:
Place the key in (typically) /etc/httpd/conf/ssl.key/
Place the certificate in /etc/httpd/conf/ssl.crt/
Edit /etc/httpd/conf.d/ssl.conf and set SSLCertificateFile, SSLCertificateKeyFile
appropriately.
Restart the webserver ("service httpd restart"). "reload" is insufficient if there
are SSL changes.
Note that the hostname must match exactly - users will get an alert if they enter a short name.
So it is a good idea to redirect "https://blah" to "https://blah.triumf.ca", thus
discouraging users from bookmarking or linking the short name.
For imapd etc. using the OpenSSL libraries:
Concatenate the signed server cert and key into imapd.pem on the server:
cat your.2006.key your.2006.crt > /etc/pki/tls/certs/imapd.pem
For sendmail:
Specify ServerCertFile in sendmail.cf containing the certificate
Specify ServerKeyFile in sendmail.cf containing the key
Append the CA certificate (triumfca.pem) to certs/ca-bundle.crt on the client, e.g.
openssl x509 -text -noout -in triumfca.pem >> /etc/pki/tls/certs/ca-bundle.crt
cat triumfca.pem >> /etc/pki/tls/certs/ca-bundle.crt
(The first command appends a human-readable dump of the certificate, the second the PEM block itself; older systems use /usr/share/ssl/certs/ca-bundle.crt.)
Specify CACertFile in sendmail.cf containing ca-bundle.crt
Restart sendmail.
To keep track of certificates, you might name them e.g. "servername.year.crt",
"servername.year.key"
To display a certificate, use
openssl x509 -text -noout -in your.crt
To display a key, use
openssl rsa -text -noout -in your.key
To display a CSR, use
openssl req -text -noout -in your.csr
To debug an SMTP server using TLS, use
openssl s_client -showcerts -starttls smtp -connect some.triumf.ca:25