Jefferson Lab Root Certificate Authority -- Client Instructions

JLAB Windows domain systems receive the JLab root certificate by default and place it in the system-wide certificate trust store. Windows integrated applications use this trust store by default and so should not generate warnings regarding JLab issued certificates. Applications that do not use this common central certificate repository will need to have the certificate installed explicitly. Examples of such applications include Firefocx and Thunderbird.

Note: Some programs give you the option of adding an exception, or otherwise ignoring whatever warning condition is detected. Such exceptions should never be made unless you are very certain that the exception is safe. A far better approach is to install the JLab root certificate so that your system or application will accept certificates issued by JLab by default.

JLab Root Signing Certificate

• Certificate File (Base64 Encoded): JLabWinCA.crt
• Certificate File (Binary (DER) Encoded): JLabWinCA.cer
• Fingerprint: e4 9e bf 21 a0 a2 59 2c 8b 2a 21 44 1e 4e 53 f3 f0 d8 fb e7

  Depending on the program, the fingerprint is sometimes shown with colons between
  each pair of digits. This does not constitute a mismatch, it is simply 
  an attempt to make it easier to read.
  
  Both of the links above are for the same certificate in two different formats. You only
  need one or the other in any single system or application. Both formats are provided to make it 
  easier in cases where you have a system that prefers one format over the other.

• (Base64) -- /site/etc/openssl/JLabWinCA.crt (on Windows systems, this is K:\etc\openssl\JLabWinCA.crt)
• (Binary) -- /site/etc/openssl/JLabWinCA.cer (on Windows systems, this is K:\etc\openssl\JLabWinCA.cer)

Instructions

Instructions are provided below for Thunderbird, and several common web browsers -- Firefox, Internet Explorer and Chrome. Instructions are also provided for subversion. Instructions for other applications will be added if needed.

Step 1 -- Download and save the certificate for installation

• To save on your desktop, right-click the link above and select "Save Link As"
• Navigate to a convenient location and save the file

Step 2 -- Install the certificate in Common Applications

• Click the Certificate File link above. You will get the Certificate Download dialog box.
• Check all three check boxes, indicating that this certificate should be trusted to:
  • identify Web Sites
  • identify email users
  • identify software developers
• Click the "view" button to examine the certificate to compare the SHA1 fingerprint against that provided above.
• Click "OK" to complete the installation.

• From within Thunderbird, go to Tools -> Options.
• Click on the "Advanced" tab near the top of the dialog box.
• Click on the "Certificates" sub-tab.
• Click the "View Certificates" button
• Select the "Authorities" tab.
• Click the "Import" button to import the file you saved previously.
• Navigate to the file you saved previously and click OK to open it.
• You will get a new dialog box with check boxes allowing you to indicate which purposes this certificate should be trusted for. Check all three boxes.
• Click the view button and compare the "SHA1 Fingerprint" to the value shown above. If they do not match, cancel the import operation and contact the helpdesk
• Once you have confirmed the fingerprint value, click close, then OK on the previous dialog to complete the import operation. Then, click OK on the Certificate Manager dialog and, finally click OK on the options dialog box to return to Thunderbird.

Edge is Microsoft's new web browser that is available in Windows 10. For JLab Domain Windows systems, the certificate shoudl be installed by default, so you should not need to perform these steps.

When you click on the certificate link provided above, Edge will download the file by default and save it in your Downloads directory. Once the donwload is complete, you should get a dialog bar at the bottom of the browser windows askign whether you wish to open the file or View Downloads.

• Click the "Open" button in the dialog bar
• You will get a window providing information about the new certificate.
• Select the "details" tab at the top to compare the SHA1 thumbprint to the one provided above.
• After confirming the fingerprint, click the "General" tab
• Click "Install Certificate" near the bottom.
• A wizard will start to install the certificate.
• You will be prompted for which "Certificate Store" should be used for the certificate. Select "Place all certificates in the following store"
• Click "browse" and select the "Trusted root certification authorities"
• Click next, then finish to complete the import

With IE, when you click on the URL link above, you will get a dialog asking to open or save the file.

• Click on the link above and when asked, select "open"
• You will get a window providing information about the new certificate.
• Select the "details" tab at the top to compare the SHA1 thumbprint to the one provided above.
• After confirming the fingerprint, click the "General" tab
• Click "Install Certificate" near the bottom.
• A wizard will start to install the certificate.
• You will be prompted for which "Certificate Store" should be used for the certificate. Select "Place all certificates in the following store"
• Click "browse" and select the "Trusted root certification authorities"
• Click next, then finish to complete the import

Chrome uses the same set of Certificates as IE. So, if you've installed the certificate for Internet Explorer, it is not necessary to install it in Chrome. If you use Chrome but not IE, the process of installing it is similar --

• Click on the link above
• Chrome will start the download and let you know that this type of file can be harmful. asking you to confirm your desire to doanload and keep the file -- select "Keep"
• At the bottom of the Chrome window, you will see the downloaded file, with a drop down arrow allowing you to choose to open the file -- select "Open"
• You will get a window providing information about the new certificate.
• Select the "details" tab at the top to compare the SHA1 thumbprint to the one provided above.
• After confirming the fingerprint, click the "General" tab
• Click "Install Certificate" near the bottom.
• A wizard will start to install the certificate.
• You will be prompted for which "Certificate Store" should be used for the certificate. Select "Place all certificates in the following store"
• Click "browse" and select the "Trusted root certification authorities"
• Click next, then finish to complete the import

Installing the JLab Root Certificate into your Subversion Configuration

By installing the JLab root certificate into your subversion configuration, subversion will inherently trust certificates that are issued by the JLab PKI as long as they match the name you asked to connect to, they are within their validity period and have not been revoked (assuming your subversion client performs revocation checking). This is useful since certificates expire and must be replaced from time to time and such changes will trigger warnings if you explicitly trusted the individual server certificate previously by telling subversion to accept the certificate permanently.

To install the jlab root certificate into subversion --

• Download and save the root certificate using the link near the top of the page
• Copy the certificate file to a convenient location (like the .subversion subdirectory in your home directory> saving it as "JLabWinCA.crt"
• edit the "servers" file in your subversion directory
• Add a line in the global section of the servers file like
  

  ssl-authority-files = /home/yourusername/.subversion/JLabWinCA.crt

• Note: If you already have an ssl-authority-files entry defined in your subversion config, add the path to theh JLabWinCA.crt file, separating it from the previous entry with a semicolon

Connecting Without Installing the Jlab Root Certificate into Subversion

Error validating server certificate for 'https://someserver.jlab.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: someserver
 - Valid: from Mon, 11 Jul 2016 13:04:04 GMT until Tue, 09 Jul 2019 16:26:29 GMT
 - Issuer: jlab, org
 - Fingerprint: <hex fingerprint>
(R)eject, accept (t)emporarily or accept (p)ermanently?

You can choose to reject the connection, or accept it temporarily (for this session only), or accept it permanently. The last option stores the certificate into your subversion configuration so that if you connect to the same server again, you will not be prompted.

The fingerprint given is the fingerprint of the subversion server"s certificate -- not of the root certificate provided above. So, you should compare the thumbprint provided to the thumbprint below for the particular server you are connecting to.

SHA1 Fingerprints for current certificates of JLab https subversion servers is provided below