Australian Access Federation Support Desk

How to import the AusCERT CA SSL certificate into your IdP SSL key store

by Paul Stepowski

NOTE: This issue has been fixed in both the production and test federations from 08/10/2013.


1.) Download the AusCERT CA SSL certificate

The URL for the AusCERT CA SSL certificate is:

http://crt.cs.auscert.org.au/AusCERTServerCA.crt

You can download the certificate using a web browser, or a tool like wget.

2.) Verify the authenticity of the AusCERT CA SSL certificate

It is crucial that you verify that the SSL certificate you have downloaded is genuinely the AusCERT CA certificate and has not been altered in transit (the download URL above is plain HTTP). To help you verify this, we have put a copy of the checksums for the certificate in this article.


Here are the MD5 and SHA1 checksums for the AusCERT CA SSL certificate:

MD5 = 01b51a12f1b413168610155e447a68c8
SHA1 = e0d026c7a8fb4182e643e25f9c66b35e5a86db1d

You can verify these checksums with utilities such as md5sum and sha1sum on Linux, or md5 and shasum on Mac OS X. Both values should match the downloaded file; if either one differs, do not import the certificate.

3.) Back up your JVM SSL key store before making any changes.

The location of the SSL key store depends on the operating system and JVM that you are using. On RHEL 6/CentOS 6 with OpenJDK 6, the key store is the file /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts, and /etc/pki/java/cacerts is a symbolic link to it.


It is a very good idea to take a copy of the key store before you modify it. If the modified key store turns out to be broken, you can simply copy the old file back into place and restart tomcat, which restores your old key store.

So make a backup copy of your old SSL key store:

cp /etc/pki/java/cacerts /etc/pki/java/cacerts.bak



4.) Import the PEM encoded SSL certificate into the key store for your JVM.

keytool -alias AusCERT-Server-CA -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -file AusCERTServerCA.crt



If you receive a warning that the key store already contains that certificate, you don't need to import it again and can answer "no" (this is the default).

5.) Restart your tomcat instance

service tomcat6 restart



This will make tomcat reload the JVM's updated SSL key store.
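The five steps above, carried out as one POSIX shell script. This is an added example, not a script from the AAF article or from AusCERT. It assumes wget, keytool and the tomcat6 service are available, uses the key store path, alias and default store password from the article, and picks md5sum/sha1sum or md5/shasum depending on which is installed. It refuses to import unless both published digests match, takes a timestamped backup so a second run cannot overwrite a good backup with a bad one, and skips the import when the alias is already present (the situation the article's warning describes).

```shell
#!/bin/sh
# Added example (not from the AAF article): download, verify, back up,
# import and restart, following the article's steps.
set -eu

CERT_URL="http://crt.cs.auscert.org.au/AusCERTServerCA.crt"
CERT_FILE="AusCERTServerCA.crt"
# Checksums as published in the article above.
EXPECTED_MD5="01b51a12f1b413168610155e447a68c8"
EXPECTED_SHA1="e0d026c7a8fb4182e643e25f9c66b35e5a86db1d"
# Key store path and alias from the article; override KEYSTORE in the
# environment for other JVM layouts.
KEYSTORE="${KEYSTORE:-/etc/pki/java/cacerts}"
ALIAS="AusCERT-Server-CA"

# Print the MD5 hex digest of a file, using md5sum (Linux) or md5 (macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the SHA-1 hex digest of a file, using sha1sum (Linux) or shasum (macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if BOTH digests of $1 match $2 (MD5) and $3 (SHA-1).
# A mismatch in either digest rejects the file.
verify_checksums() {
    file="$1"; want_md5="$2"; want_sha1="$3"
    got_md5="$(md5_of "$file")"
    got_sha1="$(sha1_of "$file")"
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $got_md5, expected $want_md5" >&2
        return 1
    fi
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA1 mismatch for $file: got $got_sha1, expected $want_sha1" >&2
        return 1
    fi
    return 0
}

# Copy the key store to a timestamped backup (permissions preserved) and
# print the backup path so the caller knows what to restore from.
backup_keystore() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$backup"
    echo "$backup"
}

# Import the certificate into key store $1 from file $2, unless the alias
# is already present (keytool -list exits non-zero for a missing alias).
import_cert() {
    if keytool -list -keystore "$1" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
        echo "alias $ALIAS already present in $1; nothing to import"
        return 0
    fi
    keytool -import -noprompt -trustcacerts -alias "$ALIAS" \
        -keystore "$1" -storepass changeit -file "$2"
}

main() {
    wget -O "$CERT_FILE" "$CERT_URL"                                   # step 1
    verify_checksums "$CERT_FILE" "$EXPECTED_MD5" "$EXPECTED_SHA1" || exit 1  # step 2
    echo "backup written to $(backup_keystore "$KEYSTORE")"            # step 3
    import_cert "$KEYSTORE" "$CERT_FILE"                               # step 4
    service tomcat6 restart                                            # step 5
}

# Only run the full procedure when invoked as "sh script.sh run", so the
# functions can be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root on the IdP host with `sh import-auscert-ca.sh run`. The verification functions are separated from the import so the digest check can be exercised on any file before the script is pointed at a live key store.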
