wiki:IamProjectCerts
Last modified on 07/23/13 18:31:40

IAM Project SSL Certs

This page describes the various SSL certs used in IAM infrastructure, their purpose, installed locations, and expiration dates. See Certificate Management for certificate alias names, useful keytool commands and references to certificates attached for IAM supported applications.

Cert                 | Type                   | Purpose                       | Installed                                | File Path                                          | Expiration
---------------------|------------------------|-------------------------------|------------------------------------------|----------------------------------------------------|-----------
idp.alaska.edu       | InCommon               | Shibboleth Front Channel      | Howkan, Heald, Hanin                     |                                                    | 2013/09/11
idp.alaska.edu       | Self Signed            | Shibboleth Back Channel       | Howkan, Heald, Hanin                     | /opt/shibboleth-idp/metadata/InCommon-metadata.xml | 2014/07/06
edir.alaska.edu      | InCommon               | EDIR LDAP Web/LDAP Interfaces | Eklutna, Edgar, Egegik, Elias, idmp[0-7] |                                                    | 2015/02/05
edir.alaska.edu      | UA-OIT                 | EDIR LDAP Web/LDAP Interfaces | Eklutna                                  |                                                    | 2009/09/19
edir.alaska.edu      | UA-OIT                 | EDIR LDAP Web/LDAP Interfaces | Edgar                                    |                                                    | 2009/12/22
edir.alaska.edu      | UA-OIT                 | EDIR LDAP Web/LDAP Interfaces | Egegik                                   |                                                    | 2009/12/15
edir.alaska.edu      | UA-OIT                 | EDIR LDAP Web/LDAP Interfaces | Elias                                    |                                                    | 2009/07/01
idmq[1-2].alaska.edu | InCommon               | UAOnline LDAP/PSP Interfaces  | idmq[1-2]                                |                                                    | 2013/10/04
authserv.alaska.edu  | InCommon               | AuthServ Web Interface        | Eklutna, Edgar, Egegik, Elias            |                                                    | 2013/08/15
casshib.alaska.edu   | InCommon               | CASSHIB Web Interface         | Alligator                                | /etc/httpd/certs.local/casshib.crt                 | 2013/10/25
casshib.alaska.edu   | InCommon               | CASSHIB Web Interface         | Amazon                                   | /etc/pki/tls/certs/casshib.crt                     | 2013/10/25
nah.alaska.edu       | InCommon               | Radius Web Interface          | Nah                                      | /etc/pki/tls/certs/server.crt                      | 2016/02/06
nadina.alaska.edu    | InCommon               | Radius Web Interface          | Nadina                                   |                                                    | 2013/09/16
iam.alaska.edu       | InCommon               | IAM Wiki                      | Iron, Inner                              |                                                    | 2013/06/06
people.alaska.edu    | InCommon               | People (& Department) Search  | pyrite, patton, nowhere                  |                                                    | 2014/02/18
cas.alaska.edu       | InCommon               | CAS Service Registry          | pending                                  |                                                    | pending
cas.alaska.edu       | UA-OIT Windows AD root | CAS AD Authentication         | pending                                  |                                                    | pending
cas.alaska.edu       | UA-OIT Windows AD PROD | CAS AD Authentication         | pending                                  |                                                    | pending
cas-lrgp.alaska.edu  | InCommon               | CAS Service Registry          | agouti                                   | /fs/cas/private/cas-lrgp.jks                       | 2028/12/31
cas-lrgp.alaska.edu  | UA-OIT Windows AD root | CAS AD Authentication         | agouti                                   | /fs/cas/private/cas-lrgp.jks                       | 2022/03/18
cas-lrgp.alaska.edu  | UA-OIT Windows AD LRGP | CAS AD Authentication         | agouti                                   | /fs/cas/private/cas-lrgp.jks                       | 2015/07/16
cas-test.alaska.edu  | InCommon               | CAS Service Registry          | anteater                                 | /fs/cas/private/cas-test.jks                       | 2028/12/31
cas-test.alaska.edu  | UA-OIT Windows AD root | CAS AD Authentication         | anteater                                 | /fs/cas/private/cas-test.jks                       | 2022/11/12
cas-test.alaska.edu  | UA-OIT Windows AD TEST | CAS AD Authentication         | anteater                                 | /fs/cas/private/cas-test.jks                       | 2014/02/19
cas-dev.alaska.edu   | InCommon               | CAS Service Registry          | anaconda                                 | /usr/lib/jvm/java/jre/lib/security/cacerts         | 2028/12/31
cas-dev.alaska.edu   | UA-OIT Windows AD root | CAS AD Authentication         | anaconda                                 | /usr/lib/jvm/java/jre/lib/security/cacerts         | 2022/11/12
cas-dev.alaska.edu   | UA-OIT Windows AD TEST | CAS AD Authentication         | anaconda                                 | /usr/lib/jvm/java/jre/lib/security/cacerts         | 2014/02/19
cas-prep.alaska.edu  | pending                | pending                       | pending                                  | pending                                            | pending
cas-regx.alaska.edu  | pending                | pending                       | pending                                  | pending                                            | pending

NOTES:

  • For CAS certificate installation procedures, see Trusted Certificates for Successful CAS Authentication at UA
  • The following procedure was followed to determine the status of certificates on each server. Using the command shown below, OpenSSL commands were issued to each functional identity, followed by an OpenSSL command to the actual server host name. I.e., idp.alaska.edu followed by hanin.alaska.edu, heald.alaska.edu, and howkan.alaska.edu.
  • The following hosts have updated certificates using OpenSSL but outdated certificate files: hanin, howkan, heald (May 19 12:58:29 2012 GMT)
  • The following hosts had different Certificate responses from their InCommon identity, i.e., edir.alaska.edu produced the certificate shown while the following hosts associated with that domain had different certificates: Eklutna, Edgar, Egegik, Elias
  • The following hosts are unreachable via OpenSSL within the UA-OIT firewall network. A test must be run from within RPTP.alaska.edu: idmp[0-7], idmq[1,2], idmt[0,1], Inner, Pyrite, Patton, Nowhere
  • Via OpenSSL, Amazon provides the same certificate as alligator.alaska.edu and idp.alaska.edu. The location of the CRT however, is unknown. The certificate expiration date provided at /etc/httpd/certs/amazon-casshib.crt is 2012/09/29.

Quick SSL Cert How Tos

  • Generate CSR and submit request to InCommon Cert Service
    1. Generate CSR with OpenSSL
      john@fearless:~/Documents/Security/Certs$ openssl req -new -newkey rsa:2048 -nodes -keyout idmq-2.alaska.edu.key -out idmq-2.alaska.edu.csr
      
      Use the following values:
      OU = OIT Identity and Access Management
      O = University of Alaska Statewide System
      L = Fairbanks
      ST = AK
      C = US
      CN = somehost.alaska.edu
      emailAddress = iam@alaska.edu
      
    2. Submit CSR
      https://cert-manager.com/customer/InCommon/ssl?action=enroll
    3. Use IAM credentials for submission
      IAM Credentials
  • Get subject, issuer, and expiration date from a server.
    john@fearless:~$ openssl s_client -host idp.alaska.edu -port 443 2>&1 | openssl x509 -subject -issuer -enddate | head -n 3
    subject= /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
    issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
    notAfter=Sep 11 23:59:59 2013 GMT
    
  • Verify certificate chain with CA root public cert:
    john@fearless:~$ openssl s_client -CAfile /home/john/Desktop/AddTrustExternalCARoot.crt -showcerts -verify 5 -host idp.alaska.edu -port 443
    verify depth is 5
    CONNECTED(00000003)
    depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    verify return:1
    depth=1 /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
    verify return:1
    depth=0 /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
       i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
     1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    subject=/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
    issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4348 bytes and written 279 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID: 4E8368600B06F46B5B2E80574C2AF7B4987EF977A950D0A515EBF6CE4EA5E4F2
        Session-ID-ctx: 
        Master-Key: 18E20D11AD058288CCD57C0F77F0349442426F8880F112E596E65A3F84FCEAD90C0991EEC9EA2DF8ABA0BAC93F2E9FD0
        Key-Arg   : None
        Start Time: 1317234784
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    
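The status sweep described in the NOTES (query each functional identity, then each host behind it, and compare what they serve), as an added Python example that is not part of the original wiki page: it wraps the same `openssl s_client | openssl x509` pipeline from the how-to, adds a SHA-256 fingerprint line so backing hosts can be compared with their functional name, and reports the expiration date and days remaining. The HOSTS mapping is built from the table above, the sample output is constructed from the how-to, and the helper names are my own.

```python
import subprocess
from datetime import datetime, timezone

# Functional identity -> backing hosts, taken from the table above (constructed mapping).
HOSTS = {
    "idp.alaska.edu": ["howkan.alaska.edu", "heald.alaska.edu", "hanin.alaska.edu"],
    "edir.alaska.edu": ["eklutna.alaska.edu", "edgar.alaska.edu",
                        "egegik.alaska.edu", "elias.alaska.edu"],
}
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # openssl notAfter layout, e.g. "Sep 11 23:59:59 2013 GMT"
# Constructed sample of the x509 summary for idp.alaska.edu (subject/issuer/date from the how-to).
SAMPLE_OUTPUT = (
    "subject= /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System"
    "/OU=OIT Identity and Access Management/CN=idp.alaska.edu\n"
    "issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA\n"
    "notAfter=Sep 11 23:59:59 2013 GMT\n"
    "SHA256 Fingerprint=AA:BB:CC:DD\n")  # fingerprint value is made up

def fetch_x509_text(host, port=443):
    """Same pipeline as the how-to; -noout drops the PEM body, -fingerprint -sha256 adds a compare key."""
    conn = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
                          input=b"", capture_output=True, timeout=15)
    summary = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate",
                              "-fingerprint", "-sha256"], input=conn.stdout, capture_output=True, timeout=15)
    return summary.stdout.decode()

def parse_x509_text(text):
    """Turn the key=value lines of openssl x509 output into a dict; notAfter becomes a UTC datetime."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip()
    if "notAfter" in info:
        info["notAfter"] = datetime.strptime(info["notAfter"], OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return info

def fingerprint(info):
    """The line is 'SHA256 Fingerprint=...' on older OpenSSL and 'sha256 Fingerprint=...' on 3.x."""
    return next((v for k, v in info.items() if k.lower().endswith("fingerprint")), None)

def check_identity(functional, backing, fetch=fetch_x509_text, now=None):
    """Expiry of the functional name's cert plus the backing hosts whose served cert differs from it."""
    now = now or datetime.now(timezone.utc)
    ref = parse_x509_text(fetch(functional))
    mismatched = [h for h in backing if fingerprint(parse_x509_text(fetch(h))) != fingerprint(ref)]
    return {"functional": functional, "notAfter": ref["notAfter"].strftime("%Y/%m/%d"),
            "days_left": (ref["notAfter"] - now).days, "mismatched": mismatched}
```

Call check_identity(name, hosts) for each entry in HOSTS from inside the UA-OIT network (or from RPTP.alaska.edu for the hosts the NOTES list as unreachable); with the default fetch it runs the live openssl queries, and passing a stand-in fetch that returns text like SAMPLE_OUTPUT exercises the parsing and comparison offline.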