== [[https://iam.alaska.edu/projects|Projects]] / IAM Project SSL Certs == This page describes the various SSL certs used in IAM infrastructure, their purpose, installed locations, and expiration dates. == Host/Cert Matrix == ||= Cert =||= Type =||= Purpose =||= Installed =||= Expiration =|| ||idp.alaska.edu||!InCommon||Shibboleth Front Channel||Howkan, Heald, Hanin||2013/09/11|| ||idp.alaska.edu||Self Signed||Shibboleth Back Channel||Howkan, Heald, Hanin||2014/07/06|| ||edir.alaska.edu||!InCommon||EDIR LDAP Web/LDAP Interfaces||Eklutna, Edgar, Egegik, Elias, idmp![0-7]||2013/02/04|| ||idmq![1-2].alaska.edu||!InCommon||UAOnline LDAP/PSP Interfaces||idmq![1-2]||TBD|| ||authserv.alaska.edu||!InCommon||!AuthServ Web Interface||Eklutna, Edgar, Egegik, Elias||2013/08/15|| ||casshib.alaska.edu||!InCommon||CASSHIB Web Interface||Amazon, Alligator||2013/10/25|| ||nah.alaska.edu||!InCommon||Radius Web Interface||Nah||2013/02/09|| ||nadina.alaska.edu||!InCommon||Radius Web Interface||Nadina||2013/02/09|| ||iam.alaska.edu||!InCommon||IAM Wiki||Iron, Inner||2013/06/06|| == Quick SSL Cert How Tos == * Generate CSR and submit request to !InCommon Cert Service 1. Generate CSR with OpenSSL {{{ john@fearless:~/Documents/Security/Certs$ openssl req -new -newkey rsa:2048 -nodes -keyout idmq-2.alaska.edu.key -out idmq-2.alaska.edu.csr }}} Use the following values: {{{ OU = OIT Identity and Access Management O = University of Alaska Statewide System L = Fairbanks ST = AK C = US CN=somehost.alaska.edu/emailAddress=iam@alaska.edu }}} 2. Submit CSR[[br]] https://cert-manager.com/customer/InCommon/ssl?action=enroll 3. Use IAM credentials for submission[[br]] [[raw-attachment:iam_incommon_pin.asc|IAM Credentials]][[BR]] * Get subject, issuer, and expiration date from a server. {{{ john@fearless:~$ openssl s_client -host idp.alaska.edu -port 443 2>&1 | openssl x509 -subject -issuer -enddate | head -n 3 subject= /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA notAfter=Sep 11 23:59:59 2013 GMT }}} * Verify certificate chain with CA root public cert: {{{ john@fearless:~$ openssl s_client -CAfile /home/john/Desktop/AddTrustExternalCARoot.crt -showcerts -verify 5 -host idp.alaska.edu -port 443 verify depth is 5 CONNECTED(00000003) depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify return:1 depth=1 /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA verify return:1 depth=0 /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu verify return:1 --- Certificate chain 0 s:/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA -----BEGIN CERTIFICATE----- MIIFLjCCBBagAwIBAgIRAL7m1JR/Jf3um7I+F/71p7wwDQYJKoZIhvcNAQEFBQAw UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTAeFw0xMTA5MTIwMDAw MDBaFw0xMzA5MTEyMzU5NTlaMIGkMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQUsx EjAQBgNVBAcTCUZhaXJiYW5rczEuMCwGA1UEChMlVW5pdmVyc2l0eSBvZiBBbGFz a2EgU3RhdGV3aWRlIFN5c3RlbTErMCkGA1UECxMiT0lUIElkZW50aXR5IGFuZCBB Y2Nlc3MgTWFuYWdlbWVudDEXMBUGA1UEAxMOaWRwLmFsYXNrYS5lZHUwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFJjT7PCqiV9QFBb1ba/CSLhJssdA9 KNRVoYX1U5Y6v00RwGMD2tcNsf19atF6wQm4yOfd8LODYtE4ol8Z+K0QJyTrxYFK 1raWhoBvIvGK63KFNoJXqZkFWlKGx7ZQF6iln5hKfewg///U88p0Jk+ABj25h+kn JWFLi4QfFRWBH1+TljJ7b8KrVd3cLEMSDXwJ4u+55sPir+2z35BnDiTEPSFZvkeW ZmPkt7MvogpuE0wrW+j9bP1XHUBlirgwuk4fsojDje8ith2IjVhgJvDOpEqWdHKk uySVBNZq2H+MCiyZkc1LOXGoZPGGJV/J3xtfd8P/NnEHqzNiPU4D3B7lAgMBAAGj ggGrMIIBpzAfBgNVHSMEGDAWgBRIT1r6L0qaXuBQ82t7VaXe9b40XTAdBgNVHQ4E FgQUuJn+DjbTLCmjkKczw6S1uR0kEj4wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB /wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMF0GA1UdIARWMFQw UgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29t bW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwPQYDVR0fBDYwNDAy oDCgLoYsaHR0cDovL2NybC5pbmNvbW1vbi5vcmcvSW5Db21tb25TZXJ2ZXJDQS5j cmwwbwYIKwYBBQUHAQEEYzBhMDkGCCsGAQUFBzAChi1odHRwOi8vY2VydC5pbmNv bW1vbi5vcmcvSW5Db21tb25TZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6 Ly9vY3NwLmluY29tbW9uLm9yZzAZBgNVHREEEjAQgg5pZHAuYWxhc2thLmVkdTAN BgkqhkiG9w0BAQUFAAOCAQEANBzYIHpPnRIOxQsBfAgUxYKao91pQJ9GlWouZuco qHekBVVjsaXTpNPd2iXAa27seBbi8sX9GW08Rp/mZHEwFGs/Dt0IdTZ9+I5YAQAb 98j7IDUEIxqC4w5KS3iQEBELfVwKRT77QNz3HPA9igGzNzXK0C1SCMNaifc1rCdq 1zqqgmZ8tiOYGgGIL1uT2hXDK5vNlT7vHo5RsQQUAC2mfT5X8byoeB6ZMGg7nFZa JrELkNrkeEwkKJiK+57h39vAVuYcchTYZG8fy0A7RZOrl5u16N2aPTIt+vbh4kc7 3rnuM0XiHDr2OEbFZfjtVP9duJKGpDaQCOfOJQI1kG6cRg== -----END CERTIFICATE----- 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root -----BEGIN CERTIFICATE----- MIIEwzCCA6ugAwIBAgIQf3HB06ImsNKxE/PmgWdkPjANBgkqhkiG9w0BAQUFADBv MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF eHRlcm5hbCBDQSBSb290MB4XDTEwMTIwNzAwMDAwMFoXDTIwMDUzMDEwNDgzOFow UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAJd8x8j+s+kgaqOkT46ONFYGs3psqhCbSGErNpBp 4zQKR6e7e96qavvrgpWPyh1/r3WmqEzaIGdhGg2GwcrBh6+sTuTeYhsvnbGYr8YB +xdw26wUWexvPzN/ppgL5OI4r/V/hW0OdASd9ieGx5uP53EqCPQDAkBjJH1AV49U 4FR+thNIYfHezg69tvpNmLLZDY15puCqzQyRmqXfq3O7yhR4XEcpocrFup/H2mD3 /+d/8tnaoS0PSRan0wCSz4pH2U341ZVm03T5gGMAT0yEFh+z9SQfoU7e6JXWsgsJ iyxrx1wvjGPJmctSsWJ7cwFif2Ns2Gig7mqojR8p89AYrK0CAwEAAaOCAXcwggFz MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBRIT1r6 L0qaXuBQ82t7VaXe9b40XTAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB /wIBADARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov L2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMIGz BggrBgEFBQcBAQSBpjCBozA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1 c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QucDdjMDkGCCsGAQUFBzAChi1o dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RVVE5TR0NDQS5jcnQwJQYI KwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEF BQADggEBAJNmIYB0RYVLwqvOMrAp/t3f1iRbvwNqb1A+DhuzDYijW+7EpBI7Vu8G f89/IZVWO0Ex/uGqk9KV85UNPEerylwmrT7x+Yw0bhG+9GfjAkn5pnx7ZCXdF0by UOPjCiE6SSTNxoRlaGdosEUtR5nNnKuGKRFy3NacNkN089SXnlag/l9AWNLV1358 xY4asgRckmYOha0uBs7Io9jrFCeR3s8XMIFTtmYSrTfk9e+WXCAONumsYn0ZgYr1 kGGmSavOPN/mymTugmU5RZUWukEGAJi6DFZh5MbGhgHPZqkiKQLWPc/EKo2Z3vsJ FJ4O0dXG14HdrSSrrAcF4h1ow3BmX9M= -----END CERTIFICATE----- 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root -----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA --- No client certificate CA names sent --- SSL handshake has read 4348 bytes and written 279 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: 4E8368600B06F46B5B2E80574C2AF7B4987EF977A950D0A515EBF6CE4EA5E4F2 Session-ID-ctx: Master-Key: 18E20D11AD058288CCD57C0F77F0349442426F8880F112E596E65A3F84FCEAD90C0991EEC9EA2DF8ABA0BAC93F2E9FD0 Key-Arg : None Start Time: 1317234784 Timeout : 300 (sec) Verify return code: 0 (ok) --- }}}