== [[/|Projects]] / IAM Project SSL Certs ==

This page describes the various SSL certs used in IAM infrastructure, their purpose, installed locations, and expiration dates.

== !Host/Cert Matrix ==

||= Cert =||= Type =||= Purpose =||= Installed =||= File Path =||= Expiration =||
||idp.alaska.edu||!InCommon||Shibboleth Front Channel||Howkan, Heald, Hanin|| ||2013/09/11||
||idp.alaska.edu||Self Signed||Shibboleth Back Channel||Howkan, Heald, Hanin||/opt/shibboleth-idp/metadata/InCommon-metadata.xml||2014/07/06||
||edir.alaska.edu||!InCommon||EDIR LDAP Web/LDAP Interfaces||Eklutna, Edgar, Egegik, Elias, idmp![0-7]|| ||2015/02/05||
||edir.alaska.edu||UA-OIT||EDIR LDAP Web/LDAP Interfaces||Eklutna|| ||2009/09/19||
||edir.alaska.edu||UA-OIT||EDIR LDAP Web/LDAP Interfaces||Edgar|| ||2009/12/22||
||edir.alaska.edu||UA-OIT||EDIR LDAP Web/LDAP Interfaces||Egegik|| ||2009/12/15||
||edir.alaska.edu||UA-OIT||EDIR LDAP Web/LDAP Interfaces||Elias|| ||2009/07/01||
||idmq![1-2].alaska.edu||!InCommon||UAOnline LDAP/PSP Interfaces||idmq![1-2]|| ||2013/10/04||
||authserv.alaska.edu||!InCommon||!AuthServ Web Interface||Eklutna, Edgar, Egegik, Elias|| ||2013/08/15||
||casshib.alaska.edu||!InCommon||CASSHIB Web Interface||Alligator||/etc/httpd/certs.local/casshib.crt||2013/10/25||
||casshib.alaska.edu||!InCommon||CASSHIB Web Interface||Amazon||/etc/pki/tls/certs/casshib.crt||2013/10/25||
||nah.alaska.edu||!InCommon||Radius Web Interface||Nah||/etc/pki/tls/certs/server.crt||2016/02/06||
||nadina.alaska.edu||!InCommon||Radius Web Interface||Nadina|| ||2013/09/16||
||iam.alaska.edu||!InCommon||IAM Wiki||Iron, Inner|| ||2013/06/06||
||people.alaska.edu||!InCommon||People (& Department) Search||pyrite, patton, nowhere|| ||2014/02/18||
||cas.alaska.edu||!InCommon||CAS Service Registry||pending|| ||pending||
||cas.alaska.edu||UA-OIT Windows AD root||CAS AD Authentication||pending|| ||pending||
||cas.alaska.edu||UA-OIT Windows AD PROD||CAS AD Authentication||pending|| ||pending||
||cas-lrgp.alaska.edu||!InCommon||CAS Service Registry||agouti||/fs/cas/private/cas-lrgp.jks||checking||
||cas-lrgp.alaska.edu||UA-OIT Windows AD root||CAS AD Authentication||agouti||/fs/cas/private/cas-lrgp.jks||checking||
||cas-lrgp.alaska.edu||UA-OIT Windows AD LRGP||CAS AD Authentication||agouti||/fs/cas/private/cas-lrgp.jks||checking||
||cas-test.alaska.edu||!InCommon||CAS Service Registry||anteater||/fs/cas/private/cas-test.jks||checking||
||cas-test.alaska.edu||UA-OIT Windows AD root||CAS AD Authentication||anteater||/fs/cas/private/cas-test.jks||checking||
||cas-test.alaska.edu||UA-OIT Windows AD TEST||CAS AD Authentication||anteater||/fs/cas/private/cas-test.jks||checking||
||cas-dev.alaska.edu||!InCommon||CAS Service Registry||anaconda|| ||checking||
||cas-dev.alaska.edu||UA-OIT Windows AD root||CAS AD Authentication||anaconda|| ||checking||
||cas-dev.alaska.edu||UA-OIT Windows AD TEST||CAS AD Authentication||anaconda|| ||checking||
||cas-prep.alaska.edu||pending||pending||pending||pending||pending||
||cas-regx.alaska.edu||pending||pending||pending||pending||pending||

NOTES:
 * For CAS certificate installation procedures, see [[https://iam.alaska.edu/beis/wiki/CertsForCAS|Trusted Certificates for Successful CAS Authentication at UA]]
 * The following procedure was followed to determine the status of certificates on each server. Using the command shown below, an OpenSSL query was issued to each functional identity, followed by the same OpenSSL query to each actual server host name behind it, i.e., idp.alaska.edu followed by hanin.alaska.edu, heald.alaska.edu, and howkan.alaska.edu.
 * The following hosts have updated certificates as seen via OpenSSL but outdated certificate files on disk: hanin, howkan, heald (May 19 12:58:29 2012 GMT)
 * The following hosts returned a different certificate from their !InCommon identity, i.e., edir.alaska.edu produced the certificate shown while the following hosts associated with that domain returned different certificates: Eklutna, Edgar, Egegik, Elias
 * The following hosts are unreachable via OpenSSL within the UA-OIT firewall network. A test must be run from within RPTP.alaska.edu: idmp[0-7], idmq[1,2], idmt[0,1], Inner, Pyrite, Patton, Nowhere
 * Via OpenSSL, Amazon provides the same certificate as alligator.alaska.edu and idp.alaska.edu. The location of the CRT, however, is unknown. The certificate expiration date provided at /etc/httpd/certs/amazon-casshib.crt is 2012/09/29.

== Quick SSL Cert How Tos ==

 * Generate CSR and submit request to !InCommon Cert Service
   1. Generate CSR with OpenSSL
{{{
john@fearless:~/Documents/Security/Certs$ openssl req -new -newkey rsa:2048 -nodes -keyout idmq-2.alaska.edu.key -out idmq-2.alaska.edu.csr
}}}
      Use the following values:
{{{
OU = OIT Identity and Access Management
O = University of Alaska Statewide System
L = Fairbanks
ST = AK
C = US
CN=somehost.alaska.edu/emailAddress=iam@alaska.edu
}}}
   2. Submit CSR[[br]]
      https://cert-manager.com/customer/InCommon/ssl?action=enroll
   3. Use IAM credentials for submission[[br]]
      [[raw-attachment:iam_incommon_pin.asc|IAM Credentials]][[BR]]
 * Get subject, issuer, and expiration date from a server.
{{{
john@fearless:~$ openssl s_client -host idp.alaska.edu -port 443 2>&1 | openssl x509 -subject -issuer -enddate | head -n 3
subject= /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
notAfter=Sep 11 23:59:59 2013 GMT
}}}
 * Verify certificate chain with CA root public cert:
{{{
john@fearless:~$ openssl s_client -CAfile /home/john/Desktop/AddTrustExternalCARoot.crt -showcerts -verify 5 -host idp.alaska.edu -port 443
verify depth is 5
CONNECTED(00000003)
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
verify return:1
depth=0 /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgIRAL7m1JR/Jf3um7I+F/71p7wwDQYJKoZIhvcNAQEFBQAw
UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D
b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTAeFw0xMTA5MTIwMDAw
MDBaFw0xMzA5MTEyMzU5NTlaMIGkMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQUsx
EjAQBgNVBAcTCUZhaXJiYW5rczEuMCwGA1UEChMlVW5pdmVyc2l0eSBvZiBBbGFz
a2EgU3RhdGV3aWRlIFN5c3RlbTErMCkGA1UECxMiT0lUIElkZW50aXR5IGFuZCBB
Y2Nlc3MgTWFuYWdlbWVudDEXMBUGA1UEAxMOaWRwLmFsYXNrYS5lZHUwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFJjT7PCqiV9QFBb1ba/CSLhJssdA9
KNRVoYX1U5Y6v00RwGMD2tcNsf19atF6wQm4yOfd8LODYtE4ol8Z+K0QJyTrxYFK
1raWhoBvIvGK63KFNoJXqZkFWlKGx7ZQF6iln5hKfewg///U88p0Jk+ABj25h+kn
JWFLi4QfFRWBH1+TljJ7b8KrVd3cLEMSDXwJ4u+55sPir+2z35BnDiTEPSFZvkeW
ZmPkt7MvogpuE0wrW+j9bP1XHUBlirgwuk4fsojDje8ith2IjVhgJvDOpEqWdHKk
uySVBNZq2H+MCiyZkc1LOXGoZPGGJV/J3xtfd8P/NnEHqzNiPU4D3B7lAgMBAAGj
ggGrMIIBpzAfBgNVHSMEGDAWgBRIT1r6L0qaXuBQ82t7VaXe9b40XTAdBgNVHQ4E
FgQUuJn+DjbTLCmjkKczw6S1uR0kEj4wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMF0GA1UdIARWMFQw
UgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29t
bW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwPQYDVR0fBDYwNDAy
oDCgLoYsaHR0cDovL2NybC5pbmNvbW1vbi5vcmcvSW5Db21tb25TZXJ2ZXJDQS5j
cmwwbwYIKwYBBQUHAQEEYzBhMDkGCCsGAQUFBzAChi1odHRwOi8vY2VydC5pbmNv
bW1vbi5vcmcvSW5Db21tb25TZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6
Ly9vY3NwLmluY29tbW9uLm9yZzAZBgNVHREEEjAQgg5pZHAuYWxhc2thLmVkdTAN
BgkqhkiG9w0BAQUFAAOCAQEANBzYIHpPnRIOxQsBfAgUxYKao91pQJ9GlWouZuco
qHekBVVjsaXTpNPd2iXAa27seBbi8sX9GW08Rp/mZHEwFGs/Dt0IdTZ9+I5YAQAb
98j7IDUEIxqC4w5KS3iQEBELfVwKRT77QNz3HPA9igGzNzXK0C1SCMNaifc1rCdq
1zqqgmZ8tiOYGgGIL1uT2hXDK5vNlT7vHo5RsQQUAC2mfT5X8byoeB6ZMGg7nFZa
JrELkNrkeEwkKJiK+57h39vAVuYcchTYZG8fy0A7RZOrl5u16N2aPTIt+vbh4kc7
3rnuM0XiHDr2OEbFZfjtVP9duJKGpDaQCOfOJQI1kG6cRg==
-----END CERTIFICATE-----
 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIEwzCCA6ugAwIBAgIQf3HB06ImsNKxE/PmgWdkPjANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTEwMTIwNzAwMDAwMFoXDTIwMDUzMDEwNDgzOFow
UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D
b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJd8x8j+s+kgaqOkT46ONFYGs3psqhCbSGErNpBp
4zQKR6e7e96qavvrgpWPyh1/r3WmqEzaIGdhGg2GwcrBh6+sTuTeYhsvnbGYr8YB
+xdw26wUWexvPzN/ppgL5OI4r/V/hW0OdASd9ieGx5uP53EqCPQDAkBjJH1AV49U
4FR+thNIYfHezg69tvpNmLLZDY15puCqzQyRmqXfq3O7yhR4XEcpocrFup/H2mD3
/+d/8tnaoS0PSRan0wCSz4pH2U341ZVm03T5gGMAT0yEFh+z9SQfoU7e6JXWsgsJ
iyxrx1wvjGPJmctSsWJ7cwFif2Ns2Gig7mqojR8p89AYrK0CAwEAAaOCAXcwggFz
MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBRIT1r6
L0qaXuBQ82t7VaXe9b40XTAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBADARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov
L2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMIGz
BggrBgEFBQcBAQSBpjCBozA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1
c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QucDdjMDkGCCsGAQUFBzAChi1o
dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RVVE5TR0NDQS5jcnQwJQYI
KwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEF
BQADggEBAJNmIYB0RYVLwqvOMrAp/t3f1iRbvwNqb1A+DhuzDYijW+7EpBI7Vu8G
f89/IZVWO0Ex/uGqk9KV85UNPEerylwmrT7x+Yw0bhG+9GfjAkn5pnx7ZCXdF0by
UOPjCiE6SSTNxoRlaGdosEUtR5nNnKuGKRFy3NacNkN089SXnlag/l9AWNLV1358
xY4asgRckmYOha0uBs7Io9jrFCeR3s8XMIFTtmYSrTfk9e+WXCAONumsYn0ZgYr1
kGGmSavOPN/mymTugmU5RZUWukEGAJi6DFZh5MbGhgHPZqkiKQLWPc/EKo2Z3vsJ
FJ4O0dXG14HdrSSrrAcF4h1ow3BmX9M=
-----END CERTIFICATE-----
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4348 bytes and written 279 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 4E8368600B06F46B5B2E80574C2AF7B4987EF977A950D0A515EBF6CE4EA5E4F2
    Session-ID-ctx:
    Master-Key: 18E20D11AD058288CCD57C0F77F0349442426F8880F112E596E65A3F84FCEAD90C0991EEC9EA2DF8ABA0BAC93F2E9FD0
    Key-Arg   : None
    Start Time: 1317234784
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
}}}
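As an added example (not part of this wiki page or any UA IAM tooling), the NOTES procedure and the CSR and expiry checks from the how-tos above, scripted with the same openssl CLI: it compares the certificate a functional identity serves with the one each real host behind it serves, flags anything expiring within 30 days, and generates a CSR non-interactively with the subject values listed for !InCommon. The function names and the 30-day threshold are assumptions; it requires only openssl in PATH.

```shell
#!/bin/sh
# Added example, not from the original wiki page: the NOTES procedure (compare the cert a
# functional identity serves with the cert each real host behind it serves) plus an expiry
# check for the Host/Cert Matrix, scripted with the same openssl CLI the page already uses.
# Assumed: openssl in PATH; the -subj values are the ones the page lists for InCommon CSRs.

# Non-interactive form of the page's CSR step: key and CSR for host $1 with the UA-OIT subject.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=$1/emailAddress=iam@alaska.edu" \
        2>/dev/null
}

# Leaf certificate served by $1 on port $2, as PEM on stdout. SNI is sent so that a
# functional name (idp.alaska.edu) and a box name (hanin.alaska.edu) each return the cert
# their own vhost serves; </dev/null keeps s_client from waiting on a terminal.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# SHA-256 fingerprint of the PEM cert in file $1: a stable key for "is this the same cert?".
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Exit 0 if the PEM cert in file $1 is still valid $2 days from now, 1 if it will have
# expired by then. openssl -checkend does the date arithmetic, so no GNU date is needed.
cert_ok_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# audit_identity IDENT HOST...: flag each host whose served cert differs from IDENT's and
# any cert that expires within 30 days. Needs network access; the offline test skips it.
audit_identity() {
    ident=$1; shift
    tmp=$(mktemp -d)
    fetch_cert "$ident" 443 >"$tmp/ident.pem" || { echo "$ident: unreachable"; rm -rf "$tmp"; return 1; }
    ref=$(cert_fingerprint "$tmp/ident.pem")
    for h in "$@"; do
        fetch_cert "$h" 443 >"$tmp/$h.pem" || { echo "$h: unreachable"; continue; }
        [ "$(cert_fingerprint "$tmp/$h.pem")" = "$ref" ] || echo "$h: cert differs from $ident"
        cert_ok_for_days "$tmp/$h.pem" 30 || echo "$h: cert expires within 30 days"
    done
    rm -rf "$tmp"
}
```

Run as `audit_identity idp.alaska.edu hanin.alaska.edu heald.alaska.edu howkan.alaska.edu` to reproduce the idp check from NOTES; hosts behind the UA-OIT firewall will report as unreachable unless run from a host that can reach them.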