Projects / IAM Project SSL Certs
This page describes the various SSL certs used in IAM infrastructure, their purpose, installed locations, and expiration dates.
Host/Cert Matrix
Cert | Type | Purpose | Installed | File Path | Expiration
|
---|
idp.alaska.edu | InCommon | Shibboleth Front Channel | Howkan, Heald, Hanin | | 2013/09/11
|
idp.alaska.edu | Self Signed | Shibboleth Back Channel | Howkan, Heald, Hanin | | 2014/07/06
|
edir.alaska.edu | InCommon | EDIR LDAP Web/LDAP Interfaces | Eklutna, Edgar, Egegik, Elias, idmp[0-7] | | 2015/02/05
|
edir.alaska.edu | InCommon | EDIR LDAP Web/LDAP Interfaces | Eklutna | | 2009/09/19
|
edir.alaska.edu | InCommon | EDIR LDAP Web/LDAP Interfaces | Edgar | | 2009/12/22
|
edir.alaska.edu | InCommon | EDIR LDAP Web/LDAP Interfaces | Egegik | | 2009/12/15
|
edir.alaska.edu | InCommon | EDIR LDAP Web/LDAP Interfaces | Elias | | 2009/07/1
|
idmq[1-2].alaska.edu | InCommon | UAOnline LDAP/PSP Interfaces | idmq[1-2] | | 2013/10/04
|
authserv.alaska.edu | InCommon | AuthServ Web Interface | Eklutna, Edgar, Egegik, Elias | | 2013/08/15
|
casshib.alaska.edu | InCommon | CASSHIB Web Interface | Alligator | /etc/httpd/certs.local/casshib.crt | 2013/10/25
|
casshib.alaska.edu | InCommon | CASSHIB Web Interface | Amazon | /etc/httpd/certs/amazon-casshib.crt | 2012/09/29
|
nah.alaska.edu | InCommon | Radius Web Interface | Nah | | 2013/02/09
|
nadina.alaska.edu | InCommon | Radius Web Interface | Nadina | | 2013/02/09
|
iam.alaska.edu | InCommon | IAM Wiki | Iron, Inner | | 2013/06/06
|
people.alaska.edu | InCommon? | People (& Department) Search | pyrite, patton, nowhere | | ??
|
Quick SSL Cert How Tos
- Generate CSR and submit request to InCommon Cert Service
- Generate CSR with OpenSSL
john@fearless:~/Documents/Security/Certs$ openssl req -new -newkey rsa:2048 -nodes -keyout idmq-2.alaska.edu.key -out idmq-2.alaska.edu.csr
Use the following values:
OU = OIT Identity and Access Management
O = University of Alaska Statewide System
L = Fairbanks
ST = AK
C = US
CN=somehost.alaska.edu/emailAddress=iam@alaska.edu
- Submit CSR
https://cert-manager.com/customer/InCommon/ssl?action=enroll
- Use IAM credentials for submission
IAM Credentials
- Get subject, issuer, and expiration date from a server.
john@fearless:~$ openssl s_client -host idp.alaska.edu -port 443 2>&1 | openssl x509 -subject -issuer -enddate | head -n 3
subject= /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
notAfter=Sep 11 23:59:59 2013 GMT
- Verify certificate chain with CA root public cert:
john@fearless:~$ openssl s_client -CAfile /home/john/Desktop/AddTrustExternalCARoot.crt -showcerts -verify 5 -host idp.alaska.edu -port 443
verify depth is 5
CONNECTED(00000003)
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
verify return:1
depth=0 /C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgIRAL7m1JR/Jf3um7I+F/71p7wwDQYJKoZIhvcNAQEFBQAw
UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D
b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTAeFw0xMTA5MTIwMDAw
MDBaFw0xMzA5MTEyMzU5NTlaMIGkMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQUsx
EjAQBgNVBAcTCUZhaXJiYW5rczEuMCwGA1UEChMlVW5pdmVyc2l0eSBvZiBBbGFz
a2EgU3RhdGV3aWRlIFN5c3RlbTErMCkGA1UECxMiT0lUIElkZW50aXR5IGFuZCBB
Y2Nlc3MgTWFuYWdlbWVudDEXMBUGA1UEAxMOaWRwLmFsYXNrYS5lZHUwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFJjT7PCqiV9QFBb1ba/CSLhJssdA9
KNRVoYX1U5Y6v00RwGMD2tcNsf19atF6wQm4yOfd8LODYtE4ol8Z+K0QJyTrxYFK
1raWhoBvIvGK63KFNoJXqZkFWlKGx7ZQF6iln5hKfewg///U88p0Jk+ABj25h+kn
JWFLi4QfFRWBH1+TljJ7b8KrVd3cLEMSDXwJ4u+55sPir+2z35BnDiTEPSFZvkeW
ZmPkt7MvogpuE0wrW+j9bP1XHUBlirgwuk4fsojDje8ith2IjVhgJvDOpEqWdHKk
uySVBNZq2H+MCiyZkc1LOXGoZPGGJV/J3xtfd8P/NnEHqzNiPU4D3B7lAgMBAAGj
ggGrMIIBpzAfBgNVHSMEGDAWgBRIT1r6L0qaXuBQ82t7VaXe9b40XTAdBgNVHQ4E
FgQUuJn+DjbTLCmjkKczw6S1uR0kEj4wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMF0GA1UdIARWMFQw
UgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29t
bW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwPQYDVR0fBDYwNDAy
oDCgLoYsaHR0cDovL2NybC5pbmNvbW1vbi5vcmcvSW5Db21tb25TZXJ2ZXJDQS5j
cmwwbwYIKwYBBQUHAQEEYzBhMDkGCCsGAQUFBzAChi1odHRwOi8vY2VydC5pbmNv
bW1vbi5vcmcvSW5Db21tb25TZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6
Ly9vY3NwLmluY29tbW9uLm9yZzAZBgNVHREEEjAQgg5pZHAuYWxhc2thLmVkdTAN
BgkqhkiG9w0BAQUFAAOCAQEANBzYIHpPnRIOxQsBfAgUxYKao91pQJ9GlWouZuco
qHekBVVjsaXTpNPd2iXAa27seBbi8sX9GW08Rp/mZHEwFGs/Dt0IdTZ9+I5YAQAb
98j7IDUEIxqC4w5KS3iQEBELfVwKRT77QNz3HPA9igGzNzXK0C1SCMNaifc1rCdq
1zqqgmZ8tiOYGgGIL1uT2hXDK5vNlT7vHo5RsQQUAC2mfT5X8byoeB6ZMGg7nFZa
JrELkNrkeEwkKJiK+57h39vAVuYcchTYZG8fy0A7RZOrl5u16N2aPTIt+vbh4kc7
3rnuM0XiHDr2OEbFZfjtVP9duJKGpDaQCOfOJQI1kG6cRg==
-----END CERTIFICATE-----
1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIEwzCCA6ugAwIBAgIQf3HB06ImsNKxE/PmgWdkPjANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTEwMTIwNzAwMDAwMFoXDTIwMDUzMDEwNDgzOFow
UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D
b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJd8x8j+s+kgaqOkT46ONFYGs3psqhCbSGErNpBp
4zQKR6e7e96qavvrgpWPyh1/r3WmqEzaIGdhGg2GwcrBh6+sTuTeYhsvnbGYr8YB
+xdw26wUWexvPzN/ppgL5OI4r/V/hW0OdASd9ieGx5uP53EqCPQDAkBjJH1AV49U
4FR+thNIYfHezg69tvpNmLLZDY15puCqzQyRmqXfq3O7yhR4XEcpocrFup/H2mD3
/+d/8tnaoS0PSRan0wCSz4pH2U341ZVm03T5gGMAT0yEFh+z9SQfoU7e6JXWsgsJ
iyxrx1wvjGPJmctSsWJ7cwFif2Ns2Gig7mqojR8p89AYrK0CAwEAAaOCAXcwggFz
MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBRIT1r6
L0qaXuBQ82t7VaXe9b40XTAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBADARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov
L2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMIGz
BggrBgEFBQcBAQSBpjCBozA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1
c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QucDdjMDkGCCsGAQUFBzAChi1o
dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RVVE5TR0NDQS5jcnQwJQYI
KwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEF
BQADggEBAJNmIYB0RYVLwqvOMrAp/t3f1iRbvwNqb1A+DhuzDYijW+7EpBI7Vu8G
f89/IZVWO0Ex/uGqk9KV85UNPEerylwmrT7x+Yw0bhG+9GfjAkn5pnx7ZCXdF0by
UOPjCiE6SSTNxoRlaGdosEUtR5nNnKuGKRFy3NacNkN089SXnlag/l9AWNLV1358
xY4asgRckmYOha0uBs7Io9jrFCeR3s8XMIFTtmYSrTfk9e+WXCAONumsYn0ZgYr1
kGGmSavOPN/mymTugmU5RZUWukEGAJi6DFZh5MbGhgHPZqkiKQLWPc/EKo2Z3vsJ
FJ4O0dXG14HdrSSrrAcF4h1ow3BmX9M=
-----END CERTIFICATE-----
2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=AK/L=Fairbanks/O=University of Alaska Statewide System/OU=OIT Identity and Access Management/CN=idp.alaska.edu
issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4348 bytes and written 279 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4E8368600B06F46B5B2E80574C2AF7B4987EF977A950D0A515EBF6CE4EA5E4F2
Session-ID-ctx:
Master-Key: 18E20D11AD058288CCD57C0F77F0349442426F8880F112E596E65A3F84FCEAD90C0991EEC9EA2DF8ABA0BAC93F2E9FD0
Key-Arg : None
Start Time: 1317234784
Timeout : 300 (sec)
Verify return code: 0 (ok)
---