Accessing Secure Earlham Web Sites and E-mail (Using Earlham SSL Certificates)
Earlham Computing Services runs a number of secure web services as well as secure e-mail services. The security of these services is ensured by a certificate presented by the service, which is used both to verify the service's authenticity and to encrypt any data sent between your computer and the service. Many Internet sites use this form of security (called SSL, for secure sockets layer) and purchase site certificates from a commercial certificate vendor. Earlham has chosen to issue its own certificates for these services rather than purchase them from elsewhere, on the theory that Earlham community members already trust the college and Computing Services, thus removing the need for a commercial entity to certify the authenticity of the service. However, these "self-signed" certificates typically cannot be verified by web browsers and other programs, which will require you to accept a warning message every time you connect.
This document will tell you how to download and install the master certificate (or Certificate Authority) that Earlham uses to generate and sign all of the certificates used in its online services. Once this certificate is installed as a trusted authority, your web browser or e-mail program can verify the Earlham secure services itself and will connect to them without the warning.
Certificate Authority Location
The master certificate, or the Earlham College Certificate Authority, can be downloaded from the web address http://www.earlham.edu/cgi-bin/loadCAcert.pl. This will be the starting point for all of the following instructions.
MacOS X
A number of programs in MacOS X use the system's Keychain functionality to verify SSL certificates. In these cases, it will be necessary to add the certificate to the system Keychain. Programs that use this method include:
- Safari
- Eudora
- MacOS X Mail
The method of adding the certificate to the Keychain differs depending on your version of MacOS X.
Jaguar (MacOS X 10.2)
You will need to open a Terminal (command line) window in order to add the certificate to the system Keychain.
- Download the certificate from the location above and save it to a file called earlham-ca.pem in your home directory.
- Open the Terminal program (or any other command line utility).
- Copy the file /System/Library/Keychains/X509Anchors to your personal Keychain folder (~/Library/Keychains) with the following command:
- cp /System/Library/Keychains/X509Anchors ~/Library/Keychains
- Use the certtool program to add the Earlham College certificate to your personal Keychain:
- certtool i earlham-ca.pem k=X509Anchors
- Copy the new X509Anchors file from your personal Keychain to the system Keychain (the sudo program will ask you for your password, since you are modifying the MacOS X system information):
- sudo cp ~/Library/Keychains/X509Anchors /System/Library/Keychains/X509Anchors
After you have added the certificate to the system Keychain, you will have to restart any applications that you wish to have make use of this certificate for verifying secure services.
Panther (MacOS X 10.3)
The Panther version of the Keychain application is more intelligent than the Jaguar version. This version does not require you to open a Terminal window or use command line programs.
- Download the certificate from the location above and save it to a file called earlham-ca.pem in your home directory.
- Drag the earlham-ca.pem file to the Keychain Access application in the Finder (Keychain Access can be found in /Applications/Utilities).
- Tell Keychain Access that you wish to save this certificate in the X509Anchors keychain.
- Restart any applications that you wish to have use this certificate.
Windows
Internet Explorer
Eudora (version 5.x)
Eudora doesn't let you import the certificate directly; instead, you must let it try to connect and fail, then tell it to Trust the certificate in question.
- Click Tools, then Options.
- Select the Checking Mail icon.
- Set Secure Sockets when Sending to Required, STARTTLS.
- Click OK.
- Attempt to check your Earlham mail. The attempt will fail, with the message SSL Negotiation failed: Certificate Error: Cert Chain not trusted.
- Click Tools, then Options.
- Select the Checking Mail icon.
- Click the Last SSL Info button.
- Click the Certificate Information Manager button.
- Make sure that the Earlham certificate (US, Indiana, Richmond, Earlham College, Computing Services, ...) is selected, then click Add to Trusted.
- Click Done, OK, OK.
Others
Mozilla Firefox/Mozilla Thunderbird
- Click Tools, then Options.
- Select the Privacy icon.
- Select the Security tab.
- Click the View Certificates button.
- Select the Authorities tab, then click Import.
- Enter the Certificate Authority Location (given above) and click Open.
- Check all three Trust this CA to ... boxes.
- Click OK, OK, and OK.
Note: To use TLS to send mail from Thunderbird, you'll need to use port 587 (Tools > Account Settings > Outgoing Server (SMTP)).
Netscape and Mozilla
--
RowanLittell - 10 Feb 2004