Fermilab Computing Division
 

Issues with Expired Certificates

While we were investigating failures when using DOEGrids certificates to sign E-mails, we ran across a general issue with expired certificates in the certificate storage databases. This came about because the original DOEGrids CA certificate expired on 1/10/2008 but had been replaced by a longer-lived certificate (expiring in 2013). The new certificate had been loaded, but the old one was neither removed nor replaced. The applications then appear to use the first matching certificate found, even if that certificate has expired. The problem was corrected by deleting the expired DOEGrids CA certificate, leaving the newer, longer-lived CA certificate in place. Similarly, the ESnet root CA certificate was also duplicated, with two different lifetimes. While this did not cause problems, as neither ESnet root CA certificate had expired, we chose to delete the older, short-lived ESnet root CA certificate to prevent future problems.

These issues appear in the Mozilla (NSS) certificate store used by Thunderbird, Firefox, Netscape and SeaMonkey, as well as in the Microsoft certificate store under Windows used by Outlook and Internet Explorer. It is not known at this time whether similar problems exist in the Mac OS X Keychain store.
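The triage rule described above (group CA certificates by subject, remove an expired copy that shadows a longer-lived one, remove an older copy that a longer-lived one supersedes, and treat a subject with no valid copy left as needing a fresh CA chain) as an added Go example; it is not part of this page or of any Fermilab tool. It builds constructed self-signed certificates with invented lifetimes (only the 1/10/2008 DOEGrids expiry and the 1/21/2008 "now" come from the page) and assumes only the Go standard library's crypto/x509 package.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Audit returns one action per certificate (store order), judging copies that share a subject.
func Audit(certs []*x509.Certificate, now time.Time) []string {
	longest := map[string]time.Time{} // latest NotAfter seen per subject
	for _, c := range certs {
		if s := c.Subject.String(); c.NotAfter.After(longest[s]) {
			longest[s] = c.NotAfter
		}
	}
	actions := make([]string, len(certs))
	for i, c := range certs {
		s, a := c.Subject.String(), "keep"
		switch {
		case now.After(c.NotAfter) && longest[s].After(now):
			a = "remove: expired copy shadows a valid one"
		case now.After(c.NotAfter):
			a = "replace: expired, no valid copy present"
		case c.NotAfter.Before(longest[s]):
			a = "remove: superseded by a longer-lived copy"
		}
		actions[i] = a
	}
	return actions
}
func selfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate { // constructed demo CA cert
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// DemoStore mirrors the page's store; every date except the 1/10/2008 expiry is constructed.
func DemoStore() ([]*x509.Certificate, time.Time) {
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }
	return []*x509.Certificate{
		selfSigned("DOEGrids CA 1", d(2002, 1, 1), d(2008, 1, 10)),  // old copy, now expired
		selfSigned("DOEGrids CA 1", d(2007, 1, 1), d(2013, 1, 1)),   // replacement, still valid
		selfSigned("ESnet Root CA 1", d(2002, 1, 1), d(2010, 1, 1)), // shorter-lived duplicate
		selfSigned("ESnet Root CA 1", d(2002, 1, 1), d(2025, 1, 1)),
	}, d(2008, 1, 21) // "now": the page's modification date
}
```

Running Audit over certificates exported from a real store (for example, DER files parsed with x509.ParseCertificate) gives the same verdicts, since only Subject and NotAfter are consulted.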

Under Windows, select Internet Options from the Settings/Control Panel or from the Internet Explorer Tools menu. In the Internet Options dialog, select the Content tab and click the Certificates button to open the Certificate Manager. The ESnet Root CA certificates are listed under the Trusted Root Certificate Authorities tab and the DOEGrids CA certificates under the Intermediate Certificate Authorities tab. Select a certificate and use the View button to verify that it is the certificate you want to delete before using the Remove button.

In the Certificate Manager of Thunderbird, Firefox, Netscape and SeaMonkey, the ESnet and DOEGrids certificates are listed under the Authorities tab. To reach the Certificate Manager in Thunderbird and Firefox, select Options from the Tools menu; in the Options dialog select the Advanced tab and click the View Certificates button.

In SeaMonkey, the Certificate Manager is reached from the Edit menu via the Preferences item: expand the Privacy & Security section by clicking the plus sign and click Certificate Manager.

If you need to install the new DOEGrids or ESnet CA certificates, go here, select the Retrieval tab and then the Import CA Certificate Chain menu item on the left (or you can try this link directly to the CA Chain page). The "Import the CA certificate chain into your browser" option should already be selected, so all you need to do is click the Submit button.

Macintosh users: the DOEGrids web site will not work with the Safari browser!

The following is from an E-mail from Alan Sill to the Fermilab Mac-Users mailing list:

A repository secured by a commercial certificate (which should already be available in most browsers) has been set up by TACAR for the CA for E-Science projects at CERN or US projects (DOEGrids plus ESnet CA certificates). Download the needed CA certificates and/or install them in your browser or E-mail system. Mac users can save the .pem file that results from clicks on the Install button for a given CA and then open the .pem file within their Keychain application by just double-clicking on the file. Root CA certificates like the ESnet Root CA should be saved to the X509Anchors portion of the Keychain and other, subordinate CA certificates can be added to the main Keychain. This will make the CA certificates available to both Safari and OS X Mail.

In all operating systems and programs, it makes sense to clear out old, expired CA certificates from your certificate store. Note that maintaining your browser/E-mail certificates is a separate issue from the CA certificates used by the grid middleware software package.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; modified by FJN on January 21, 2008.
(Address comments about page to the Computer Security Team.)