This site requires JavaScript to be enabled


Intended for: Users who need to use certificates to access restricted websites

Scenario/Use case:

This article provides instructions on how to use certificates to access restricted websites.


About website security and SSL

Websites can be set up with different types and levels of security. For example, many sites require no authentication and let anyone in, others require password authentication, and still others (the kind with which we're presently concerned) use Secure Sockets Layer (SSL) and may require user certificate authentication. By convention, URLs for web sites that require an SSL connection start with https: instead of http:.

SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses public-and-private key encryption. SeaMonkey, Firefox, Internet Explorer, Chrome and other browsers support SSL.

Many websites use the SSL protocol to obtain confidential user information, such as credit card numbers. In fact if you've ever bought merchandise over the internet, the vendor site most likely established an SSL connection with your computer, and thus had to authenticate itself (via its service certificate) to your browser. Why didn't you notice anything about certificates? Because virtually all browsers these days come with a set of commonly used CA certificates prepackaged, and when the remote site establishes the SSL connection, your browser checks behind the scenes whether the service certificate presented by that site was issued by one of the CAs it trusts. Usually there is a match, and the transaction can proceed.

The CAs that Fermilab servers typically recognize, CILogon and CERN, are available only to a small (and noncommercial) segment of the population, and are not included by default in any browsers.

What do I have to do to access SSL-protected Fermilab websites?

For sites that don't require user certificate authentication:

Depending on your browser and the remote web server configuration, you may need to import the CA certificates (and associated root CAs) into your browser in order to make a successful SSL connection with one of these servers.

For sites that require user certificate authentication:

In this case you need to have the CA certificate(s) plus a personal certificate. Your valid personal certificate (e.g., a CILogon Basic CA certificate) must be loaded in your browser. When you try to access a restricted webpage your browser may prompt you to select a certificate, or may pick one by default. If it prompts you, select a valid one whose CA is trusted by the site (use the trial and error method!), and your browser will then display the page.

Some websites require you to register with them, e.g., some instances of Fermilab's DocDB. Instructions should be provided at the website.

How does SSL authentication work?

See: What is SSL and what are Certificates? for an explanation of how it works. Here is a simplified version for the case where you have to trust the remote site (e.g. before giving your credit card number):

See Also: