Trusting Certificates and How to Download CA Certificates
If you arrived here from How do I get a certificate, remember to go back there once you've gotten the information you're looking for here. We are moving info to that area, and it is newer.
PKI certificates for persons, hosts or services are issued by Certificate Authorities (CAs). For a description of the CA chain of trust, please see: CA certs and chain of trust.
Current Production OSG PKI CA certificate
The OSG PKI Certificate Authority is the DigiCert Grid Certificate Authority. The CA certificates are available at the DigiCert-Grid Repository. The section titled "DigiCert-Grid Grid-Only Trust CAs" contains the information and links for the Certificate Authority that issues the OSG PKI certificates.
To import the OSG CA certificates into your browser, download both the Root and CA-1 files in PEM format, then open your browser's Certificate Manager and use the Import function. Make sure you import these certificates as Authorities. Note that the OSG CA trust chain for your personal certificate requires both the Root and CA-1 CA certificates. OSG has added a new subordinate CA for newer certificates issued with SHA2 hashes; download and install the CA-1 G2 CA certificate in PEM format as well as the older CA-1 subordinate CA for now.
Download the DigiCert Grid Root CA Certificate in PEM and DER (binary) formats or with hashed file name (PEM format).
DigiCert Grid Root CA CRL in DER format.
Download the DigiCert Grid CA-1 Certificate (this is a subordinate CA to the DigiCert Grid Root CA) in PEM and DER (binary) formats or with hashed file name (PEM format).
DigiCert Grid CA-1 CRL in DER format.
Download the DigiCert Grid CA-1 G2 Certificate (this is a subordinate CA to the DigiCert Grid Root CA) in PEM and DER (binary) formats or with hashed file name (PEM format).
DigiCert Grid CA-1 G2 CRL in DER format.
Note that the downloaded PEM format files will appear with .cer file extensions (instead of .pem). The hashed file name forms will download with .0 file extensions and file names based on the certificate hash code, for use in CA trust chains in Apache.
Current Production CILogon Basic CA certificate
The CILogon CA certificates and CRLs are available from their downloads page. Explicit links are given below for the CILogon Basic CA.
Download CILogon Basic CA Certificate in PEM encoded format or in binary DER format. The hash file names for the CILogon Basic CA are 28776852 for OpenSSL 0.9 and c2868627 for OpenSSL 1.0.
CILogon Basic Certificate Revocation List (CRL) downloads in PEM and binary DER formats.
Current Production CERN Grid CA certificate
The CERN Grid CA certificates and CRLs are available from links on their Files and Documents page.
Go here to import the CERN Grid CA Certificates into your browser. If you are trying to replace existing copies of these CA certificates already in your browser, you will probably have to delete the old copies before trying to import the new ones. Note that you need to import both the CERN Root Certification Authority 2 certificate and the CERN Grid Certification Authority certificate. You can right-click those links and choose Save As to download the CA certificates (both are in PEM format).
You can generate the hash file name by using OpenSSL:
% hashname=`openssl x509 -hash -noout -in ca-certificate-file.pem`
CERN Root CA 2 Certificate Revocation List (CRL) download in DER binary format. CERN Grid CA CRL download in DER binary format.
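The hashed file names mentioned above (the .0 files used for CA trust chains in Apache, and the separate OpenSSL 0.9 and OpenSSL 1.0 hash names listed for the CILogon Basic CA) can be generated and installed together. The script below is an added example, not part of the original page or of any OSG tooling; the function names, the directory layout and the throwaway test CA subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): install a CA certificate into an
# OpenSSL/Apache hashed directory under both hash file names.

# Print the two hash names of a PEM certificate: the current one (OpenSSL 1.0
# and later) first, then the legacy one (OpenSSL 0.9).
ca_hash_names() {
    openssl x509 -noout -hash -in "$1" &&
    openssl x509 -noout -subject_hash_old -in "$1"
}

# Usage: install_hashed_ca ca.pem certdir
# Writes certdir/<hash>.<n> for each hash name, n being the first free index.
install_hashed_ca() (
    pem=$1 dir=$2
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$pem") || exit 1
    hashes=$(ca_hash_names "$pem") || exit 1
    mkdir -p "$dir" || exit 1
    for h in $hashes; do
        n=0
        # Different CAs can share a hash; OpenSSL then tries .0, .1, .2, ...
        while [ -e "$dir/$h.$n" ]; do
            other=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$h.$n")
            # Same fingerprint: this CA is already installed under this name.
            [ "$other" = "$fp" ] && continue 2
            n=$((n + 1))
        done
        # Re-encode so only the certificate block lands in the trust directory.
        openssl x509 -in "$pem" -out "$dir/$h.$n" || exit 1
        echo "installed $dir/$h.$n"
    done
)

# Demo on a constructed, throwaway self-signed CA (hypothetical subject name).
demo() (
    tmp=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=org/DC=example/CN=Constructed Test CA" \
        -keyout "$tmp/key.pem" -out "$tmp/ca.pem" 2>/dev/null || exit 1
    install_hashed_ca "$tmp/ca.pem" "$tmp/certificates" &&
        openssl verify -CApath "$tmp/certificates" "$tmp/ca.pem"
    rc=$?
    rm -rf "$tmp"
    exit "$rc"
)
demo
```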