These instructions address issues with the importation of the OSG Grid CA certificates. In some cases, the Trust settings (also known as the Certificate Purposes) of the CA certificates are not set properly. This then causes problems when users attempt to use their personal OSG certificates (e.g. for signing email messages).
These instructions reference the OSG Grid CA certificates but may also apply to other CA certificates automatically imported into certificate stores.
The OSG CA certificates can be installed in these applications (SeaMonkey, Firefox and Thunderbird) via two methods. The individual CA certificates can be downloaded as PEM-format .cer files and imported directly, or they can be installed by importing the PKCS#12 package (.p12 file) you get from the OSG with your personal certificate and private key. When you import the PEM-format certificates, you are presented with a pop-up dialog to set the CA certificate trust settings (or certificate usages), but this does not happen when you import the CA certificates from the PKCS#12 file. In this second case, the trust settings must be corrected manually. The following are instructions on how to manually edit the CA certificate trust settings.
These applications do not use the operating system security store (i.e. the keychain under Mac OS X); each application stores certificates in its own private security device, which is not shared with other applications.
First enter the Certificate Manager. This is done slightly differently in each application but all use the same Certificate Manager interface thereafter:
SeaMonkey: From the Edit menu, select Preferences (under the SeaMonkey menu on the Macintosh). Open the Privacy & Security category and click Certificates. In the Manage Certificates section, click Manage Certificates. Alternatively, you can select the Certificate Manager item from the Tools menu.
Firefox: From the Edit menu, select Preferences (under the Firefox menu on the Macintosh). Open the Advanced category, select the Encryption tab, and open the View Certificates item.
Thunderbird: From the Edit menu, select Preferences (under the Thunderbird menu on the Macintosh). Open the Advanced category, open the Certificates item and click on the View Certificates button.
Once you are in the Certificate Manager, the instructions are the same for all these applications:
1. In the Certificate Manager window, open the Authorities tab.
2. Look for the OSG CA certificates in the list (they appear under DC=CILogon OSG CA). Select one of the certificates.
3. Click the Edit Trust... button at the bottom of the window.
4. In the Edit Trust Settings pop-up dialog, you should see three items listed with a check-box in front of each item.
5. All three items should be checked. If so, click Cancel and continue. Otherwise, check each unchecked box and click OK. The three items control the usage of the certificates issued by the CA corresponding to the CA certificate:
- This certificate can identify websites.
- This certificate can identify mail users. (Can digitally sign E-mail)
- This certificate can identify software makers.
6. Repeat for the other CA certs as needed.
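The three check-boxes above correspond to the three NSS trust columns (SSL, S/MIME, JAR/XPI) that the NSS `certutil` tool lists for a Mozilla profile database. The following added example (not part of the original instructions) parses that listing and reports CA certificates whose trust flags are incomplete; it assumes `certutil` from the NSS tools package, and the profile path and nicknames in the comments and sample are constructed placeholders.

```sh
#!/bin/sh
# Added example: check the NSS trust flags of CA certificates in a Mozilla
# profile database. `certutil -L -d sql:<profile>` prints one line per cert:
#   <nickname>   <SSL>,<S/MIME>,<JAR/XPI>
# The three columns map to the Edit Trust check-boxes (websites, mail users,
# software makers). A "C" in a column means the CA is trusted for that purpose.

# check_trust_lines: read certutil -L output on stdin and print, for every line
# matching the regex $1, "<nickname>|<flags>|ok" or "<nickname>|<flags>|missing".
check_trust_lines() {
  pattern="$1"
  grep -E "$pattern" | while IFS= read -r line; do
    flags=$(printf '%s\n' "$line" | awk '{print $NF}')
    # Nickname is everything before the trailing trust-flag field.
    nick=$(printf '%s\n' "$line" | sed -E 's/[[:space:]]+$//; s/[[:space:]]+[^[:space:]]*$//')
    ssl=$(printf '%s' "$flags" | cut -d, -f1)
    mail=$(printf '%s' "$flags" | cut -d, -f2)
    code=$(printf '%s' "$flags" | cut -d, -f3)
    status=ok
    case "$ssl"  in *C*) ;; *) status=missing ;; esac   # identify websites
    case "$mail" in *C*) ;; *) status=missing ;; esac   # identify mail users
    case "$code" in *C*) ;; *) status=missing ;; esac   # identify software makers
    printf '%s|%s|%s\n' "$nick" "$flags" "$status"
  done
}

# Constructed sample of certutil -L output (not captured from a real profile):
# the Root CA below has only the SSL column set, as happens after a PKCS#12 import.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

CILogon OSG CA 1                             C,C,C
CILogon OSG Root CA                          C,,
Some Unrelated CA                            C,C,C'

# count_missing: number of OSG CAs in the sample with incomplete trust flags.
count_missing() {
  printf '%s\n' "$SAMPLE_LISTING" | check_trust_lines 'OSG' | grep -c '|missing$'
}

# Real use (PROFILE path is an assumption; find yours under ~/.mozilla or ~/.thunderbird):
#   PROFILE=~/.mozilla/firefox/xxxxxxxx.default
#   certutil -L -d "sql:$PROFILE" | check_trust_lines 'OSG'
# To set all three purposes on a CA reported as "missing" (nickname as listed):
#   certutil -M -d "sql:$PROFILE" -n 'CILogon OSG Root CA' -t 'C,C,C'
count_missing
```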
Windows stores certificates in a system-wide certificate store that is used by applications such as Internet Explorer and Outlook. Windows systems in the FERMI domain have the OSG CA certificates installed automatically by a GPO (Group Policy Object) of the domain. This ensures that Windows systems in the FERMI domain have the CA certificates installed in the correct Certificate Store and with the correct Certificate Purposes enabled. Standalone Windows 7 systems may have issues with certificates such that a user cannot install or use their personal certificate, primarily because the Root certificate does not go into the correct Certificate Store. Usually, however, the CA certificates do get installed with the correct Certificate Purposes, but this setting is easily checked:
From the Start button select the Control Panel. Then select Internet Options and then the Content tab, and click the Certificates button.
- In the Certificates window, click on the Trusted Root Certification Authorities tab and select the OSG Grid Root CA certificate. Below the Import and Export buttons, the "Certificate intended purposes" field should say "<All>".
- If not, click the Advanced button to open the Advanced Options window where you can click on checkboxes to enable the missing Certificate Purposes. Then click OK.
- Click on the Intermediate Certification Authorities tab and select the OSG Grid CA-1 certificate and repeat the above actions.
Macintosh OS X Keychain Files
The Macintosh OS handles certificates (and other sensitive information) using keychain files. There is information about keychain files in the standard Macintosh help files. Briefly, certificates are stored in protected keychain files. Some browsers and email applications access the certificates via these files.
The OSG CA certificates can be installed in the keychain via two methods. The individual CA certificates can be downloaded as PEM-format .cer files and imported directly, or they can be installed by importing the PKCS#12 package (.p12 file) you get from the OSG with your personal certificate and private key (this can be done by double-clicking on the .p12 file). When you import the PEM-format certificates, you are presented with a pop-up dialog to set the CA certificate trust settings (or certificate usages), but this does not happen when you import the CA certificates from the PKCS#12 file. In this second case, the trust settings must be corrected manually. The following are instructions on how to manually edit the CA certificate trust settings.
To manually edit the CA certificate trust setting using the Keychain Access application:
Go to Applications -> Utilities -> Keychain Access.
Select a keychain containing the CA certificates (this could be the login or System keychain).
Select an OSG CA certificate, either the CA-1 or Root certificate. If the certificate icon has a small "+" superimposed, then this certificate probably already has the correct trust settings.
Open the certificate information window by using the File > Get Info menu or right-clicking (control-click) and selecting Get Info from the context menu. If there is a small "+" followed by "This certificate is marked as trusted for this account", then this certificate has the correct trust settings.
In the certificate information window, open the Trust tab. Under When using this certificate, select Always Trust from the pulldown menu.
Close the certificate information window and repeat the steps for the other OSG CA certificate.