
 

Introduction

These instructions address issues with the importation of the OS Grid CA certificates.  In some cases, the Trust settings (also known as the Certificate Purposes) of the CA certificates are not being set properly. This then causes problems when users attempt to use their personal OSG certificates (e.g. for signing email messages).

These instructions reference the OSG Grid CA certificates but may also apply to other CA certificates automatically imported into certificate stores.

 

SeaMonkey Browser v2, Firefox Browser v10 and Thunderbird Mail v10 (any OS)

The OSG CA certificates can be installed in these applications via two methods. The individual CA certificates can be downloaded as PEM-format .cer files and imported directly, or they can be installed by importing the PKCS#12 package (.p12 file) you get from the OSG with your personal certificate and private key. When you import the PEM-format certificates, you are provided with a pop-up dialog to set the CA certificate trust settings (or certificate usages), but this does not happen when you import the CA certificates from the PKCS#12 file. In this second case, the trust settings must be corrected manually. The following are instructions on how to manually edit the CA certificate trust settings.

These applications do not use the operating system security store (i.e. the keychain under Mac OS X). Each application stores certificates in its own private security device, which is not shared with other applications.

First enter the Certificate Manager. This is done slightly differently in each application but all use the same Certificate Manager interface thereafter:

SeaMonkey: From the Edit menu, select Preferences (under the SeaMonkey menu on the Macintosh). Open the Privacy & Security category and click Certificates.  In the Manage Certificates section, click Manage Certificates.  Alternatively, you can select the Certificate Manager item from the Tools menu.

Firefox: From the Edit menu, select Preferences (under the Firefox menu on the Macintosh). Open the Advanced category, select the Encryption tab, and open the View Certificates item.

Thunderbird: From the Edit menu, select Preferences (under the Thunderbird menu on the Macintosh).  Open the Advanced category,  open the Certificates item and click on the View Certificates button.

Once you are in the Certificate Manager, the instructions are the same for all these applications:

1. In the Certificate Manager window, open the Authorities tab.

2. Look for the OSG CA certificates in the list (DC=CILogon OSG CA). Select one of the certificates.

3. Click the Edit Trust... button at the bottom of the window.

4. In the Edit Trust Settings pop-up dialog, you should see three items listed with a check-box in front of each item.

5. All three items should be checked.  If so, click Cancel and continue.  Otherwise, click on each check-box and click OK. The three items control the usage of the certificates issued by the CA corresponding to the CA certificate:

6. Repeat for the other CA certs as needed.
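
The same check can be made outside the GUI with the NSS `certutil` tool, whose `-L` listing shows three trust fields per certificate (SSL, S/MIME, object signing). The Python below is an added example, not part of the original instructions: it assumes those three fields correspond to the three check-boxes in the Edit Trust dialog, and the listing, the nicknames other than "CILogon OSG CA" and the profile path are constructed.

```python
import re
import shlex

PURPOSES = ("SSL", "S/MIME", "object signing")  # order of the NSS trust fields
ROW = re.compile(r"^(?P<nick>.*\S)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed sample of `certutil -L -d <profile-dir>` output.
SAMPLE = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CILogon OSG CA                                               ,,
Example Trusted CA                                           CT,C,C
Example User OSG ID                                          u,u,u
Example Partial CA                                           CT,,
"""

def ca_rows(text):
    """Yield (nickname, [ssl, email, objsign]) for each non-user row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            fields = m.group("trust").split(",")
            # 'u' marks a personal certificate with a private key, not a CA.
            if not any("u" in f for f in fields):
                yield m.group("nick"), fields

def audit(text):
    """Map each CA nickname to the purposes lacking the trusted-CA flag 'C'."""
    return {nick: [p for p, f in zip(PURPOSES, fields) if "C" not in f]
            for nick, fields in ca_rows(text)
            if any("C" not in f for f in fields)}

def fix_commands(text, db_dir):
    """Build `certutil -M` calls that add 'C' where missing, keeping other flags."""
    cmds = []
    for nick, fields in ca_rows(text):
        if all("C" in f for f in fields):
            continue
        fixed = ",".join(f if "C" in f else f + "C" for f in fields)
        cmds.append("certutil -M -d {} -n {} -t {}".format(
            shlex.quote(db_dir), shlex.quote(nick), shlex.quote(fixed)))
    return cmds

if __name__ == "__main__":
    for nick, missing in audit(SAMPLE).items():
        print(nick, "is missing trust for:", ", ".join(missing))
    print("\n".join(fix_commands(SAMPLE, "/path/to/profile")))
```

Review each generated command before running it, and run it only against the certificate database of the profile you intend to change.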

 

Windows 7

Windows stores certificates in a system-wide certificate store that is used by applications such as Internet Explorer and Outlook. Windows systems in the FERMI domain have the OSG CA certificates installed automatically by a GPO (Group Policy Object) of the domain. This ensures that Windows systems in the FERMI domain have the CA certificates installed in the correct Certificate Store and with the correct Certificate Purposes enabled. Standalone Windows 7 systems may have issues with certificates such that a user can neither install nor use their personal certificate, primarily because the Root certificate does not go into the correct Certificate Store. Usually, however, the CA Certificates do get installed with the correct Certificate Purposes, but this setting is easily checked:

 

Macintosh OS X Keychain Files

The Macintosh OS handles certificates (and other sensitive information) using keychain files. There is information about keychain files in the standard Macintosh help files. Briefly, certificates are stored in protected keychain files. Some browsers and email applications access the certificates via these files. 

The OSG CA certificates can be installed in the keychain via two methods. The individual CA certificates can be downloaded as PEM-format .cer files and imported directly, or they can be installed by importing the PKCS#12 package (.p12 file) you get from the OSG with your personal certificate and private key (this can be done by double-clicking on the .p12 file). When you import the PEM-format certificates, you are provided with a pop-up dialog to set the CA certificate trust settings (or certificate usages), but this does not happen when you import the CA certificates from the PKCS#12 file. In this second case, the trust settings must be corrected manually. The following are instructions on how to manually edit the CA certificate trust settings.

To manually edit the CA certificate trust setting using the Keychain Access application:

 

Authored by Fang Wang
Last modified 7 months ago