For backwards compatibility only, this page and the list of accepted root CA certificates is still supported for existing installations. However, this list of CAs is frozen and its use is deprecated as of September 2008.
In addition to the Federation Metadata, Identity Providers have to update the CA root certificates accepted by the SWITCHaai or the AAI Test Federation.
When a Service Provider fetches the attributes from a user's Identity Provider, the CA root certificates enable the Attribute Authority (AA) to perform client authentication, which is required to do proper ARP processing.
Depending on what you have installed, you will have to update Apache's
CA-bundle or Tomcat's Java keystore for the CA certificates.
In httpd.conf, the configuration variables SSLCACertificatePath or
SSLCACertificateFile point to the CA root certificates file(s) used for SSL
encryption. Typically there's a certificate bundle file (go to the certificates page to get this file).
It contains the CA root certificates used as trust anchors for the SWITCHaai
federation. For details refer to the IdP Deployment Guide for Tomcat with Apache.
In Tomcat, you have (at least) two options to use the CA root certificates:
A ready-made truststore.jks with the CA root certificates used in SWITCHaai can be downloaded here.
In both cases, new cacerts can be added with Java's keytool utility (with superuser rights).
# keytool -import -v -trustcacerts -alias <cacertificatealias> \ -file certificatefile.crt -storepass STOREPASS \ -keystore truststore.jks
Substitute STOREPASS with your password for the truststore. If you omit the keystore option, the CA certificates gets imported into Java's default keystore, the cacerts file, which has the password "changeit".
To start with an empty keystore, create one by typing the following lines:
# keytool -genkey -alias foo -keystore truststore.jks # keytool -delete -alias foo -keystore truststore.jks
The following lines show how to get, check and add all the accepted CA root certificates to a keystore file named truststore.jks. "keytool" may notify you that the imported certificates already exist in the system-wide CA keystore. If you use your own keystore for the CA root certs, just say "yes".
# wget http://www.switch.ch/aai/docs/ca-certs/swisssignca.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/tctrustcenterclass2ca.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/tctrustcenterclass3ca.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/thawteserverca.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/thawtepremiumserverca.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/verisignclass3ca.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/epfl.PEM.crt # wget http://www.switch.ch/aai/docs/ca-certs/gtecybertrustglobalroot.PEM.crt # keytool -import -v -trustcacerts -alias swisssignca \ -file ./swisssignca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias tctrustcenterclass2ca \ -file ./tctrustcenterclass2ca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias tctrustcenterclass3ca \ -file ./tctrustcenterclass3ca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias thawteserverca \ -file ./thawteserverca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias thawtepremiumserverca \ -file ./thawtepremiumserverca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias verisignclass3ca \ -file ./verisignclass3ca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias epflca \ -file ./epfl.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias gtecybertrustglobalca \ -file ./gtecybertrustglobalroot.PEM.crt -keystore ./truststore.jks