For backwards compatibility only, this page and the list of accepted root CA certificates is still supported for existing installations. However, this list of CAs is frozen and its use is deprecated as of September 2008.

Updating the CA Root Certificates (Shibboleth IdP 1.3)

In addition to the Federation Metadata, Identity Providers have to update the CA root certificates accepted by the SWITCHaai or the AAI Test Federation.

When a Service Provider fetches the attributes from a user's Identity Provider, the CA root certificates enable the Attribute Authority (AA) to perform client authentication, which is required to do proper ARP processing.
Depending on what you have installed, you will have to update Apache's CA-bundle or Tomcat's Java keystore for the CA certificates.


In httpd.conf, the configuration variables SSLCACertificatePath or SSLCACertificateFile point to the CA root certificates file(s) used for SSL encryption. Typically there's a certificate bundle file (go to the certificates page to get this file). It contains the CA root certificates used as trust anchors for the SWITCHaai federation. For details refer to the IdP Deployment Guide for Tomcat with Apache.


In Tomcat, you have (at least) two options to use the CA root certificates:

  1. The cacerts file that comes with your Java installation, a Java keystore in which the most common CA root certificates can be found.
  2. Use a special Java keystore which can be set as a JVM option

A ready-made truststore.jks with the CA root certificates used in SWITCHaai can be downloaded here.

In both cases, new cacerts can be added with Java's keytool utility (with superuser rights).

# keytool -import -v -trustcacerts -alias <cacertificatealias> \ -file certificatefile.crt -storepass STOREPASS \ -keystore truststore.jks

Substitute STOREPASS with your password for the truststore. If you omit the keystore option, the CA certificates gets imported into Java's default keystore, the cacerts file, which has the password "changeit".

Create an empty Java keystore

To start with an empty keystore, create one by typing the following lines:

# keytool -genkey -alias foo -keystore truststore.jks # keytool -delete -alias foo -keystore truststore.jks


The following lines show how to get, check and add all the accepted CA root certificates to a keystore file named truststore.jks. "keytool" may notify you that the imported certificates already exist in the system-wide CA keystore. If you use your own keystore for the CA root certs, just say "yes".

# wget # wget # wget # wget # wget # wget # wget # wget # keytool -import -v -trustcacerts -alias swisssignca \ -file ./swisssignca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias tctrustcenterclass2ca \ -file ./tctrustcenterclass2ca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias tctrustcenterclass3ca \ -file ./tctrustcenterclass3ca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias thawteserverca \ -file ./thawteserverca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias thawtepremiumserverca \ -file ./thawtepremiumserverca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias verisignclass3ca \ -file ./verisignclass3ca.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias epflca \ -file ./epfl.PEM.crt -keystore ./truststore.jks # keytool -import -v -trustcacerts -alias gtecybertrustglobalca \ -file ./gtecybertrustglobalroot.PEM.crt -keystore ./truststore.jks