Bug #5997

Restrict KNB trusted CAs

Added by ben leinfelder over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: -
Target version:
Start date: 06/05/2013
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id:
Description

Instead of trusting all commercial CAs, the KNB Member Node should only trust the DataONE and CILogon certificate authorities.

To see a list of all of them that are (currently) trusted:

openssl s_client -connect knb.ecoinformatics.org:443

History

#1 Updated by ben leinfelder over 7 years ago

We should be able to simply use the DataONE chain file that we have installed already:

SSLCACertificatePath /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt

(i.e., comment out the first line)

#2 Updated by ben leinfelder over 7 years ago

  • Status changed from New to Closed

Commented out the line that includes all CAs in /etc/ssl/certs and reloaded Apache. Now we are down to the short list of accepted CAs.
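The `openssl s_client` check from the description is the right way to confirm the change in comment #2 from the outside, because the list it prints under "Acceptable client certificate CA names" is what mod_ssl advertises in its TLS CertificateRequest, and with the default directives that is exactly the contents of SSLCACertificateFile plus SSLCACertificatePath. The script below is an added example and not code from this ticket or from the KNB/Metacat/DataONE projects: it extracts that section from s_client output and flags every issuer that is not on an allow-list. The DN strings, the allow-list and the two captured outputs are constructed for the demo; the real DataONE and CILogon CA subjects are not on this page and would be taken from the installed chain file.

```shell
#!/bin/sh
# Added example, not code from the KNB ticket or the Metacat/DataONE projects.
# Extracts the client-certificate CA names a TLS server advertises (the
# "Acceptable client certificate CA names" section `openssl s_client` prints
# from the server's CertificateRequest) and flags any issuer that is not on
# an allow-list. The DNs, allow-list and captured output below are
# constructed for the demo; the real DataONE and CILogon CA subjects differ.

# Read s_client output on stdin, print one advertised CA DN per line.
# The section ends at the next "---" separator (OpenSSL 1.0) or at the
# "Client Certificate Types" / "Requested Signature Algorithms" headers
# that OpenSSL 1.1+ prints right after the names.
extract_client_cas() {
    awk '
        /^Acceptable client certificate CA names$/ { inblock = 1; next }
        inblock && (/^---$/ || /^Client Certificate Types/ || /^Requested Signature Algorithms/) { exit }
        inblock { print }
    '
}

# Count the advertised CAs (0 when the server sends none).
count_client_cas() {
    extract_client_cas | awk 'END { print NR }'
}

# Read DNs on stdin and compare them with an allow-list file holding one
# exact DN per line, in the same format the local openssl prints.
# Prints every DN that is not on the list; returns 1 if any, 0 if clean,
# 2 if the allow-list is unreadable.
check_against_allowlist() {
    [ -r "$1" ] || { echo "allow-list not readable: $1" >&2; return 2; }
    # grep exits 1 when nothing is selected (everything allowed); that is
    # the clean case, so do not let it abort a `set -e` shell.
    unexpected=$(grep -v -x -F -f "$1" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Live check against a real host (needs network and openssl on PATH).
# Usage: audit_client_cas knb.ecoinformatics.org 443 /path/to/allowlist
audit_client_cas() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | extract_client_cas | check_against_allowlist "$3"
}

# Constructed samples of the relevant part of s_client output, before the
# change (every CA in /etc/ssl/certs advertised) and after it (only the
# CAs from the DataONE chain file). DN format follows OpenSSL 1.0.x.
SAMPLE_BEFORE='---
Acceptable client certificate CA names
/C=US/O=DataONE/CN=DataONE Test CA
/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
/C=US/O=Example Commercial CA Inc/CN=Example Commercial Root
---
SSL handshake has read 3011 bytes and written 457 bytes'
SAMPLE_AFTER='---
Acceptable client certificate CA names
/C=US/O=DataONE/CN=DataONE Test CA
/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
---
SSL handshake has read 1542 bytes and written 457 bytes'

# Allow-list with the two constructed DNs we want to see and nothing else.
ALLOWLIST=$(mktemp)
trap 'rm -f "$ALLOWLIST"' EXIT
printf '%s\n' '/C=US/O=DataONE/CN=DataONE Test CA' \
    '/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1' > "$ALLOWLIST"

# Stand-alone demo: report both samples without aborting on the dirty one.
for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$s" | extract_client_cas | check_against_allowlist "$ALLOWLIST"; then
        echo "clean: only allow-listed CAs advertised"
    else
        echo "NOT clean: the CA(s) above are outside the allow-list"
    fi
done
```

Two caveats when running this against a real Member Node. OpenSSL 1.1 and later print DNs as `C = US, O = ...` rather than `/C=US/O=...`, so the allow-list must be written in whatever format the local `openssl` produces (the subjects in the chain file can be listed with `openssl crl2pkcs7 -nocrl -certfile DataONECAChain.crt | openssl pkcs7 -print_certs -noout`). And the advertised list only equals the trusted set when SSLCADNRequestFile/SSLCADNRequestPath are not configured; if they are, mod_ssl advertises those names while still validating against SSLCACertificateFile/Path, and the config itself has to be read.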