Bug #5997
[closed] Restrict KNB trusted CAs
Start date: 06/05/2013
% Done: 0%
Description
Instead of trusting all commercial CAs, the KNB Member Node should only trust the DataONE and CILogon certificate authorities.
To see a list of all of them that are (currently) trusted:
openssl s_client -connect knb.ecoinformatics.org:443
Updated by ben leinfelder over 11 years ago
We should be able to simply use the DataONE chain file that we have installed already:
SSLCACertificatePath /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/certs/DataONECAChain.crt
(i.e., comment out the first line)
Updated by ben leinfelder over 11 years ago
- Status changed from New to Closed
Commented out the line that includes all CAs in /etc/ssl/certs and reloaded Apache. Now we are down to the short list of accepted CAs.
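The check used in this ticket (list the CA names the server advertises with `openssl s_client`, then confirm the list shrank after the Apache change) can be scripted. The following is an added example, not part of the original ticket; the allowlist pattern `ALLOWED_RE` and both sample outputs are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit the CA names a server advertises for client-certificate auth.
# Live use against the host from the ticket:
#   openssl s_client -connect knb.ecoinformatics.org:443 </dev/null 2>/dev/null | unexpected_cas

# Assumption: allowed issuers are recognised by these DN fragments; tighten to full DNs as needed.
ALLOWED_RE='DataONE|CILogon'

# Print each DN listed under "Acceptable client certificate CA names".
# DN lines always contain "=", so the first line without one ends the list.
acceptable_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && !/=/ { in_list = 0 }
    in_list { print }
  '
}

# Print advertised CAs outside the allowlist.
# Returns 0 if all are allowed, 1 if extras exist, 2 if no CA list was sent at all.
unexpected_cas() {
  local cas extra
  cas=$(acceptable_cas)
  [ -n "$cas" ] || return 2
  extra=$(printf '%s\n' "$cas" | grep -Ev -- "$ALLOWED_RE" || true)
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra"
  return 1
}

# Constructed s_client excerpts (not captured from the real server).
SAMPLE_BEFORE='---
Acceptable client certificate CA names
DC = org, DC = dataone, CN = DataONE Production CA
C = XX, O = Example Commercial Trust, CN = Example Commercial Root CA
DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Basic CA 1
Client Certificate Types: RSA sign, ECDSA sign
---'
SAMPLE_AFTER='---
Acceptable client certificate CA names
DC = org, DC = dataone, CN = DataONE Production CA
DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Basic CA 1
---'
```

A return status of 2 means the server sent no CA list at all, which is a different condition from a clean list and should be looked at separately.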