JLab Server Certificate Renewals -- possible connection problems for browsers, subversion clients, etc.
Submitted by firstname.lastname@example.org on Thu, 01/12/2017 - 11:30
A few months ago, TLS/SSL certificates for JLab internal web servers were renewed due to their imminent expiration. They are now (January/February 2017) being renewed again so that they carry SHA-2 signatures, issued by our upgraded PKI. SHA-2 signatures on all end-entity and intermediate certificates are required by all browsers, and eventually by other clients, because the previous SHA-1 signature algorithm has been effectively "broken" and is deprecated.
Automatic processes have already installed the new JLabCA root certificate on managed systems at JLab. This includes Windows domain members, Level I and II as well as "CUEified" Macs. The automated process installs the root certificate into the default locations on each platform (Windows, Linux and OS X), which makes it available to most applications on that platform, including Firefox/Thunderbird and the default Java JVM. For other applications that maintain their own key/certificate stores, users will need to install the new certificate manually.
Note that this change affects all JLab servers that use SSL/TLS, including those hosting subversion and other services. As a result, users may see warnings or failures to connect (depending on the configuration of the client application being used). To avoid these warnings, users must install the JLab PKI "root" certificate. Additional information about this issue and the root certificate, along with instructions for installing it, is available at http://pki.jlab.org. As we transition all services to these new certificates, client systems should install BOTH the new JLabCA root certificate and the legacy JLabWinCA root certificate.
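An added example, not part of the original notice: Subversion is one client that keeps its own trust settings, and both roots can be listed in its per-user servers file (~/.subversion/servers on Linux and OS X). The two certificate paths are placeholders for wherever the roots downloaded from http://pki.jlab.org were saved.

```ini
# ~/.subversion/servers
[global]
# Semicolon-separated list of CA certificate files the client should trust.
# Both paths below are placeholders, not actual JLab file locations.
ssl-authority-files = /path/to/JLabCA.pem;/path/to/JLabWinCA.pem
# Keep trusting the platform's default CA store as well.
ssl-trust-default-ca = yes
```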
Subversion Client Warnings
Several users have recently raised questions regarding the server certificates used on subversion servers. If the root certificate is not installed in your subversion configuration, the subversion client generates a warning when it attempts to connect and asks whether you wish to accept the certificate being used, either temporarily or permanently. To help you confirm that you are