| CURRENT (as of March 10, 2013) XSEDE APPROVED CAs: |
| |
| Revision History |
| ----------------- |
| 3/10/2013 [Removed retired NCSA GridShib CA; Replaced 10718cba.crl_url: new file removed http://crl.doegrids.org/cilogon-basic.crl] |
| |
| 1/30/2013 [Added DOEGrids CA S/N 0x47 valid 2002-12-5..2018-01-25 12d0da68.* 1c3f2ca8.*] |
| |
| 1/28/2013 [Removed expiring UK EScience CA 53729190.* 367b75c3.*, DOE Grids CA 12d0da68.* 1c3f2ca8.*, and SDSC NPACI CA 9117797f.* b89793e4.*] |
| |
| 1/11/2013 [Removed Decommissioned TACC CAs 9a1da9f9 and f30e4b25] |
| |
| 11/1/2012 [Removed expired UK EScience CA certs and files 367b75c3.*, corrected filenames and symlinks for UK EScience CA certs] |
| |
| 8/8/12 [Corrected issues with signing policies of the recently added UK e-science CAs 1b6f5ede and ffc3d59b] |
| |
| 7/23/12 [Added UK eScienceCA 2A and 2B Files from igtf tarball v1.48] |
| |
| 4/11/2011 [Added newly TAGPMA accredited NCSA 2-factor SLCS CA (Added to IGTF distribution 3/26/2012).] |
| |
| 1/4/2012 [Added newly TAGPMA accredited NICS MyProxy CA] |
| |
| 6/1/2011 [Added KEK GRID CA (TAGPMA Certified)] |
| |
| 5/4/2011 [Added NERSC CA (TAGPMA Certified)] |
| |
| 1/25/2011 [Added OpenSSL 1.x hash symbolic links for *.0, *.signing_policy, |
| *.info, & *.namespaces files on Jan 25 2011] |
| |
| |
| DOE SCIENCE GRID: |
| ----------------- |
| |
| Added extended CA certificate (S/N 0x47 valid 2002-12-5..2018-01-25 12d0da68.* 1c3f2ca8.*) 2013-01-30 |
| |
| Removed expired CA certificate 2013-01-28 |
| |
| [Updated signing certificates (validity dates extended) & signing_policies for DOEGrids and ESnet, and crl_url for ESnet, Nov 3, 2006] |
| [Updated CRL URL for DOEGrids CA 1, May 1, 2008 (mccreary)] |
| |
| 1c3f2ca8.0 |
| /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 |
| 1c3f2ca8.crl_url |
| http://crl.doegrids.org/1c3f2ca8/1c3f2ca8.r0 |
| 1c3f2ca8.signing_policy |
| |
| d1b603c3.0 |
| /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1 |
| d1b603c3.crl_url |
| http://www.es.net/CA/d1b603c3/d1b603c3.r0 |
| d1b603c3.signing_policy |
| |
| IRISGrid (Spain): |
| ----------------- |
| |
| 9dd23746.0 |
| DC=es, DC=irisgrid, CN=IRISGridCA |
| 9dd23746.crl_url |
| http://www.irisgrid.es/pki/crl/cacrl.pem |
| 9dd23746.signing_policy |
| |
| NCSA: |
| ----- |
| |
| [ Verified 13May09 by mccreary, see NCSA_CACL_provenance for details ] |
| 9b95bbf2.0 |
| [ Updated 31Jan11 by jbasney with new Not After date: Apr 2027 ] |
| C=US, O=National Center for Supercomputing Applications, OU=Certificate Authorities, CN=CACL |
| http://ca.ncsa.uiuc.edu/9b95bbf2.r0 |
| 9b95bbf2.signing_policy |
| |
| [ Updated 31Jan11 by jbasney with new Not After date: Apr 2027 ] |
| [ Verified 07Oct09 by mccreary, see NCSA_MyProxy_provenance for details ] |
| f2e89fe3.0 |
| C=US, O=National Center for Supercomputing Applications, OU=Certificate Authorities, CN=MyProxy |
| http://ca.ncsa.uiuc.edu/f2e89fe3.r0 |
| f2e89fe3.signing_policy |
| |
| [ Added 13May09 by mccreary, see NCSA_GridShib_provenance for details ] |
| e8ac4b61.0 |
| /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=GridShib CA |
| e8ac4b61.crl_url |
| http://ca.ncsa.uiuc.edu/e8ac4b61.r0 |
| e8ac4b61.signing_policy |
| |
| PITTSBURGH SUPERCOMPUTING CENTER: |
| --------------------------------- |
| |
| [ Verified 23Apr10 by mccreary, see PSC_provenance for details ] |
| 9b88e95b.0 |
| subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Root CA |
| 9b88e95b.crl_url |
| http://www.psc.edu/ca/crl/9b88e95b.crl |
| 9b88e95b.psc-root.cadesc |
| 9b88e95b.signing_policy |
| |
| [ Verified 23Apr10 by mccreary, see PSC_provenance for details ] |
| acc06fda.0 |
| subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Hosts CA |
| acc06fda.crl_url |
| http://www.psc.edu/ca/crl/acc06fda.crl |
| acc06fda.psc-host.cadesc |
| acc06fda.signing_policy |
| |
| [ Added 23Apr10 by mccreary, see PSC_provenance for details ] |
| 4b2783ac.0 |
| subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA |
| 4b2783ac.crl_url |
| http://www.psc.edu/ca/crl/4b2783ac.crl |
| 4b2783ac.psc-myproxy.cadesc |
| 4b2783ac.signing_policy |
| 4b2783ac.info |
| 4b2783ac.namespaces |
| |
| Purdue University: |
| ------------------ |
| |
| 67e8acfa.0 |
| /CN=Purdue TeraGrid RA/OU=Purdue TeraGrid/O=Purdue University/ST=Indiana/C=US |
| 67e8acfa.crl_url |
| http://tg-ca.purdue.teragrid.org:8080/67e8acfa.r0 |
| 67e8acfa.signing_policy |
| |
| 95009ddc.0 |
| /CN=PurdueCA/O=Purdue University/ST=Indiana/C=US |
| 95009ddc.crl_url |
| http://tg-ca.purdue.teragrid.org:8080/95009ddc.r0 |
| 95009ddc.signing_policy |
| |
| |
| SDSC: |
| ----- |
| |
| 3deda549.0 |
| /C=US/O=SDSC/OU=SDSC-CA/CN=Certificate Authority/UID=certman |
| 3deda549.crl_url |
| http://www.sdsc.edu/CA/3deda549.r0 |
| 3deda549.signing_policy |
| |
| b89793e4.0 |
| /C=US/O=NPACI/OU=SDSC/CN=Certificate Manager/UID=certman |
| b89793e4.crl_url |
| http://www.npaci.edu/CA/b89793e4.r0 |
| b89793e4.signing_policy |
| |
| |
| TACC: |
| ----- |
| |
| [ New TACC CA currently under review - added now to permit testing ] |
| |
| 9a1da9f9.0 |
| /C=US/O=UTAustin/OU=TACC/CN=TACC Certification Authority/UID=caman |
| 9a1da9f9.crl_url |
| http://www.tacc.utexas.edu/CA/CRL |
| 9a1da9f9.signing_policy |
| |
| [ New TACC root and classic CA added, Dec 2008 (mccreary) ] |
| 684261aa.0 |
| /DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Root CA |
| 684261aa.crl_url |
| http://www.tacc.utexas.edu/CA/684261aa.r0 |
| 684261aa.signing_policy |
| 684261aa.tacc.cadesc |
| 684261aa.tacc.cadesc.sig |
| |
| e5cc84c2.0 |
| /DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Classic CA |
| e5cc84c2.crl_url |
| http://www.tacc.utexas.edu/CA/e5cc84c2.r0 |
| e5cc84c2.signing_policy |
| e5cc84c2.tacc.cadesc |
| e5cc84c2.tacc.cadesc.sig |
| |
| See TACC_provenance for signed statement of certificate origin |
| |
| [ Added 13May09 by mccreary, see TACC_MICS_provenance for details ] |
| 2ac09305.0 |
| /DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC MICS CA |
| 2ac09305.crl_url |
| http://www.tacc.utexas.edu/CA/2ac09305.r0 |
| 2ac09305.signing_policy |
| |
| UK E-Science CA: |
| ---------------- |
| |
| [ Jan 28, 2013: Removed (again?) EScience CA cert and files 53729190.* 367b75c3.*] |
| |
| [ Nov 1, 2012: Removed expired EScience CA cert and files 367b75c3.* ] |
| |
| [ Nov 1, 2012: swapped filenames and links for consistency with other CA cert file naming ] |
| |
| $ ls -l 877af676.* |
| lrwxr-xr-x 1 JimMarsteller staff 10 Nov 1 15:30 877af676.0 -> 1b6f5ede.0 |
| lrwxr-xr-x 1 JimMarsteller staff 16 Nov 1 15:31 877af676.crl_url -> 1b6f5ede.crl_url |
| lrwxr-xr-x 1 JimMarsteller staff 23 Nov 1 15:30 877af676.signing_policy -> 1b6f5ede.signing_policy |
| $ ls -l 1b6f5ede.* |
| -rw-r--r--@ 1 JimMarsteller staff 1367 Jul 11 09:55 1b6f5ede.0 |
| -rw-r--r--@ 1 JimMarsteller staff 43 Jul 11 10:33 1b6f5ede.crl_url |
| -rw-r--r--@ 1 JimMarsteller staff 237 Jul 11 09:55 1b6f5ede.signing_policy |
| $ ls -l 530f7122.* |
| lrwxr-xr-x 1 JimMarsteller staff 10 Nov 1 15:26 530f7122.0 -> ffc3d59b.0 |
| lrwxr-xr-x 1 JimMarsteller staff 16 Nov 1 15:28 530f7122.crl_url -> ffc3d59b.crl_url |
| lrwxr-xr-x 1 JimMarsteller staff 23 Nov 1 15:27 530f7122.signing_policy -> ffc3d59b.signing_policy |
| $ ls -l ffc3* |
| -rw-r--r--@ 1 JimMarsteller staff 1367 Jul 11 10:28 ffc3d59b.0 |
| -rw-r--r--@ 1 JimMarsteller staff 43 Jul 11 10:33 ffc3d59b.crl_url |
| -rw-r--r--@ 1 JimMarsteller staff 237 Jul 11 10:29 ffc3d59b.signing_policy |
| |
| [ addition of UK eScienceCA 2A and 2B, Jul 2012 (fest) ] |
| Files from igtf tarball v1.48 |
| |
| 877af676.0 |
| 877af676.signing_policy |
| 530f7122.0 |
| 530f7122.signing_policy |
| |
| wget https://dist.eugridpma.info/distribution/igtf/current/https://dist.eugridpma.info/distribution/igtf/current/igtf-policy-installation-bundle-1.48.tar.gz |
| |
| added hashes for v1 as well. |
| |
| [ removal of old UK eScience certificates and urls, Aug 2008 (shelmire) ] |
| |
| Files |
| adcbc9ef.0 |
| adcbc9ef.signing_policy |
| 8175c1cd.0 |
| 8175c1cd.signing_policy |
| |
| have been removed. The host that was holding these certificates may have been compromised. The UK E-Science CA is no longer honoring them. |
| |
| [ Replacement UK eScience certificates, May 2008 (mccreary) ] |
| |
| Retrieved from |
| <https://dist.eugridpma.info/distribution/igtf/current/accredited/tgz/> |
| ca_UKeScienceRoot-2007-1.21.tar.gz |
| ca_UKeScienceCA-2007-1.21.tar.gz |
| ca_UKeScienceRoot-1.21.tar.gz |
| ca_UKeScienceCA-1.21.tar.gz |
| |
| on 22May08. Web server presented certificate w/ subject: |
| |
| CN = dist.eugridpma.info |
| O = NIKHEF |
| OU = PDP |
| Serial Num = 01:00:00:00:00:01:10:E4:53:B7:A5 |
| |
| from authority: |
| |
| CN = Cybertrust Educational CA |
| O = Cybertrust |
| OU = Educational CA |
| |
| Valid from 21Feb07 until 21Feb2010 |
| |
| Fingerprints: |
| SHA1 7D:EF:99:28:66:AB:46:91:AE:0C:05:59:8A:F8:69:60:0F:E0:E0:24 |
| MD5 5D:AE:44:D1:14:F6:E8:8A:BB:EE:AD:3F:7A:1F:13:6D |
| |
| Updated: 367b75c3.0 |
| 367b75c3.signing_policy |
| 98ef0ee5.0 |
| 98ef0ee5.signing_policy |
| |
| *.crl_url files left unchanged, only difference is .pem extension |
| |
| 1c1 |
| < http://ca.grid-support.ac.uk/pub/crl/ca-crl.der |
| --- |
| > http://ca.grid-support.ac.uk/pub/crl/ca-crl.pem |
| |
| Also verifiedi: adcbc9ef.0 |
| adcbc9ef.signing_policy |
| 8175c1cd.0 |
| 8175c1cd.signing_policy |
| |
| Note that *crl_url for these certs also differs in the extension |
| |
| 1c1 |
| < http://ca.grid-support.ac.uk/pub/crl/escience-root-crl.crl |
| --- |
| > http://ca.grid-support.ac.uk/pub/crl/escience-root-crl.pem |
| |
| [ New UK eScience CAs November 2007 (cab) ] |
| |
| 367b75c3.0 |
| subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA |
| 367b75c3.crl_url= http://ca.grid-support.ac.uk/pub/crl/ca-crl.pem |
| 367b75c3.signing_policy |
| |
| 98ef0ee5.0 |
| subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root |
| 98ef0ee5.crl_url= http://ca.grid-support.ac.uk/pub/crl/root-crl.pem |
| 98ef0ee5.signing_policy |
| |
| [ New UK eScience CAs August 2006 ] |
| [ As of Nov. 27, 2007 No new certificates will be issued by this CA (cab) ] |
| [ Updated the CRL URL location to point to an unpublished PEM file (cab) ] |
| 8175c1cd.0 |
| subject= /C=UK/O=eScienceRoot/OU=Authority/L=Root/CN=CA |
| 8175c1cd.crl_url |
| http://ca.grid-support.ac.uk/pub/crl/escience-root-crl.pem |
| 8175c1cd.signing_policy |
| |
| adcbc9ef.0 |
| subject= /C=UK/O=eScienceCA/OU=Authority/CN=CA |
| adcbc9ef.crl_url |
| http://ca.grid-support.ac.uk/pub/crl/escience-ca-crl.pem |
| adcbc9ef.signing_policy |
| |
| [ UDATED Oct. 16 2007 - updated expired certificate URL (jam) ] |
| [ REMOVED Oct. 1 2007 - purged expired certificat (cab) ] |
| [ EXPIRING Aug 4 10:36:41 2007 GMT - no new certificates to be issued after Aug 2006 ] |
| [ previously approved for limited use until 12/31/2003; re-added for Reality-Grid |
| users under Bruce Boghosian (Tufts) TeraGrid project 08/18/2004 - dsimmel ] |
| 01621954.0 |
| /C=UK/O=eScience/OU=Authority/CN=CA/emailAddress=ca-operator@grid-support.ac.uk |
| 01621954.crl_url |
| http://ca.grid-support.ac.uk/cgi-bin/importCRL.pem |
| 01621954.signing_policy |
| |
| |
| University of Southern California (USC) CA & KCA: |
| ------------------------------------------------- |
| |
| [ added March 2005 to facilitate SCEC project users ] |
| [ removed January 2011 due to CA certificate expiration (jbasney) ] |
| |
| 2ca73e82.0 |
| /C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=University of Southern California PKI-Lite CA, release 1/emailAddress=nmiadmin@usc.edu |
| 2ca73e82.crl_url |
| http://www.usc.edu/isd/services/authx/CA/2ca73e82.r0 |
| 2ca73e82.signing_policy |
| |
| [ USC Kerberos Certification Authority only issues short term certs for proxy use |
| and has no Certificate Revocation List ] |
| |
| [ USC KCA v2 service certificate fa9c3452.0 expired March 2, 2006 - the new v3 appears below ] |
| [ USC KCA v3 service certificate b57985f0.0 expired again on March 2, 2006, removed from the tarball, WJL] |
| b57985f0.0 |
| /C=US/ST=California/L=Los Angeles/O=University of Southern California/OU=Information Services Division/CN=University of Southern California KCA v3/emailAddress=nmiadmin@usc.edu |
| b57985f0.signing_policy |
| |
| |
| INFN (Italy) CA: |
| --------------- |
| |
| [ added March 2006 in preparation for user demo at GGF17 Tokyo May 2006 ] |
| [ removed as it expired Sept. 18, 2007 ] |
| 49f18420.0 |
| /C=IT/O=INFN/CN=INFN Certification Authority |
| 49f18420.crl_url |
| http://security.fi.infn.it/CA/crl.pem |
| 49f18420.signing_policy |
| |
| [ added on Oct. 1, 2007 to reflect the issuing of a new CA (cab) ] |
| [ Renamed the CRL URL to reflect an upublished PEM encoded file (cab) ] |
| [ Updated signing policy, May 1, 2009 (mccreary) ] |
| 2f3fadf6.0 |
| /C=IT/O=INFN/CN=INFN CA |
| http://security.fi.infn.it/CA/INFNCA_crl.pem |
| 2f3fadf6.signing_policy |
| |
| |
| Dutch Grid and NIKHEF CA: |
| ------------------------ |
| |
| [ added March 2006 in preparation for user demo at GGF17 Tokyo May 2006 ] |
| |
| 16da7552.0 |
| /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth |
| 16da7552.crl_url |
| http://ca.dutchgrid.nl/medium/cacrl.pem |
| 16da7552.signing_policy |
| |
| |
| AIST (Japan) CA: |
| --------------- |
| |
| [ added March 2006 for GridRPC Materials Science production runs ] |
| |
| a317c467.0 |
| /C=JP/O=AIST/OU=GRID/CN=Certificate Authority |
| a317c467.crl_url |
| https://www.apgrid.org/CA/AIST/Production/a317c467.r0 |
| a317c467.signing_policy |
| |
| |
| NERSC SLCS CA: |
| |
| [ Added Apr 27 2011 per TeraGrid Ticket 198964 ] |
| |
| $ wget https://dist.eugridpma.info/distribution/igtf/current/igtf-policy-installation-bundle-1.38.tar.gz |
| --2011-04-27 10:37:26-- https://dist.eugridpma.info/distribution/igtf/current/igtf-policy-installation-bundle-1.38.tar.gz |
| Resolving dist.eugridpma.info... 194.171.96.74 |
| Connecting to dist.eugridpma.info|194.171.96.74|:443... connected. |
| HTTP request sent, awaiting response... 200 OK |
| Length: 150942 (147K) [application/x-gzip] |
| Saving to: `igtf-policy-installation-bundle-1.38.tar.gz' |
| 100%[======================================>] 150,942 223K/s in 0.7s |
| 2011-04-27 10:37:28 (223 KB/s) - `igtf-policy-installation-bundle-1.38.tar.gz' saved [150942/150942] |
| $ wget https://dist.eugridpma.info/distribution/igtf/current/igtf-policy-installation-bundle-1.38.tar.gz.asc |
| --2011-04-27 10:37:48-- https://dist.eugridpma.info/distribution/igtf/current/igtf-policy-installation-bundle-1.38.tar.gz.asc |
| Resolving dist.eugridpma.info... 194.171.96.74 |
| Connecting to dist.eugridpma.info|194.171.96.74|:443... connected. |
| HTTP request sent, awaiting response... 200 OK |
| Length: 189 [text/plain] |
| Saving to: `igtf-policy-installation-bundle-1.38.tar.gz.asc' |
| 100%[======================================>] 189 --.-K/s in 0s |
| 2011-04-27 10:37:49 (1.80 MB/s) - `igtf-policy-installation-bundle-1.38.tar.gz.asc' saved [189/189] |
| $ gpg --verify igtf-policy-installation-bundle-1.38.tar.gz.asc |
| gpg: Signature made Fri Feb 4 05:14:38 2011 CST using DSA key ID 3CDBBC71 |
| gpg: Good signature from "EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>" |
| $ tar xfz igtf-policy-installation-bundle-1.38.tar.gz |
| $ cd igtf-policy-installation-bundle-1.38/src/accredited/ |
| $ cp NERSC-SLCS.* ~/cvs/repo.teragrid.org/security/certificates |
| $ cd ~/cvs/repo.teragrid.org/security/certificates/ |
| $ mv NERSC-SLCS.pem b93d6240.0 |
| $ mv NERSC-SLCS.info b93d6240.info |
| $ mv NERSC-SLCS.crl_url b93d6240.crl_url |
| $ mv NERSC-SLCS.signing_policy b93d6240.signing_policy |
| $ rm NERSC-SLCS.namespaces |
| $ ln -s b93d6240.0 20b7db76.0 |
| $ ln -s b93d6240.signing_policy 20b7db76.signing_policy |