PSC Public Key Infrastructure Certificate Authorities
PSC operates the Certificate Authorities (CAs) listed below in support of XSEDE and PSC constituent systems, services, and users.
February 28, 2014
Important Host Certificates Update Information
PSC's current host certs will be replaced shortly as they expire on March 5, 2014. This annual procedure is normally a transparent transition, but as required by IGTF, we will begin signing our new host certificates using sha256.
Testing with GSI-OpenSSH and Globus GridFTP has shown no problems so far with sha256-signed certificates, as long as the OpenSSL version used with these services is at least OpenSSL 0.9.8o [01 Jun 2010] - newer releases after OpenSSL 0.9.8o, including OpenSSL 1.x.x are OK too.
Old Globus 4.x-based web services, however, including the TeraGrid/XSEDE MDS information service, balk on sha2* signatures due to reliance on an old library, so we will issue a new (host) container certificate for PSC's TeraGrid/XSEDE MDS service signed using SHA1. All other PSC Host CA-issued certificates will be signed using SHA256.
Per IGTF guidelines (see http://www.eugridpma.org/documentation/hashrat/sha2-timeline), all existing SHA1-signed certificates must expire or be revoked no later than February 1, 2015.
Certificate revocation lists (CRLs) for PSC CAs will remain signed using SHA1 until September 30, 2014 or until our last outstanding SHA1-signed certificate has expired or is revoked, whichever occurs first. CRLs for PSC CAs will be signed using SHA256 thereafter.
Notice will be sent and posted at http://www.psc.edu/ca/ if changes to this schedule are made.
- For Urgent Security Issues, you can contact either PSC or XSEDE for help.
- For general inquiries regarding PSC CA operations and certificates
- For all other PSC inquiries
XSEDE serves as the Registration Authority for the PSC MyProxy CA. To obtain user certificates from the PSC MyProxy CA, you must use MyProxy client software together with your XSEDE username and password. For more information, please see the Getting Started Guide on the XSEDE website.
PSC Certificate Authorities
|PSC Root CA files:|
|PSC Root Certificate Authority (CA) certificate||9b88e95b.0|
|PSC Root CA signing policy||9b88e95b.signing_policy|
|PSC Root CA certificate revocation list (CRL) URL||9b88e95b.crl_url|
|PSC Root CA CRL (DER)||9b88e95b.crl|
|PSC Root CA CRL (PEM)||9b88e95b.r0|
|PSC Root CA gx-map CA description||9b88e95b.psc-root.cadesc|
|PSC Hosts CA files:|
|PSC Hosts CA||acc06fda.0|
|PSC Hosts CA signing policy||acc06fda.signing_policy|
|PSC Hosts CA CRL URL||acc06fda.crl_url|
|PSC Hosts CA CRL (DER)||acc06fda.crl|
|PSC Hosts CA CRL (PEM)||acc06fda.r0|
|PSC Hosts CA gx-map CA description||acc06fda.psc-host.cadesc|
|PSC MyProxy CA files:|
|PSC MyProxy CA||4b2783ac.0|
|PSC MyProxy CA signing policy||4b2783ac.signing_policy|
|PSC MyProxy CA CRL URL||4b2783ac.crl_url|
|PSC MyProxy CA CRL (DER)||4b2783ac.crl|
|PSC MyProxy CA CRL (PEM)||4b2783ac.r0|
|PSC MyProxy CA Certificate Policy / Certification Practice Statement (CP/CPS)||4b2783ac.cps.pdf|
|PSC MyProxy CA example user certificate||4b2783ac.example_cert.txt|
|PSC MyProxy CA gx-map CA description||4b2783ac.psc-myproxy.cadesc|
|PSC MyProxy CA IGTF Information||4b2783ac.info|
|PSC MyProxy CA IGTF Namespaces||4b2783ac.namespaces|
|All PSC CA certificates, signing policies and CRL URLs _above_ (tar)||PSC-CA.tar|
|All PSC CA certificates, signing policies and CRL URLs _above_ (zip)||PSC-CA.zip|
|PSC Web Services CA files:|
|PSC Web Services CA||45086046.0|
|PSC Web Services CA signing policy||45086046.signing_policy|
|PSC Web Services CA CRL URL||45086046.crl_url|
|PSC Web Services CA CRL (DER)||45086046.crl|
|PSC Web Services CA CRL (PEM)||45086046.r0|
|PSC Web Services CA gx-map CA description||45086046.psc-websvc.cadesc|
|Carnegie Mellon University CA|
|Carnegie Mellon University CA||http://www.cmu.edu/computing/doc/web/ca|