Jefferson Lab Root Certificate Authority -- Client Instructions
JLab maintains its own Certificate Authority to create and sign SSL certificates
used to secure connections to numerous web and other network services. You must install
JLab's signing certificate into your web browsers, email, and other
clients that use SSL for secure connections. Without installing this certificate,
some clients may generate warnings, and some may simply not connect.
Note: Some programs give you the option of adding an exception, or otherwise
ignoring whatever warning condition is detected. Such exceptions should never
be made unless you are very certain of what you are doing and know for sure that
the exception is safe.
JLab Root Signing Certificate
The certificate file that must be installed is available via the link below. Its identifying
"fingerprint" (occasionally also called the "thumbprint") is also provided.
When installing any certificate, its fingerprint should be confirmed using a
trusted source to ensure the certificate is not forged.
- Certificate File: JLabWinCA.crt
- Fingerprint: e4 9e bf 21 a0 a2 59 2c 8b 2a 21 44 1e 4e 53 f3 f0 d8 fb e7
Depending on the program, the fingerprint is sometimes shown with colons between
each pair of digits. This does not constitute a mismatch; it is simply
an attempt to make it easier to read.
Note: For convenience, this certificate file is also available at /site/etc/openssl/JLabWinCA.crt
(on Windows systems, this is K:\etc\openssl\JLabWinCA.crt)
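The fingerprint comparison described above can also be scripted. The following is an added example, not part of JLab's instructions; it assumes the downloaded file is saved as JLabWinCA.crt (or is passed as the first argument), and the function names are hypothetical. It hashes the certificate's DER encoding with SHA-1 and ignores spaces, colons, and letter case when comparing.

```python
import hashlib
import ssl
import sys

# Published SHA-1 fingerprint, copied from this page.
PUBLISHED_FP = "e4 9e bf 21 a0 a2 59 2c 8b 2a 21 44 1e 4e 53 f3 f0 d8 fb e7"
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def normalize_fp(text):
    """Drop separators and case so 'e4 9e ..' and 'E4:9E:..' compare equal."""
    digits = "".join(ch for ch in text if ch not in " :\t\r\n").lower()
    if len(digits) != 40 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return digits


def cert_fingerprint(data):
    """SHA-1 over the DER bytes, the value certificate viewers display."""
    if data.lstrip().startswith(PEM_HEADER):
        # A PEM file is base64-wrapped DER; unwrap it before hashing.
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return hashlib.sha1(data).hexdigest()


def fingerprint_matches(data, published=PUBLISHED_FP):
    """True only if the file's fingerprint equals the published one."""
    return cert_fingerprint(data) == normalize_fp(published)


if __name__ == "__main__":
    # Assumed file name; pass a different path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "JLabWinCA.crt"
    with open(path, "rb") as fh:
        ok = fingerprint_matches(fh.read())
    print("fingerprint matches" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

A non-zero exit status means the file's fingerprint differs from the published value and the certificate should not be installed.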
Instructions
All users should follow the instructions for Firefox and Thunderbird. Instructions
for other client programs are provided for users who use them.
Step 1 -- Download and save the certificate for installation into other programs
- To save on your desktop, right-click the link above and select "Save Link As"
- Navigate to a convenient location and save the file
Step 2 -- Install the certificate in Firefox
- Click (not right-click) the link above. You will get the Certificate Download dialog box.
- Check all three check boxes, indicating that this certificate should be trusted to:
  - identify Web Sites
  - identify email users
  - identify software developers
- Click the "view" button to examine the certificate to compare the
  SHA1 fingerprint against that provided above.
- Click "OK" to complete the installation.
Step 3 -- Install the saved certificate file into Thunderbird
- From within Thunderbird, go to Tools -> Options.
- Click on the "Advanced" tab near the top of the dialog box.
- Click on the "Certificates" sub-tab.
- Click the "View Certificates" button
- Select the "Authorities" tab.
- Click the "Import" button to import the file you saved previously.
- Navigate to the file you saved previously and click OK to open it.
- You will get a new dialog box with check boxes allowing you to indicate which purposes
  this certificate should be trusted for. Check all three boxes.
- Click the view button and compare the "SHA1 Fingerprint" to the value
  shown above. If they do not match, cancel the import operation and contact the helpdesk.
- Once you have confirmed the fingerprint value, click close, then OK on the previous dialog to
  complete the import operation. Then, click OK on the Certificate Manager dialog
  and, finally, click OK on the options dialog box to return to Thunderbird.
Upon completion of the steps above, Thunderbird should now happily connect to
JLab SSL-enabled mail servers without generating warnings. If you get any warnings
or errors from here on, they should be reported and the cause found and fixed.
Optional Additional Instructions for Other SSL Client Programs
Internet Explorer (IE)
With IE, when you click on the URL link above, you will get a dialog asking to open or save the file.
- Click on the link above and when asked, select "open"
- You will get a window providing information about the new certificate.
- Select the "details" tab at the top to compare the SHA1 thumbprint to the one provided above.
- After confirming the fingerprint, click the "General" tab
- Click "Install Certificate" near the bottom.
- A wizard will start to install the certificate.
- You will be prompted for which "Certificate Store" should be used for
  the certificate. Select "Place all certificates in the following store"
- Click "browse" and select the "Trusted root certification authorities"
- Click next, then finish to complete the import
Chrome
Chrome uses the same set of Certificates as IE. So, if you've installed the certificate
for Internet Explorer, it is not necessary to install it in Chrome. If you use Chrome but
not IE, the process of installing it is similar --
- Click on the link above
- Chrome will start the download and let you know that this type of file can be harmful,
  asking you to confirm your desire to download and keep the file -- select "Keep"
- At the bottom of the Chrome window, you will see the downloaded file, with a drop
  down arrow allowing you to choose to open the file -- select "Open"
- You will get a window providing information about the new certificate.
- Select the "details" tab at the top to compare the SHA1 thumbprint to the one provided above.
- After confirming the fingerprint, click the "General" tab
- Click "Install Certificate" near the bottom.
- A wizard will start to install the certificate.
- You will be prompted for which "Certificate Store" should be used for
  the certificate. Select "Place all certificates in the following store"
- Click "browse" and select the "Trusted root certification authorities"
- Click next, then finish to complete the import