Jefferson Lab Root Certificate Authority -- Client Instructions

JLab maintains its own Certificate Authority to create and sign TLS/SSL certificates used to secure connections to numerous web and other network services. You must install JLab's signing certificate into your web browsers, email, and other clients that use TLS/SSL for secure connections. Without installing this certificate, some clients may generate warnings, while others may simply not connect.

Note: Some programs give you the option of adding an exception, or otherwise ignoring whatever warning condition is detected. Such exceptions should never be made unless you are very certain of what you are doing and know for sure that the exception is safe.

JLab Root Signing Certificate

The certificate file that must be installed is available via the link below. It's identifying "fingerprint" (also, occasionally called the "thumbprint") is also provided. When installing any certificate, its fingerprint should be confirmed using a trusted source to insure the certificate is not forged.
  Depending on the program, the fingerprint is sometimes shown with colons between
  each pair of digits. This does not constitute a mismatch, it is simply 
  an attempt to make it easier to read.
Note: For convenience, this certificate file is also available at /site/etc/openssl/JLabWinCA.crt (on Windows systems, this is K:\etc\openssl\JLabWinCA.crt)


All users should follow the instructions for Firefox and Thunderbird. Instructions for other client programs are provided for users who use them.

Step 1 -- Download and save the certificate for installation into other programs

Step 2 -- Install the certificate in Firefox

Step 3 -- Install the saved certificate file into Thunderbird

Upon completion of the steps above, Thunderbird should now happily connect to JLab TLS/SSL-enabld mail servers without generating warnings. If you get any warnings or errors from here on, they should be reported and the cause found and fixed.

Optional Additional Instructions for Other TLS/SSL Client Programs

Internet Explorer (IE)

With IE, when you click on the URL link above, you will get a dialog asking to open or save the file.


Chrome uses the same set of Certificates as IE. So, if you've installed the certificate for Internet Explorer, it is not necessary to install it in Chrome. If you use Chrome but not IE, the process of installing it is similar --