...
Warning

To bootstrap your trusted metadata process, you MUST check the integrity of the metadata signing certificate configured into that process. Fetching the certificate over a TLS-protected HTTPS connection is not by itself sufficient, which is why the sample procedure shown below does not rely on TLS.
The metadata signing certificate used to verify the XML signature on one of the new Metadata Aggregates is stored at the following HTTP location:
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl and openssl to check the integrity of the metadata signing certificate as follows:
```console
# get the metadata signing certificate on md.incommon.org
$ MD_CERT_LOCATION=http://md.incommon.org/certs/inc-md-cert.pem
$ MD_CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent --dump-header /dev/tty $MD_CERT_LOCATION > $MD_CERT_PATH
HTTP/1.1 200 OK
Date: Thu, 19 Dec 2013 14:01:00 GMT
Server: Apache
Last-Modified: Wed, 18 Dec 2013 21:08:31 GMT
ETag: "150037-4fd-4edd5727611c0"
Accept-Ranges: bytes
Content-Length: 1277
Connection: close
Content-Type: text/plain; charset=UTF-8

# compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
```
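Added example (not part of the InCommon page): a POSIX shell script that turns the manual check above into a fail-closed step, pinning the SHA-256 fingerprint shown on this page and deleting the download on mismatch. It assumes GNU/Linux coreutils (base64, sha256sum) plus curl, and the function names `pem_sha256_fingerprint`, `verify_pinned_fingerprint` and `fetch_and_verify_cert` are introduced here.

```shell
# Pinned SHA-256 fingerprint of the metadata signing certificate. This is the
# value shown on this page; confirm it through an independent channel before
# trusting it, since the fetch itself is over plain HTTP.
PINNED_FP="2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B"

# Print the colon-separated, upper-case SHA-256 fingerprint of a PEM certificate
# file. A certificate fingerprint is SHA-256 over the DER encoding, so this
# yields the same value as "openssl x509 -sha256 -noout -fingerprint" without
# depending on openssl being installed.
pem_sha256_fingerprint() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" \
      | tr -d '\r\n ' \
      | base64 -d \
      | sha256sum \
      | awk '{print toupper($1)}' \
      | sed -e 's/../&:/g' -e 's/:$//'
}

# Return 0 only if the file's fingerprint exactly matches the expected value.
verify_pinned_fingerprint() {
    actual=$(pem_sha256_fingerprint "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Download the certificate with curl (as on the page), then fail closed:
# a mismatching file is deleted so it can never be configured by accident.
fetch_and_verify_cert() {
    url="$1"; dest="$2"; expected="${3:-$PINNED_FP}"
    curl --silent --fail --output "$dest" "$url" || return 1
    if verify_pinned_fingerprint "$dest" "$expected"; then
        echo "fingerprint OK: $dest"
    else
        echo "FINGERPRINT MISMATCH, removing $dest" >&2
        rm -f "$dest"
        return 1
    fi
}
```

Usage: `fetch_and_verify_cert "$MD_CERT_LOCATION" "$MD_CERT_PATH"` exits non-zero and leaves no certificate behind unless the fingerprint matches the pin.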
...