To bootstrap your trusted metadata process, you MUST check the integrity of the metadata signing certificate configured into that process. It is not sufficient to fetch the certificate via a TLS-protected HTTPS connection, which is why the sample procedure shown below does not rely on TLS.
The metadata signing certificate used to verify the XML signature on one of the new Metadata Aggregates is stored at the following HTTP location:
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use openssl to compute the fingerprints of the metadata signing certificate, which you then compare with the values you obtained through an independent channel, as follows:
# get the metadata signing certificate on md.incommon.org
$ MD_CERT_LOCATION=http://md.incommon.org/certs/inc-md-cert.pem
$ MD_CERT_PATH=/path/to/inc-md-cert.pem
$ /usr/bin/curl --silent --dump-header /dev/tty $MD_CERT_LOCATION > $MD_CERT_PATH
HTTP/1.1 200 OK
Date: Thu, 19 Dec 2013 14:01:00 GMT
Server: Apache
Last-Modified: Wed, 18 Dec 2013 21:08:31 GMT
ETag: "150037-4fd-4edd5727611c0"
Accept-Ranges: bytes
Content-Length: 1277
Connection: close
Content-Type: text/plain; charset=UTF-8

# compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B
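The same fingerprint check, done in Python without shelling out to openssl, as an added example that is not part of the InCommon procedure above. It hashes the DER bytes inside the PEM file exactly as openssl x509 -fingerprint does, and compares the result in constant time against a pin copied from an independent channel (for the real certificate that pin would be the SHA-256 value shown above). SAMPLE_PEM is a constructed placeholder whose base64 body decodes to the bytes "abc", a standard hash test vector, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample, NOT a real certificate: the body decodes to b"abc"
# so the expected fingerprint can be checked against published test vectors.
# In practice read the file fetched from md.incommon.org instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block and decode it to DER bytes.
    openssl's -fingerprint hashes the DER encoding, so that is what we hash."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algo: str = "sha256") -> str:
    """Return the fingerprint in openssl's colon-separated uppercase format."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(fp: str) -> str:
    """Canonicalise a fingerprint as copied from a web page or e-mail:
    strip colons, spaces and other separators, then upper-case it."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches_pin(pem_text: str, expected: str, algo: str = "sha256") -> bool:
    """True iff the certificate's fingerprint equals the out-of-band pin.
    Rejects pins of the wrong length (e.g. a truncated copy or a SHA-1 pin
    given where SHA-256 is expected) and compares in constant time."""
    want = normalize(expected)
    if len(want) != 2 * hashlib.new(algo).digest_size:
        return False
    actual = normalize(fingerprint(pem_text, algo))
    return hmac.compare_digest(actual.encode(), want.encode())


if __name__ == "__main__":
    pin = "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
    print("SHA256 Fingerprint=" + fingerprint(SAMPLE_PEM))
    print("pin matches:", matches_pin(SAMPLE_PEM, pin))
```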