Apr 26 2006
Installing the GeoTrust CA in Apache/PHP/cURL
SEASnet Computing Facility would like to share how it got the new ISIS SSL certificate authority, GeoTrust, working in a UNIX Apache/PHP/cURL environment. The following article is based on an e-mail to the ISIS developers' list.
If your web application is getting an error with ISIS login, try the following:
1. Your PHP was probably compiled with cURL, e.g. --with-curl=/usr/local/curl-7.12.0. SEASnet's cURL was installed at /usr/local/curl-7.12.0, but yours could be at any arbitrary path. Find out where it is installed on your machine.
2. Your cURL came with a default CA bundle file, which contains root certificates for all the well-known certificate authorities at the time it was made. SEASnet's file is at /usr/local/curl-7.12.0/share/curl/curl-ca-bundle.crt, which is the default location for the default compilation of cURL. If you compiled cURL with a custom location for this file, find out what it is; that is the one you will work with.
3. Look for the new ISIS certificate authority from GeoTrust in /usr/local/curl-7.12.0/share/curl/curl-ca-bundle.crt. Basically the following 3 lines should be in curl-ca-bundle.crt:
Equifax Secure Global eBusiness CA-1
Validity Period: Mon Jun 21, 1999 to Sun Jun 21, 2020 (GMT)
Certificate Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
If any of these lines are not in curl-ca-bundle.crt, you need to update your curl-ca-bundle.crt.
4a. If you don’t have any local certificates in curl-ca-bundle.crt, you can replace the entire curl-ca-bundle.crt. Save the old curl-ca-bundle.crt and get cacert.pem here. Replace curl-ca-bundle.crt with cacert.pem.
4b. If you have installed some custom local certificates in curl-ca-bundle.crt and don’t want to replace it, get cacert.pem and extract the “Equifax Secure Global eBusiness CA” certificate from cacert.pem by copying the lines between and including:
Equifax Secure Global eBusiness CA
==================================
and
-----END CERTIFICATE-----
Make a copy of the current curl-ca-bundle.crt and then append this piece of new certificate data to curl-ca-bundle.crt.
5. Restart your Apache server (because Apache’s PHP module reads in curl-ca-bundle.crt during startup only).
6. Test login to ISIS.
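As an added example (not SEASnet's own script and not part of the original e-mail), a small POSIX shell helper for steps 3 and 4b: it checks a bundle for a CA heading, extracts that CA's block from cacert.pem, backs the bundle up and appends the block. The function names, paths and sample bundle contents are constructed for this example; the heading must match a line in each file exactly.

```shell
#!/bin/sh
# Added example (not the article's code): helpers for steps 3 and 4b above.
# A "heading" is the human-readable line that precedes a certificate in the
# bundle, e.g. "Equifax Secure Global eBusiness CA"; it must match exactly.

# Step 3: is a certificate with this heading already in the bundle? (exit 0 = yes)
ca_present() {
    grep -Fxq "$2" "$1"
}

# Step 4b: print the block from the heading line through its END CERTIFICATE line.
extract_ca() {
    awk -v name="$2" '
        $0 == name { printing = 1 }
        printing   { print }
        printing && /^-----END CERTIFICATE-----$/ { exit }
    ' "$1"
}

# Step 4b: back the bundle up, then append the named CA taken from the source
# bundle (cacert.pem). Exit 1 if the source does not contain that heading.
append_ca() {
    if ca_present "$1" "$3"; then
        echo "already present: $3"
        return 0
    fi
    ca_block=$(extract_ca "$2" "$3")
    [ -n "$ca_block" ] || { echo "not found in $2: $3" >&2; return 1; }
    cp "$1" "$1.bak"                  # keep the old bundle, as steps 4a/4b advise
    printf '\n%s\n' "$ca_block" >> "$1"
}

# Constructed sample files (placeholder base64, not real certificates) so the
# helpers run offline: an old bundle with one CA, and a newer cacert.pem that
# also carries the GeoTrust/Equifax root.
write_samples() {
    printf '%s\n' 'Some Other Root CA' '==================' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        > "$1/curl-ca-bundle.crt"
    { cat "$1/curl-ca-bundle.crt"; echo
      printf '%s\n' 'Equifax Secure Global eBusiness CA' \
          '==================================' \
          '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----'; } \
        > "$1/cacert.pem"
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
append_ca "$sample_dir/curl-ca-bundle.crt" "$sample_dir/cacert.pem" \
    "Equifax Secure Global eBusiness CA"
ca_present "$sample_dir/curl-ca-bundle.crt" "Equifax Secure Global eBusiness CA" \
    && echo "bundle now contains the GeoTrust/Equifax root"
```

On a real server, point append_ca at your curl-ca-bundle.crt and the downloaded cacert.pem instead of the sample directory, then restart Apache as in step 5.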
