dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

Support additional (non-IGTF) trust anchors for server certificates #5927

Open paulmillar opened 3 years ago

paulmillar commented 3 years ago

There are only a few situations where dCache acts as a client and establishes a connection to a remote site. Perhaps most prominently, this happens when transferring data with HTTP-TPC and dCache is the "active party".

Currently (by default), dCache uses the standard set of trust anchors from IGTF, located in the /etc/grid-security/certificates directory.

However, remote sites may have multiple user communities, including those who do not trust IGTF CAs. There is an alternative set of trust anchors (set of CAs) called CAB. The CAB set of trust anchors is accepted by all major web browsers, and is widely adopted by other HTTP clients.

Many distributions provide the CAB set of CAs in a standard location, typically as a single file containing all CA certificates in PEM format; for example, see /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

It is desirable that dCache somehow (through configuration or a script) is told to accept CAB services in addition to IGTF CAs when validating certificates of a remote site.

nsc-jens commented 3 years ago

For reference: As a fix for the Sectigo IGTF signing fiasco, I have packaged two additional CA certificates for Swestore in the IGTF format. This was a bit hard and the files do not contain all the correct information. Most of the trouble was getting the namespace and signing policy files correct(ish). Just dropping additional CA certificates in a directory would help a lot and make it possible to support communities that are not in the WLCG+IGTF sphere (think Letsencrypt here).

vokac commented 3 years ago

Letsencrypt certificates (with policy files) are by default distributed in the osg-ca-certs package.

paulmillar commented 3 years ago

I have a proof-of-principle implementation here: a set of three patches:

Patch: https://rb.dcache.org/r/13064/
Patch: https://rb.dcache.org/r/13065/
Patch: https://rb.dcache.org/r/13066/

The first two are simple preparatory patches, while the last one adds support for CAB (albeit with some caveats).

From my limited testing, it works. I hope to do some more testing "soon".

There is a limitation, though. As-is, the patch doesn't support any form of certificate revocation (e.g., no CRL, no OCSP or OCSP-stapling).