| Version 16 (modified by , 6 years ago) (diff) |
|---|
Trust anchors for GENI aggregates
This page lists various trust anchors which GENI aggregates can use. There's a section for the authorities that the GPO recommends for all GENI aggregates, and a second section for authorities which some aggregates may want to trust in unusual circumstances.
A note on certificate types:
- A self-signed SA certificate can be added to an aggregate's list of trusted certificates by itself --- it contains everything the aggregate needs in order to trust that slice authority
- Trusting the self-signed CA certificate for the GENI clearinghouse should be all that is needed to complete the chain to the clearinghouse's trust root.
- An SA certificate which was signed by a self-signed CA certificate requires the inclusion of both the SA and the CA certificates.
Recommended GENI slice authorities
As of May 2015, the GPO recommends that all GENI aggregates trust the following GENI slice authorities (aka "the GENI cert bundle"), allowing the users at those SAs to use resources at GENI racks, GENI backbone and regional networks, etc.
The table below includes links to the SA certificate file, or to both of the MA and CA certificates, for each trust anchor. You can also download the entire bundle as a compressed tar file, which unpacks into a directory named "geni-cert-bundle", and includes an MD5SUMS file with md5sums for the certs. The md5sum for the .tar.gz file itself is 404fc0e0da0d04308b7d1d8d89bd910d.
| Description | Hostname | Certificate type | Certificate Expiration | File/Checksum |
| GENI clearinghouse | ch.geni.net | CA (self-signed) | 2019-03-23 | 40c979b9477822f353027ab91dc7a296 |
| PlanetLab Central | planet-lab.org | SA (self-signed) | 2016-09-04 | 4f0182127f4d4dc3c553d9d4a9a1a825 |
| Utah ProtoGENI | emulab.net | CA (self-signed) | 2020-10-27 | ffee3bd7ff3b7cd16ef1c10087adeee5 |
| Utah ProtoGENI SA | N/A | SA (signed by Utah CA) | 2020-10-28 | ec934876592590fa9dae926cf72d6e9a |
Refer to aggregate-specific instructions for how to configure your aggregate to trust a particular certificate.
Older certs (to be removed after 2015-05-25):
| Description | Hostname | Certificate type | Certificate Expiration | File/Checksum |
| Utah ProtoGENI | emulab.net | SA (self-signed) | 2015-05-25 | e9e6389938d71fed6ab8d667ac91f60a |
Other GENI slice authorities
Most aggregates will not want to trust the following additional slice authorities, but there may be some unusual circumstances where some might. The GPO does not recommend that GENI aggregates trust these authorities except when there's a specific concrete reason for a particular aggregate to do so.
The table below includes links to the SA certificate file, or to both of the MA and CA certificates, for each trust anchor.
| Description | Hostname | Certificate type | Certificate Expiration | File/Checksum |
| GPO staging clearinghouse | ch1.gpolab.bbn.com | CA (self-signed) | 2018-06-11 | 8a5e7c9194522ec79c6db2efeaa44569 |
Refer to aggregate-specific instructions for how to configure your aggregate to trust a particular certificate.
Attachments (10)
-
genisa.pem (3.5 KB) - added by 6 years ago.
Emulab SA cert (expires 2020-10-28)
-
sa-cert.pem (1.6 KB) - added by 6 years ago.
GENI Slice Authority
-
ma-cert.pem (1.6 KB) - added by 6 years ago.
GENI Member Authority
-
cacert.pem (1.2 KB) - added by 6 years ago.
GENI Clearinghouse Cerificate
-
cacert-noekus.pem (1.2 KB) - added by 5 years ago.
GENI CA Certificate with No EKU set: Use this if server is using OpenSSL1.1.x
- ilabt.imec.be.pem (2.0 KB) - added by 4 years ago.
-
geni-cert-bundle.tar.gz (7.5 KB) - added by 4 years ago.
GENI cert bundle
-
emulab.pem (1.6 KB) - added by 4 years ago.
Emulab CA cert (expires 2020-10-27)
- emulab_sa.pem (1.3 KB) - added by 4 years ago.
- geni-cert-bundle.tgz (5.7 KB) - added by 3 years ago.
Download all attachments as: .zip
