Renewed certificate information for nds.berkeley.edu (to be deployed December 2nd, 2018)
The Comodo/InCommon certificate trust chain:
- USERTrust RSA Certification Authority (intermediate, see below for PEM-encoded version)
- InCommon RSA Server CA (intermediate, see below for PEM-encoded version)
- Comodo's AddTrust External CA Root certificate download page
Overview
We will renew the certificate signed by Comodo's InCommon RSA Server CA intermediate, which in turn is signed by the USERTrust RSA CA intermediate, which finally is signed by the AddTrust External root CA. This is required because the current certificate on the legacy LDAP cluster, nds.berkeley.edu, is expiring.
The deployment timeline
- December 2nd, 2018: Renewed Comodo certificates will be installed on the nds.berkeley.edu legacy LDAP cluster.
- January 31st, 2019: The nds.berkeley.edu LDAP cluster will be retired. All customers should use ldap.berkeley.edu.
For questions, please write to the calnet-developers@lists.b.e list or send directly to calnet-admin@lists.b.e
Workaround if needed for untrusted certificates
If your TLS/SSL libraries do not accept the nds.berkeley.edu certificates as trusted, and installing the Comodo AddTrust root CA alone, or the root CA together with the intermediate CAs, does not provide a proper chain of trust, here are some suggested workarounds. Typically, using the root CA or the root CA plus intermediate CA certificate(s) is sufficient, but in some cases these workarounds are required or desired:
1. Not recommended: Disable certificate validation checking.
2. Recommended, only if needed: Add the host certificate directly to your trust store rather than depending on the root CA signature to chain the trust. See below for the included host certificate needed for this option. Using option 2 means that any future change of the LDAP server host certificate will require establishing trust again via this procedure, using the new LDAP server host certificate when it becomes available.
Steps for option 1 (not recommended) for OpenLDAP clients like ldapsearch
Set TLS_REQCERT allow in /etc/openldap/ldap.conf, or, for temporary disablement, set an environment variable as in the following example for the bash shell:
Do this at some point before using the LDAP client.
Steps for option 2 (recommended, only if needed)
The nds.calnet.b.e host certificate is PEM-encoded below. Only if needed (see above), import this file into your application's or JVM's trusted Root CA storage.
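Option 2 bypasses the CA chain, so the copied certificate has to be authenticated some other way before it is trusted. The script below is an added example, not part of the original notice: it compares the certificate's SHA-256 fingerprint with a value obtained out of band and rejects certificates close to expiry before calling `keytool`. The function names, the 30-day margin and the `ldap.example.test` sample certificate are assumptions.

```bash
#!/usr/bin/env bash
# Added example: authenticate a host certificate before trusting it directly.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# verify_before_pin PEM EXPECTED_SHA256 [MIN_DAYS_LEFT]
# Returns 0 only if the file parses as a certificate, its fingerprint equals the
# value obtained out of band, and it stays valid for MIN_DAYS_LEFT more days.
verify_before_pin() {
    local pem expected min_days actual
    pem=$1; min_days=${3:-0}
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cert_sha256 "$pem")
    if [ -z "$actual" ]; then
        echo "not a parseable PEM certificate: $pem" >&2; return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2; return 3
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days day(s)" >&2; return 4
    fi
    # Show what is about to be trusted so a human can confirm it.
    openssl x509 -in "$pem" -noout -subject -issuer -dates >&2
}

# pin_into_truststore PEM EXPECTED_SHA256 KEYSTORE ALIAS
# Imports into a JVM trust store only after verification succeeds.
# keytool asks for the keystore password; -noprompt only skips the trust question.
pin_into_truststore() {
    verify_before_pin "$1" "$2" 30 || return
    keytool -importcert -noprompt -alias "$4" -file "$1" -keystore "$3"
}

# Constructed sample for a dry run: a throwaway self-signed certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-365}" \
        -subj "/CN=ldap.example.test" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}
```

Because the pinned certificate replaces chain validation, re-run the check against each new host certificate when the server's certificate changes.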
Renewed nds.b.e/nds.calnet.b.e host X.509 cert, PEM-encoded
USERTrust RSA Certification Authority
InCommon RSA Server CA