
Installing the GeoTrust CA in Apache, PHP, & cURL

SEASnet Computing Facility would like to share how it got the new ISIS SSL certificate authority, GeoTrust, working in a UNIX Apache/PHP/cURL environment. The following article is based on an e-mail to the ISIS developers' list.

If your web application is getting an error with ISIS login, try the following:

1. Your PHP was probably compiled with cURL, e.g. @--with-curl=/usr/local/curl-7.12.0@. SEASnet's cURL was installed at @/usr/local/curl-7.12.0@, but yours could be at any arbitrary path. Find out where it is installed on your machine.

2. Your cURL came with a default CA bundle file, which contains root certificates for all the well-known certificate authorities at the time it was made. SEASnet's file is at @/usr/local/curl-7.12.0/share/curl/curl-ca-bundle.crt@, which is the default location for the default compilation of cURL. If you compiled cURL with a custom location for this file, find out where it is; that is the file you will work with.

3. Look for the new ISIS certificate authority from GeoTrust in @/usr/local/curl-7.12.0/share/curl/curl-ca-bundle.crt@. The following three lines should be in curl-ca-bundle.crt:

 
Equifax Secure Global eBusiness CA-1
Validity Period: Mon Jun 21, 1999 to Sun Jun 21, 2020 (GMT)
Certificate Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC

If any of these lines are not in curl-ca-bundle.crt, you need to update your curl-ca-bundle.crt.

4a. If you don't have any local certificates in curl-ca-bundle.crt, you can replace the entire curl-ca-bundle.crt. Save the old curl-ca-bundle.crt and get cacert.pem here. Replace curl-ca-bundle.crt with cacert.pem.

4b. If you have installed some custom local certificates in curl-ca-bundle.crt and don't want to replace it, get cacert.pem and extract the "Equifax Secure Global eBusiness CA" certificate from cacert.pem by copying the lines between and including:

@Equifax Secure Global eBusiness CA@
@==================================@

and

@-----END CERTIFICATE-----@

Make a copy of the current curl-ca-bundle.crt and then append this piece of new certificate data to curl-ca-bundle.crt.

5. Restart your Apache server (because Apache's PHP module reads in curl-ca-bundle.crt during startup only).

6. Test login to ISIS.
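
Steps 3 and 4b can be scripted. The POSIX shell functions below are an added example, not part of the original e-mail or SEASnet's own tooling; the function names, the @.bak@ backup suffix and the return codes are assumptions made for illustration, and cacert.pem is assumed to use the label/underline/PEM layout quoted in step 4b.

```shell
#!/bin/sh
# Added example (not SEASnet's script). All paths are passed in as arguments.

# Step 3: succeed only if every string given after the bundle path occurs in it.
bundle_has_lines() {
    bundle=$1; shift
    for needle in "$@"; do
        grep -F -q -- "$needle" "$bundle" || return 1
    done
}

# Step 4b: print the block that starts at the exact LABEL line and ends at the
# first "-----END CERTIFICATE-----" after it. Trailing blanks and CRs are dropped.
extract_ca_block() {
    awk -v label="$1" '
        { line = $0; sub(/[ \t\r]+$/, "", line) }
        line == label { on = 1 }
        on { print line }
        on && line == "-----END CERTIFICATE-----" { exit }
    ' "$2"
}

# Back up BUNDLE to BUNDLE.bak, then append the LABEL block taken from SOURCE.
# Returns 0 = appended, 1 = block missing or truncated, 2 = already present.
append_ca_block() {
    label=$1 src=$2 bundle=$3
    # Do not append a second copy if the label line is already in the bundle.
    grep -F -x -q -- "$label" "$bundle" && return 2
    block=$(extract_ca_block "$label" "$src")
    # Refuse an empty or truncated block: it must hold BEGIN and end on END.
    case $block in
        *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
        *) return 1 ;;
    esac
    cp -p "$bundle" "$bundle.bak" || return 1
    printf '\n%s\n' "$block" >> "$bundle"
}
```

Call @append_ca_block 'Equifax Secure Global eBusiness CA' cacert.pem /usr/local/curl-7.12.0/share/curl/curl-ca-bundle.crt@, then continue with step 5. Piping the output of @extract_ca_block@ into @openssl x509 -noout -fingerprint -md5@ prints the certificate's computed MD5 fingerprint, which can be compared with the value in step 3 instead of relying on the text in the file.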