On Wed, 24 Sep 2014, Andrew P. wrote:

> I was working on implementing SSL support in my APRS application, and noticed that the APRS-IS servers identify themselves with certificates issued by someone other than any of the big Certificate Authorities. Where does one get the trusted root CA certificate for these servers? Is it available on a webpage somewhere (maybe where the server code is available)?

You should be able to click on the padlock when on one of these servers, look at the certificate, hit the "Details" tab and look some more. Somewhere in there should be a link to the root certificate. You should be able to click on that and get asked if you want to import and trust that certificate.

So, using Firefox right now hooked to one of our internal servers at work that uses a different trusted root:

Left-click on the padlock.
Click "More Information"
Click "View Certificate" button.
Click "Details" tab.

Under Certificate->Extensions->Authority Information Access is a line that says: "CA Issuers". It has a URL that ends in ".crt". I put that into my browser and it asks me if I want to import that certificate (Don't know the exact message right now 'cuz I already did that, just yesterday! So mine today says: "This certificate is already installed as a certificate authority."

--
Curt, WE7U. http://wetnet.net/~we7u
APRS Client Capabilities: http://wetnet.net/~we7u/aprs_capabilities.html

Andrew,

The Tier 2 servers that have been configured for experimental SSL
identify with certificates signed by a custom Tier 2 Certificate
Authority. For client verification, they check that certificates are
signed by ARRL LotW.

Here is the Tier 2 CA root certificate, also available by exporting
from your browser as Curt described:
-----BEGIN CERTIFICATE-----
MIIEATCCAumgAwIBAgIJANGeoRXHmR8XMA0GCSqGSIb3DQEBBQUAMHIxGzAZBgNV
BAoMEkFQUlMgVGllcjIgTmV0d29yazEWMBQGA1UECwwNQ0EgRGVwYXJ0bWVudDEe
MBwGA1UEAwwVQVBSUzIgc2VydmVycyByb290IENBMRswGQYJKoZIhvcNAQkBFgxj
YUBhcHJzMi5uZXQwHhcNMTMwMzA4MDcyODE0WhcNMjMwMzA2MDcyODE0WjByMRsw
GQYDVQQKDBJBUFJTIFRpZXIyIE5ldHdvcmsxFjAUBgNVBAsMDUNBIERlcGFydG1l
bnQxHjAcBgNVBAMMFUFQUlMyIHNlcnZlcnMgcm9vdCBDQTEbMBkGCSqGSIb3DQEJ
ARYMY2FAYXByczIubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
u1relthMJip2AumhLeuv/+uczpnaaMPyfeAVxHcN2agx4o/0LXpKODJtQ7VjgI1I
tROoEUm5mwqIZZ70zMUFKJySY7zFUOV+3uMDl0wWfqKP+DuuVhFy/eA7ftyzV/kQ
ifed16ZlvteVy2PUY1oTtzu4KOBLe1wzF2ffuJg2ZtE1OCDFLIZkVMnm4YsqmeuP
kD907UgaYzZQmnqAqqBBofwlRlfgV40bQpAptEsYoLstiKtuyMI1ssoX5Qz50awb
tsij8HIyMzfT5Yic/UXfuLaz43fEBjxhOw9T/9/GVEMqSkUogrsp9y97t2WfzbUz
wBBuXZKm0MRoY82xZJ6nBwIDAQABo4GZMIGWMB0GA1UdDgQWBBQFKvFGPE2OVgic
9NiNIQv8/mm1WDAfBgNVHSMEGDAWgBQFKvFGPE2OVgic9NiNIQv8/mm1WDAMBgNV
HRMEBTADAQH/MAsGA1UdDwQEAwIBBjA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8v
Y3JsLmFwcnMyLm5ldC90Mi1zZXJ2ZXItcm9vdDAuY3JsMA0GCSqGSIb3DQEBBQUA
A4IBAQB1NjmdmkgeiYRU84q1TeLrt45P5TyJGuzSYvPFNryf9HPY8OSfbLAy44PL
AFmI8e1mpgU9EYkyxt/cKdsmM8P0S0gAQ+PV9E8n/9MHtSxiR9x6IsRAyesh4fPX
IW8pNNcRN0FfPx54kpIDAabvPl0i1c5XTjT7RycYWa3Vk9yNOHbwtFZlBgaG0/YU
PYLE1v9g2rPMrEaRoMZtT4d5pn6t0LIFaA3X+iUBBl3ijRx7OiH7VaJBSjWO6aLz
gCwvpfG0Qc2e52/Aj/Ynybn8f9GOymqCS/UzNMDDnalDsgBemR86zP1qoGi5p6CI
QLYDShM2/r/hdO0pW7qArXamn3AI
-----END CERTIFICATE-----

And here is the ARRL CA root certificate:
-----BEGIN CERTIFICATE-----
MIIEYjCCA8ugAwIBAgIJAOeye6l4UXxlMA0GCSqGSIb3DQEBBQUAMIHSMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ1QxEjAQBgNVBAcTCU5ld2luZ3RvbjEkMCIGA1UE
ChMbQW1lcmljYW4gUmFkaW8gUmVsYXkgTGVhZ3VlMR0wGwYDVQQLExRMb2dib29r
IG9mIHRoZSBXb3JsZDElMCMGA1UEAxMcTG9nYm9vayBvZiB0aGUgV29ybGQgUm9v
dCBDQTEYMBYGCgmSJomT8ixkARkWCGFycmwub3JnMRwwGgYJKoZIhvcNAQkBFg1s
b3R3QGFycmwub3JnMB4XDTEwMDkxNTE2MzExMloXDTIwMDkxMjE2MzExMlowgdIx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDVDESMBAGA1UEBxMJTmV3aW5ndG9uMSQw
IgYDVQQKExtBbWVyaWNhbiBSYWRpbyBSZWxheSBMZWFndWUxHTAbBgNVBAsTFExv
Z2Jvb2sgb2YgdGhlIFdvcmxkMSUwIwYDVQQDExxMb2dib29rIG9mIHRoZSBXb3Js
ZCBSb290IENBMRgwFgYKCZImiZPyLGQBGRYIYXJybC5vcmcxHDAaBgkqhkiG9w0B
CQEWDWxvdHdAYXJybC5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKFx
Cm23xmeFUbbqOUMCCh1j0bhaGYkUM5fHKKFBvF9ubZzGIO5SxsCHeN0AX9YY4To3
/WyoUGx1kWyZD/jrFgEAv7QEPK0VtXdF0DBxZ+XY7mu5rPqaRL4pOkzgDr+MiJ2a
4wP4qfV8fiXY+/0iVh8HCMaVn6+Vo4X/MLqozFBTAgMBAAGjggE8MIIBODAdBgNV
HQ4EFgQUrgAMpIiDuZD1zTjM6FRo9EtUoewwggEHBgNVHSMEgf8wgfyAFK4ADKSI
g7mQ9c04zOhUaPRLVKHsoYHYpIHVMIHSMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
Q1QxEjAQBgNVBAcTCU5ld2luZ3RvbjEkMCIGA1UEChMbQW1lcmljYW4gUmFkaW8g
UmVsYXkgTGVhZ3VlMR0wGwYDVQQLExRMb2dib29rIG9mIHRoZSBXb3JsZDElMCMG
A1UEAxMcTG9nYm9vayBvZiB0aGUgV29ybGQgUm9vdCBDQTEYMBYGCgmSJomT8ixk
ARkWCGFycmwub3JnMRwwGgYJKoZIhvcNAQkBFg1sb3R3QGFycmwub3JnggkA57J7
qXhRfGUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAcKtvtMY25LzRI
qi9vHDaq4ADSSkxO+8gtbB1U0bK617boPohRMnzHdxqrJ54yZcbXs9NQpQ0r7eGF
oKyeaqNhsrkjdykYBYP7kDg3rQw98iBzRgJt6Y+k2x75lA6RJB7L5ibWifhzUYb6
Niescv0M3a3DPyn2YoDCJrh05IPI4A==
-----END CERTIFICATE-----

P.S. Please make sure your application allows, and can be configured
to request, eNULL cipher. This allows SSL authentication without
encryption, so it is legal for use over Part 97. In our area, some
igates connect over Part 97 wifi links. If the client does not request
eNULL cipher, aprsc will default to using encryption over SSL links.

https://github.com/hessu/aprsc/commit/1469230

Tom KD7LXL

On Wed, Sep 24, 2014 at 10:12 AM, Andrew P. <andrewemt-***@public.gmane.org> wrote:
> Greetings, all.
>
> I was working on implementing SSL support in my APRS application, and
> noticed that the APRS-IS servers identify themselves with certificates
> issued by someone other than any of the big Certificate Authorities. Where
> does one get the trusted root CA certificate for these servers? Is it
> available on a webpage somewhere (maybe where the server code is available)?
>
> Thanks in advance.
>
> Andrew Pavlin, KA2DDO
> author of YAAC
>
> _______________________________________________
> aprssig mailing list
> aprssig-***@public.gmane.org
> http://www.tapr.org/mailman/listinfo/aprssig
>