CSAIL Web Certificates

CSAIL Web Certificates allow your browser to prove your identity to secure CSAIL websites. They expire a year after you obtain them, or earlier if your account expires earlier. You must have an active CSAIL account before you can obtain certificates. Just as CSAIL accounts are distinct from MIT/Athena accounts, CSAIL certificates are distinct from MIT certificates.

Obtaining Certificates

Please follow directions for your browser, if it is listed below:

• Mozilla Firefox -- CSAIL recommended
• Apple Safari
• Internet Explorer - No native certificate enrollment support; must utilize Firefox to import certificates.
• Google Chrome - Certificate enrollment support is broken by design; must use another browser (Firefox or Apple Safari) to generate certificates, then import into the "native" certificate store for your operating system.
• iOS

Only if your browser does not appear above, you may try these generic directions:

1. Install our authority certificate, master.cer
   • This "Master CA" lets your browser recognize and trust secure CSAIL websites.
2. Request a CSAIL client certificate for your browser
3. Back up your certificate (optional)
   • If you expect to encrypt or sign mail and documents with your certificate, you may wish to export it and store it somewhere safe.

Testing Certificates

You can visit https://inquir.csail.mit.edu/cgi-bin/check-certificate to check the client certificate your browser is presenting to CSAIL Web servers. If your certificate is valid, this page will display information about it.

Common issues

• ssl_error_expired_cert_alert or other "your certificate has expired" errors
  • Obtain new certificates (see above). It may be necessary to delete personal certificates, or to restart your browser, before they will function properly.

For other known issues, see browser-specific pages (at top).

Verifying the validity of the authority certificates

There is a printed copy of the Master CA certificate available for your inspection at the TIG Help Desk (32-276). For convenience, the certificate checksums are also given below (but you should not trust this server any more than another):

  SHA-1: 02:6A:27:D6:0C:97:11:A4:72:66:80:4B:09:38:9F:2D:3D:99:4D:DF
    MD5: 13:81:2D:FA:34:41:CC:CA:BF:D1:85:91:91:63:CE:A7