Using DoD Root Certificates with Git

Exploring GitHub Repositories | TechSlides

Git clients verify the server's certificate whenever you interact with a remote repository over HTTPS. Because the Department of Defense (DoD) root certificates are not in the trust stores shipped with most mainstream operating systems, that verification fails. The quick and insecure workaround is to disable certificate verification globally:

git config --global http.sslVerify false

Or you can use the -c option, which passes a configuration parameter to a single git invocation:

git -c http.sslVerify=false clone https://git.redacted.mil/dod/project-repo.git

Disabling certificate validation globally is the most insecure course of action and should be avoided: every HTTPS remote you touch from then on is open to a man-in-the-middle. The second quick fix limits the exposure to that one command (the -c setting is not persisted), but the clone itself is still unverified. Neither is a best practice; configure git to trust the DoD root certificates instead.

I will demonstrate how to configure your Linux environment to work with DoD sites, starting with the error you receive when git cannot find the root of the server's certificate chain in its trust store. OpenSSL reports this as a "self signed certificate in certificate chain", which is accurate: a root CA certificate is self-signed, and it is untrusted simply because git has never been told about it.

[mike@blue]$ git clone https://git.redacted.mil/dod/project-repo.git
Cloning into 'project-repo'...
fatal: unable to access 'https://git.redacted.mil/dod/project-repo.git': SSL certificate problem: self signed certificate in certificate chain

Download and extract the DoD root certificates from the DISA website. If you are not a DoD employee or contractor, you may not have access to these certificates. Obtain them only from DISA or your IT support staff; a root certificate received from an untrusted channel is exactly what a man-in-the-middle would hand you.

DODCERTS/
├── DOD ID SW CA-38.cer
├── DOD ID SW CA-45.cer
├── DOD ID SW CA-47.cer
├── DOD ID SW CA-48.cer
├── DOD ID SW CA-60.cer
├── DOD ID SW CA-61.cer
├── DoDRoot2.cer
├── DoDRoot3.cer
├── DoDRoot4.cer
├── DoDRoot5.cer
├── DOD SW CA-53.cer
├── DOD SW CA-54.cer
├── DOD SW CA-55.cer
├── DOD SW CA-56.cer
├── DOD SW CA-57.cer
└── DOD SW CA-58.cer

We only need DoDRoot2, DoDRoot3, DoDRoot4, and DoDRoot5; the server sends its intermediates (the "DOD SW CA" and "DOD ID SW CA" certificates) during the TLS handshake, so only the roots need to be trust anchors. These .cer files are in the binary DER encoding, so we convert them to PEM, the format git (via libcurl) expects in a CA bundle.

[mike@blue]$ for i in DoDRoot*.cer; do openssl x509 -inform der -in "$i" -out "${i%.cer}.pem"; done

The loop converts each certificate with openssl, writing DoDRoot2.pem, DoDRoot3.pem and so on. Next we concatenate the PEM files into one bundle:

[mike@blue]$ cat DoDRoot*.pem > dod-bundle.pem

Locate the ca-bundle.crt file on your system. I am using Fedora Linux, where the system bundle is /etc/pki/tls/certs/ca-bundle.crt (on Debian and Ubuntu it is /etc/ssl/certs/ca-certificates.crt).

Once you have found the file, copy it to a local directory. I chose $HOME/.pki, but any location works as long as no unauthorized user can modify the file: anyone who can write to your CA bundle can add a CA of their own and intercept your traffic. Append dod-bundle.pem to your local copy of the system bundle to produce a combined bundle, then restrict the permissions on the resulting files.

[mike@blue]$ mkdir -p ~/.pki && chmod 700 ~/.pki
[mike@blue]$ mv dod-bundle.pem ~/.pki/
[mike@blue]$ cp /etc/pki/tls/certs/ca-bundle.crt ~/.pki/
[mike@blue]$ cd ~/.pki
[mike@blue]$ cat ca-bundle.crt dod-bundle.pem > dod-ca-bundle.crt
[mike@blue]$ chmod 400 dod-bundle.pem dod-ca-bundle.crt

Now, to clone a DoD hosted repository, point git at the combined bundle for just this command:

[mike@blue]$ GIT_SSL_CAINFO=~/.pki/dod-ca-bundle.crt git clone https://git.redacted.mil/dod/project-repo.git

To make this apply to every repository under "git.redacted.mil" without setting the environment variable each time, edit your ~/.gitconfig and add the following section. Git matches the URL in the section name as a prefix, so it covers every repository on that host and nothing else; sslVerify stays on. An http.sslCAPath entry is not needed here (it expects a directory of hash-named certificate files, as produced by c_rehash, and a plain directory of PEM files does nothing).

[http "https://git.redacted.mil"]
sslCAInfo = /home/mike/.pki/dod-ca-bundle.crt
sslVerify = true
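The steps above (convert DER to PEM, keep only true roots, build a bundle on top of the system store, lock down permissions, scope git to the host) as one script. This is an added example, not code from the original post; the function names, the expectation that the DISA download is unpacked into a directory of DoDRoot*.cer files, and the gitconfig file argument are assumptions. It goes slightly beyond the post in two ways: it also accepts a .cer file that is already PEM (openssl rejects PEM input when told -inform der), and it refuses to add anything whose subject and issuer differ, so an intermediate or stray leaf cannot become a trust anchor by accident.

```shell
#!/bin/sh
# Build a CA bundle from DoD root certificates and scope git to it.
# Assumed layout (not from the original post): the DISA download is unpacked
# into <srcdir>, the system bundle is e.g. /etc/pki/tls/certs/ca-bundle.crt,
# and the combined bundle is written to <out>.
set -eu

# Convert one certificate to PEM. DISA ships DER (.cer) files, but a file
# that is already PEM is accepted too instead of failing the whole run.
cert_to_pem() {  # cert_to_pem <input.cer> <output.pem>
    if openssl x509 -inform pem -in "$1" -noout 2>/dev/null; then
        openssl x509 -inform pem -in "$1" -out "$2"
    else
        openssl x509 -inform der -in "$1" -out "$2"
    fi
}

# A root CA is self-signed: subject and issuer are identical. Anything else
# (an intermediate, or a leaf someone dropped in the directory) is rejected.
is_root_cert() {  # is_root_cert <cert.pem>
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

count_certs() {  # count_certs <bundle.pem>  -> number of PEM certificates
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle <srcdir with DoDRoot*.cer> <system ca-bundle> <out>
# Writes the system roots followed by the converted DoD roots, makes the
# result owner-read-only, and prints how many DoD roots were added.
build_bundle() {
    srcdir=$1 sysbundle=$2 out=$3
    umask 077                      # temp file and output are private from birth
    tmp=$(mktemp)
    cat "$sysbundle" > "$tmp"
    n=0
    for cer in "$srcdir"/DoDRoot*.cer; do
        [ -e "$cer" ] || continue  # glob matched nothing
        pem="${cer%.cer}.pem"
        cert_to_pem "$cer" "$pem"
        if is_root_cert "$pem"; then
            cat "$pem" >> "$tmp"
            n=$((n + 1))
        else
            echo "skipping $cer: not self-signed, so not a root" >&2
        fi
    done
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        echo "no DoD roots found in $srcdir" >&2
        return 1
    fi
    mv "$tmp" "$out"
    chmod 400 "$out"
    echo "$n"
}

# configure_git <gitconfig file> <url prefix> <bundle>
# Scopes the bundle to one URL prefix rather than changing the global default.
# Pass "$HOME/.gitconfig" as the file to edit your own global configuration.
configure_git() {
    git config --file "$1" "http.$2.sslCAInfo" "$3"
    git config --file "$1" "http.$2.sslVerify" true
}

# Self-check: the bundle must be loadable as a trust store and must contain
# the given root (openssl verify succeeds for a root present in -CAfile).
verify_bundle() {  # verify_bundle <bundle> <root.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Typical use: `build_bundle ~/DODCERTS /etc/pki/tls/certs/ca-bundle.crt ~/.pki/dod-ca-bundle.crt`, then `configure_git ~/.gitconfig https://git.redacted.mil ~/.pki/dod-ca-bundle.crt`, which writes the same [http "https://git.redacted.mil"] section shown above. The umask and chmod 400 matter: a world-writable bundle lets any local user add a CA that your git client will then trust.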

There should be no reason to disable SSL certificate verification globally. If you do not have access to the root CA or intermediate certificate(s), reach out to your IT support staff. On Fedora and RHEL you can also add the PEM roots to the system trust store (copy them into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust), which fixes git and every other TLS client at once. If you truly must disable verification, scope it to ONLY the repository for that project, and turn it back on as soon as you have the certificates.

Thanks for reading.
