All CSC and ACSS facilities that require users to provide their Kerberos passwords are set up over secure TLS/SSL encrypted channels. Examples of such facilities are web-pages using the https protocol, 802.1x authentication for wired or wireless networks, ssh logins, VPN connections, email access through imaps and SASL authentication for smtp.
Setting up an encrypted TLS/SSL connection requires the server to present an SSL certificate to the client, so that the client may authenticate the server. This is to protect against possible man-in-the-middle attacks. Please note that accepting a server certificate without verifying its authenticity makes a user vulnerable to attacks.
IITD uses self-signed certificates for some services, whereas it uses Letsencrypt certificates for Wifi/Mail services (see https://letsencrypt.org/). Wifi/802.1x network access, as well as mail clients and web browsers, may ask to examine and accept these certificates every time on start-up. Users are requested not to make a practice of accepting such certificates. Instead, users may download the IITD CA certificate and install it as a valid CA (certificate authority). The CA certificate can be installed through the Preferences->Advanced->Certificates tabs. You may require the IITD CA Certificate in DER format for some systems.
In most operating systems and browsers the Letsencrypt X3 CA should already be available. If required, you may download and install Let’s Encrypt Authority X3 (IdenTrust cross-signed): [pem] [der], or from here: Letsencrypt X3 Intermediate certificate.
Please see HowTo: Import the CAcert Root Certificate into Client Software for details (follow the procedure outlined in this link, but use the Letsencrypt X3/IITD CA certificate instead of CAcert's).
Please verify the SHA1 and MD5 fingerprints of the IITD CA certificate before installing:
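One way to carry out this check, as an added example that is not part of the original page: it computes the MD5 and SHA1 fingerprints of a certificate file in either PEM or DER form and compares them with the published values. The function names and the sample bytes are assumptions made for the illustration; the fingerprints to compare against must be the ones published by IITD.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file given as PEM or DER."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour: treat the file as DER already
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def fingerprints(data: bytes) -> dict:
    """Fingerprints are digests of the DER encoding, as hex without colons."""
    der = to_der(data)
    return {
        "md5": hashlib.md5(der, usedforsecurity=False).hexdigest(),
        "sha1": hashlib.sha1(der, usedforsecurity=False).hexdigest(),
    }


def normalise(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' as published."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify(data: bytes, published: dict) -> bool:
    """True only if every published fingerprint matches the file."""
    actual = fingerprints(data)
    if not published:
        return False  # nothing to compare against is not a pass
    return all(
        algo in actual and hmac.compare_digest(actual[algo], normalise(fp))
        for algo, fp in published.items()
    )


# Constructed sample: stand-in bytes, not a real certificate. A fingerprint
# is a hash of the file's DER bytes, so any byte string shows the mechanics.
SAMPLE_DER = bytes(range(48)) * 4
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprints(SAMPLE_PEM))
```

For a downloaded file, read it in binary mode and pass the bytes to `verify` together with the published fingerprints, with or without colons. The PEM and DER downloads of the same certificate give identical fingerprints, so either format can be checked.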