Getting a Grid-Ireland Host Certificate

• Introduction
• Compatible Web Browsers
• Trusting the Grid-Ireland CA
• Getting a User Certificate
• Generating the Host Certificate Request with grid-cert-request
• Generating the Host Certificate Request with openssl
• Submitting the Host Certificate Request
• Getting a Requested Certificate
• Making a Backup
• Restoring a Backup

Introduction

Grid-Ireland uses a public key infrastructure for authentication of users, resources and services. According to the basics of public-key cryptography (or asymmetric cryptography), each user and resource on the Grid has a key pair, comprising a public and a private key. The public key is made public while the private key must be kept secret. Encryption and authentication is performed using the public key while decryption and digital signature is performed with the private key. It is important to notice that generating a key pair does not automatically provide access to the Grid resources. A Certificate Authority (CA), trusted by the users and resource owners, must first sign the key pair to confirm identity. This signing procedure of the CA is referred to as issuing a certificate. Even then this does not grant authority to access grid resources -- this requires authorization from the owner of each resource. A key pair simply allows authentication of identity.

Certificates issued by the Grid-Ireland CA are accepted in many European and international grid projects. As an accredited member of the European Policy Management Authority for Grid Authentication in e-Science the Grid-Ireland CA meets standards agreed with other CAs and with the relying parties.

Compatible Web Browsers

To apply for a certificate through the Grid-Ireland CA Public Server you need to run one of the following browsers.

• Mozilla 1.x or greater, including

  • Netscape 7
  • Firefox
  • Galeon
  • Epiphany

• Netscape Navigator 4.7 or 4.8

These browsers are available for download from their websites, and current versions are often included with Linux distributions. The Grid-Ireland Certification Authority does not support Microsoft Internet Explorer, Opera, Safari or any other browsers at this time.

Trusting the Grid-Ireland CA

The very first step in applying for Grid-Ireland certificate is to tell your browser that you want to trust the Grid-Ireland CA. To do this you must install the Grid-Ireland CA root certificate. On the CA Public Server page, follow the Get CA Certificate link. Your browser will ask you if you want to trust the Grid-Ireland Certification Authority. You should at least agree to trust the CA to identify web sites and you may also want to agree to trust the CA to identify people (software developers and email senders) although this is not required to access Grid-Ireland.

You can read about how the CA is operated in its Certificate Policy and Certification Practise Statement.

Getting a User Certificate

To apply for a host certificate it is necessary that you already hold a personal certificate. This allows us to authenticate the host certificate application. If you do not already have a user certificate please follow the instructions for getting a Grid-Ireland user certificate.

Generating the Certificate Request with grid-cert-request

Globus provides a utility called grid-cert-request to make host- and service-certificate requests. If you have Globus installed, this is the preferred way to make certificate requests.

To make a Grid-Ireland certificate request with grid-cert-request you must first install the Grid-Ireland CA local configuration. This is available in RPM and gzipped TAR format.

• Grid-Ireland CA local configuration RPM
• Grid-Ireland CA local configuration tarball

Start grid-cert-request:

    mkdir new-cert
    grid-cert-request -host hostname.domain -dir new-cert -nopw -int

The command should ask you to fill in some details for the cert:

    Country Name (IE) [IE]:
    Organization Name (Grid-Ireland) [Grid-Ireland]:
    Organizational Unit Name: Local DNS domain [cs.tcd.ie]: domain
    Locality: Registration Authority (RA-TCD | RA-NUIG | RA-UCC) [RA-TCD]:
    Common Name (Forename Surname | host/<FQDN> | <service>/<FQDN>) []: host/hostname.domain

Please follow the instructions below to determine the correct values for each field

Country

The two-letter code for the country in which your institution is situated. You must accept the default value "IE" for Irish institutions.

Organization Name

You must accept the default value "Grid-Ireland" for all Grid-Ireland certificates.

Organizational Unit

What is required here is the DNS domain name of the host in question. A host in the Computer Science department of the fictional Grid-Ireland University might have the hostname ldap.cs.giu.ie: in this case the Organizational Unit Name should be cs.giu.ie.

Registration Authority

You must choose the appropriate Registration Authority (RA) to approve the request. In general this should be the closest geographically.

Grid-Ireland currently has three RAs:

• RA-TCD: Trinity College Dublin

  • Dr Brian Coghlan
  • Dr David O'Callaghan

• RA-NUIG: National University of Ireland, Galway

  • Dr Andy Shearer

• RA-UCC: University College Cork

  • Dr John Morrison
  • Mr Brian Clayton

Due to technical difficulties or for other reasons not all of the Grid-Ireland RAs may be available at any one time. If your nearest RA is unavailable at present you can choose to wait until they become available again or you can choose another RA. Currently the status of the RAs is as follows:

• RA-TCD: Available
• RA-NUIG: Available
• RA-UCC: Available

Common Name

There are three choices here depending on the intended use of the certificate:

• host/hostname.domain: a Globus host certificate, possibly used for multiple services;
• service/hostname.domain (e.g. ldap/hostname.domain): a Globus service certificate, used only for a single specified service; and

grid-certificate-request will generate the private key (hostkey.pem) and the certificate request (hostcert_request.pem). Copy the certificate request file to the system on which you have a web browser with your personal Grid-Ireland certificate installed. Then you can proceed to submitting the host certificate request

Note: grid-certificate-request incorrectly suggests that you email the certificate request to the CA. Grid-Ireland will only accept certificate requests submitted online.

Generating the Certificate Request with openssl

It is also possible to generate a suitable certificate request using the OpenSSL command line tools directly. First, you must install the Grid-Ireland CA local configuration as described in the previous section.

Then, start openssl as follows:

    openssl req -config /etc/grid-security/globus-host-ssl.conf -new -nodes -keyout hostkey.pem -out hostcert_request.pem

First, it will generate the key pair and ask for a pass phrase for the private key:

    Generating a 1024 bit RSA private key
    ...................................++++++
    .++++++
    writing new private key to 'hostkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
This passphrase must be removed later if the key is to be used unattended as a
Globus host certificate. Next you will be asked for the details of the
certificate. Using the instructions from the previous section, enter these
details:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (IE) [IE]:
    Organization Name (Grid-Ireland) [Grid-Ireland]:
    Organizational Unit Name: Local DNS domain [cs.tcd.ie]:domain
    Locality: Registration Authority (RA-TCD | RA-NUIG | RA-UCC) [RA-TCD]:
    Common Name (host/<FQDN> | <service>/<FQDN>) []:host/hostname.domain

Copy the certificate request file (hostcert_request.pem) to the system on which you have a web browser with your personal Grid-Ireland certificate installed. Then you can proceed to submitting the host certificate request

Submitting the Host Certificate Request

Once you have generated the certificate request you can use the Request Server or Service Certificate link on the CA Public Server page to submit the request. In order to submit the request you must have accepted the Grid-Ireland CA and have your user certificate installed in your browser.

One the Certificate Request form you will need to fill in the following details:

Request

Here you enter the path to the host certificate request (hostcert_request.pem) on the filesystem. You can use the browse button to locate this file.

Registration Authority

Choose the same RA as you specified when creating the request earlier.

Request Certificate Type

Choose "Server Certificate" if you you are requesting a certificate for "host/hostname.domain" or "hostname.domain" and choose "Service Certificate" if you are requesting a certificate for "service/hostname.domain" (e.g. "ldap/hostname.domain").

PIN

You must enter a 10-character code here. However, the PIN is currently not used in the certificate request process, so the code you enter does not need to be complex. asdfjk1234 or certpin000 would be fine. It is very important that you do not enter a valuable password such as the password for your email account or the root or administrator account on your computer.

Once these details have been entered you can click Continue....

Check Your Details

On the next page you will be asked to check the certificate details. Confirm that the details are correct then click Continue... to submit the request. You will see a "Thank You" page which confirms that your certificate request has been received. This page links to the pending requests list and your new request should be visible here.

Getting a Requested Certificate

When your certificate request has been approved by the RA and the certificate issued by the CA, the CA will send an email to inform you. The email will contain one vital piece of information about your certificate: the serial number, which is a four-digit hexadecimal code that uniquely identifies your certificate in the Grid-Ireland CA records. Using the same web browser you used to request your certificate, follow the Get Requested Certificates link on the CA Public Server page. On that page, enter the serial number shown in the email (letters should be in upper case), select "Download Server or Service Certificate to PEM File" and click "Continue" to download the certificate. You should save this as hostcert.pem.

This file can then be copied back to the appropriate host and installed as /etc/grid-security/hostcert.pem.

Making a backup

openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out <hostname>.p12 -name mykey -passout "pass:<password>"

Restoring a backup

openssl pkcs12 -in <hostname>.p12 -out hostcert.pem -clcerts -nokeys
openssl pkcs12 -in <hostname>.p12 -out hostkey.pem -nocerts -nodes
chmod 0444 hostcert.pem
chmod 0400 hostkey.pem

The Grid-Ireland website is hosted on cagraidsvr06.cs.tcd.ie in the Department of Computer Science, Trinity College Dublin.