Difference between revisions of "Grid Certificate"
(Delete instruction referring to old web interface for getting host certs)
(Remove another reference to the old CA web interface, add links to new tools.)
Revision as of 16:54, 27 February 2015
Certificate Overview
The gLite User Guide (https://edms.cern.ch/file/722398/1.4/gLite-3-UserGuide.pdf) describes how certificates are used in the grid middleware.
Most certificate applications and renewals should be carried out using the UK e-Science CA's 'CertWizard' tool (http://www.ngs.ac.uk/ukca/certificates/certwizard).
Systems administrators may also be interested in the command-line CertSorcerer tool (https://github.com/sfayer/cert_sorcerer).
Certificate Juju
A few notes about doing stuff with/to certificates:
Unpacking a host certificate (from the exported/backed-up .pfx/.p12 file you got from the CA)
Do this in /etc/grid-security:
# openssl pkcs12 -clcerts -nodes -in <CERT> -out hostkey.pem
# chmod 400 hostkey.pem
# openssl pkcs12 -clcerts -nokeys -in <CERT> -out hostcert.pem
# chmod 444 hostcert.pem
Checking a host certificate
# openssl x509 -in <CERT> -noout -text
N.B. A machine certificate has a common name (CN) which contains the hostname e.g., CN=grid07.ph.gla.ac.uk. A personal certificate has the common name of the user, e.g., CN=graeme stewart.
Converting a Certificate back into P12 Form
openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out bundle.p12
You will be prompted for an export passphrase, which you can set if necessary. (Alternatively, add the option -passout pass: to suppress the passphrase dialogue.)
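As an added example (not the wiki's own commands), the following POSIX shell script round-trips a constructed self-signed host certificate through a .p12 bundle, unpacks it with the file permissions given above, and checks that the CN names the host rather than a person. It assumes the openssl command-line tool is installed; the hostname and passphrase are placeholder values.

```shell
#!/bin/sh
# Added example, not from the wiki page: round-trip a host certificate
# through a .p12 bundle, unpack it as the page prescribes, and check the
# CN names a host. Assumes the openssl CLI; the cert used is constructed.
set -eu

# Unpack a PKCS#12 bundle into hostkey.pem/hostcert.pem in directory $2,
# with the page's permissions: 400 on the key, 444 on the certificate.
unpack_host_cert() {
    bundle="$1"; dir="$2"; pass="$3"
    # -nodes writes the key unencrypted, as host keys are stored on disk
    openssl pkcs12 -clcerts -nodes -in "$bundle" -out "$dir/hostkey.pem" \
        -passin "pass:$pass"
    chmod 400 "$dir/hostkey.pem"
    openssl pkcs12 -clcerts -nokeys -in "$bundle" -out "$dir/hostcert.pem" \
        -passin "pass:$pass"
    chmod 444 "$dir/hostcert.pem"
}

# Print the subject CN of a PEM certificate (RFC 2253 form avoids the
# "CN = x" vs "/CN=x" output differences between openssl versions)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only when the CN is the given hostname, i.e. a machine
# certificate rather than a personal one with a person's name as CN
is_host_cert_for() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Build a throwaway self-signed "host" certificate, bundle it as the
# "back into P12" section does, unpack it and verify. Prints the work dir.
demo_roundtrip() {
    host="$1"; dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -subj "/CN=$host" -days 1 2>/dev/null
    # -passout pass:... supplies the bundle passphrase non-interactively
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/bundle.p12" -passout pass:example
    unpack_host_cert "$dir/bundle.p12" "$dir" example
    is_host_cert_for "$dir/hostcert.pem" "$host"
    echo "$dir"
}
```

Run `demo_roundtrip grid07.ph.gla.ac.uk` to get a directory holding the unpacked hostkey.pem and hostcert.pem with the expected permissions.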
Private Key
The CA permits (or will permit shortly) three different types of private keys.
- Encrypted software keys (encrypted with a "strong" passphrase) - used for user keys. Proxies are used to "unlock" the key over a period of time.
- Unencrypted software keys - normally used for host keys, or for "softkey" robot certificates. As the key file itself is not protected by a passphrase, it must be protected by other means (such as the restrictive file permissions above) from being stolen or otherwise used in an unauthorised way.
- KeyTokens, a hardware module which protects the private key from theft.
This page is a Key Document, and is the responsibility of Rob Harper. It was last reviewed on 2014-04-29 when it was considered to be 90% complete. It was last judged to be accurate on 2014-04-29.