Difference between revisions of "Grid Certificate"
(Delete reference to hostcerts having email addresses in.)
(Delete instruction referring to old web interface for getting host certs)
Revision as of 16:48, 27 February 2015
Certificate Overview
The gLite User Guide describes how certificates are used in the grid middleware.
Certificate Juju
A few notes on common operations on certificates:
Unpacking a host certificate (from the exported/backed up .pfx/.p12 file you got from the CA)
Do this in /etc/grid-security (as root, hence the # prompts):
# openssl pkcs12 -nocerts -nodes -in <CERT> -out hostkey.pem
# chmod 400 hostkey.pem
# openssl pkcs12 -clcerts -nokeys -in <CERT> -out hostcert.pem
# chmod 444 hostcert.pem
Here -nodes writes the private key unencrypted (so the 400 file mode is the only thing protecting it) and -nocerts keeps the certificate out of hostkey.pem; -clcerts -nokeys writes only the host certificate into hostcert.pem.
Checking a host certificate
# openssl x509 -in <CERT> -noout -text
N.B. A machine certificate has a common name (CN) which contains the hostname, e.g. CN=grid07.ph.gla.ac.uk. A personal certificate has the common name of the user, e.g. CN=graeme stewart.
Converting a Certificate back into P12 Form
To renew a certificate you need to have it loaded into your browser. If you no longer have the host certificate loaded, you can convert the X.509 hostkey/hostcert PEM pair back into PKCS#12 format using this openssl command:
openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out bundle.p12
openssl will prompt for an export passphrase; set one if necessary, or add the option -passout pass: to suppress the passphrase dialogue (the bundle then has an empty passphrase, so the file itself must be kept private).
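The unpack, check and repack steps above as one runnable round trip. This is an added example, not a script from the wiki: it assumes the openssl CLI is installed, and because no CA-issued .p12 is to hand it uses a self-signed certificate for the hypothetical host grid07.example.invalid in its place, a temporary directory in place of /etc/grid-security, and a constructed export passphrase where the wiki's commands would prompt. The check function adds the verifications a practitioner wants before the pair goes live: CN is the hostname, hostkey.pem holds only the key, the key matches the certificate, and the unencrypted key is owner-read-only.

```shell
#!/bin/sh
# Added example (not the wiki's own script). Assumes the openssl CLI.
# grid07.example.invalid, the temporary directory and the passphrase are
# all constructed stand-ins for the real host, /etc/grid-security and
# the CA bundle's passphrase.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=grid07.example.invalid       # hypothetical hostname (assumption)
P12PASS=constructed-export-pass   # constructed PKCS#12 passphrase

# Stand-in for the .p12 exported from the CA: a self-signed cert + key.
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
        -keyout "$WORK/orig-key.pem" -out "$WORK/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/orig-cert.pem" -inkey "$WORK/orig-key.pem" \
        -out "$WORK/ca-bundle.p12" -passout "pass:$P12PASS"
    echo "$WORK/ca-bundle.p12"
}

# The wiki's unpacking step. -nodes leaves the host key unencrypted, so the
# file mode is its only protection; -nocerts keeps the certificate out of it.
unpack_host_cert() {
    rm -f "$WORK/hostkey.pem" "$WORK/hostcert.pem"   # allow re-runs over 400 files
    openssl pkcs12 -nocerts -nodes -in "$1" -passin "pass:$P12PASS" -out "$WORK/hostkey.pem"
    chmod 400 "$WORK/hostkey.pem"
    openssl pkcs12 -clcerts -nokeys -in "$1" -passin "pass:$P12PASS" -out "$WORK/hostcert.pem"
    chmod 444 "$WORK/hostcert.pem"
}

# Checks worth doing before the pair goes into /etc/grid-security.
check_host_cert() {
    # 1. A machine certificate's CN is the hostname, not a person's name.
    openssl x509 -in "$WORK/hostcert.pem" -noout -subject -nameopt RFC2253 \
        | grep -q "CN=$HOST" || return 1
    # 2. The key file holds only the key, and that key matches the certificate.
    if grep -q 'BEGIN CERTIFICATE' "$WORK/hostkey.pem"; then return 1; fi
    [ "$(openssl x509 -in "$WORK/hostcert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/hostkey.pem" -pubout)" ] || return 1
    # 3. The unencrypted key is readable by its owner only (mode 400).
    [ "$(ls -l "$WORK/hostkey.pem" | cut -c1-10)" = "-r--------" ] || return 1
}

# SHA-256 fingerprint of the certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# The wiki's "back into P12" step; -passout suppresses the passphrase dialogue.
# Prints the fingerprint of the certificate read back out of the new bundle,
# so the caller can confirm the round trip preserved it.
repack_p12() {
    openssl pkcs12 -export -in "$WORK/hostcert.pem" -inkey "$WORK/hostkey.pem" \
        -out "$WORK/bundle.p12" -passout "pass:$P12PASS"
    openssl pkcs12 -in "$WORK/bundle.p12" -clcerts -nokeys -passin "pass:$P12PASS" \
        -out "$WORK/roundtrip-cert.pem"
    cert_fingerprint "$WORK/roundtrip-cert.pem"
}

# Stand-alone run: unpack, check, repack, compare fingerprints.
P12=$(make_test_p12)
unpack_host_cert "$P12"
if check_host_cert; then
    echo "unpacked and checked $HOST in $WORK"
else
    echo "host certificate checks FAILED"; exit 1
fi
if [ "$(repack_p12)" = "$(cert_fingerprint "$WORK/hostcert.pem")" ]; then
    echo "bundle.p12 carries the same certificate"
else
    echo "round trip changed the certificate"; exit 1
fi
```

Every check is written as `... || return 1` rather than relying on `set -e`, because errexit is switched off inside a function that is called as part of an `if` or `||` condition; a check that silently fell through would defeat the point of the function.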
Private Key
The CA permits (or will permit shortly) three different types of private keys.
- Encrypted software keys (encrypted with a "strong" passphrase) - used for user keys. Proxies are used to "unlock" the key over a period of time.
- Unencrypted software keys - normally used for host keys, or for "softkey" robot certificates. As the key file itself is not protected by a passphrase, it must be protected by other means against theft or other unauthorised use.
- KeyTokens, a hardware module which protects the private key from theft.
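The first two key types differ only in what is on disk, so the distinction can be checked mechanically. The following is an added example, not anything from the wiki or the CA: it assumes the openssl CLI, generates a constructed RSA key to play the part of an unencrypted host key, derives a passphrase-protected copy to play the part of a user key (the passphrase is a placeholder, not a strong one), and then applies the rule implied above, that an unencrypted software key must rely on its file mode for protection. The KeyToken case is not modelled because its key never exists as a file.

```shell
#!/bin/sh
# Added example (not the wiki's own script). Assumes the openssl CLI; the
# key material and passphrase below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Classify a PEM private key file: "encrypted", "unencrypted" or "unknown".
# PKCS#8 encrypted keys announce themselves in the BEGIN line; legacy
# traditional-format keys carry a Proc-Type header instead.
key_type() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q 'PRIVATE KEY' "$1"; then
        echo unencrypted
    else
        echo unknown
    fi
}

# Policy check: an encrypted (user) key is protected by its passphrase; an
# unencrypted (host / softkey robot) key must be owner-read-only (mode 400).
# Returns 0 when the file meets the policy for its type.
key_policy_ok() {
    mode=$(ls -l "$1" | cut -c1-10)
    case $(key_type "$1") in
        encrypted)   return 0 ;;
        unencrypted) [ "$mode" = "-r--------" ] || return 1 ;;
        *)           return 1 ;;
    esac
}

# Turn an unencrypted software key into a passphrase-protected PKCS#8 key,
# as a user key should be stored. $1 = input key, $2 = passphrase, $3 = output.
encrypt_user_key() {
    openssl pkey -in "$1" -aes256 -passout "pass:$2" -out "$3"
    chmod 400 "$3"
}

# Stand-alone run over a constructed host key and a derived user key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/hostkey.pem" 2>/dev/null
chmod 400 "$WORK/hostkey.pem"
encrypt_user_key "$WORK/hostkey.pem" "constructed-placeholder-passphrase" "$WORK/userkey.pem"

for k in "$WORK/hostkey.pem" "$WORK/userkey.pem"; do
    if key_policy_ok "$k"; then
        echo "$(key_type "$k") key $k: ok"
    else
        echo "$(key_type "$k") key $k: POLICY VIOLATION"
    fi
done
```

Run against /etc/grid-security/hostkey.pem or ~/.globus/userkey.pem, `key_policy_ok` gives a quick audit of whether a key on disk has the protection its type depends on; a host key that has drifted to mode 644 is reported as a violation.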
This page is a Key Document, and is the responsibility of Rob Harper. It was last reviewed on 2014-04-29 when it was considered to be 90% complete. It was last judged to be accurate on 2014-04-29.