Difference between revisions of "Grid Certificate"

From GridPP Wiki
(Delete reference to hostcerts having email addresses in.)
(Delete instruction referring to old web interface for getting host certs)
Paragraph removed at line 22 of the old revision:

N.B. When requesting a server certificate for use within LCG do not select a Service Type (this is for Globus middleware only). Leave this as "none". These Globus certificates can be identified because they have the service type in front of the hostname, e.g., CN=host/grid07.ph.gla.ac.uk/Email=g.stewart@physics.gla.ac.uk.

Revision as of 16:48, 27 February 2015

Certificate Overview

The gLite User Guide describes how certificates are used in the grid middleware.

Certificate Juju

A few notes on working with certificates:

Unpacking a host certificate (from the exported/backed up .pfx/.p12 file you got from the CA)

Do this in /etc/grid-security

 # openssl pkcs12 -nocerts -nodes -in <CERT> -out hostkey.pem   # private key only (-nocerts keeps the certificate out of the key file), unencrypted
 # chmod 400 hostkey.pem                                         # key readable by its owner only
 # openssl pkcs12 -clcerts -nokeys -in <CERT> -out hostcert.pem # end-entity certificate only, no CA chain
 # chmod 444 hostcert.pem                                        # the certificate is public and may be world-readable

Checking a host certificate

 # openssl x509 -in <CERT> -noout -text

N.B. A machine certificate has a common name (CN) which contains the hostname e.g., CN=grid07.ph.gla.ac.uk. A personal certificate has the common name of the user, e.g., CN=graeme stewart.
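The unpack-and-check steps above, as an added shell example that is not from the GridPP wiki: it unpacks the bundle with the key kept out of the certificate file, applies the file modes given above, and then verifies that the key matches the certificate, that the certificate has not expired, and that the subject CN is the bare hostname with neither the old Globus "host/" service-type prefix nor an e-mail component. The function names are assumptions; it assumes an openssl binary (1.1 or later) on PATH.

```shell
# unpack_host_bundle BUNDLE.p12 OUTDIR [IMPORT-PASSWORD]
# Writes OUTDIR/hostkey.pem (mode 0400, private key only, unencrypted) and
# OUTDIR/hostcert.pem (mode 0444, end-entity certificate only, no CA chain).
# (Function names are this example's own, not GridPP tooling.)
unpack_host_bundle() {
    bundle="$1"; outdir="$2"; pass="${3:-}"
    # Subshell so the restrictive umask does not leak into the caller; the
    # key file is never world-readable, even for the instant before chmod.
    (
        umask 077
        openssl pkcs12 -in "$bundle" -nocerts -nodes -passin "pass:$pass" \
            -out "$outdir/hostkey.pem" &&
        openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pass" \
            -out "$outdir/hostcert.pem"
    ) || return 1
    chmod 400 "$outdir/hostkey.pem" && chmod 444 "$outdir/hostcert.pem"
}

# check_host_pair OUTDIR HOSTNAME
# Returns 0 only if the key matches the certificate, the certificate has not
# expired, the subject CN is exactly HOSTNAME, and the subject carries neither
# the Globus "host/" service-type prefix nor an emailAddress component.
check_host_pair() {
    dir="$1"; host="$2"
    key_pub=$(openssl pkey -in "$dir/hostkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$dir/hostcert.pem" -noout -pubkey) || return 1
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "hostkey.pem does not match hostcert.pem" >&2; return 1; }
    openssl x509 -in "$dir/hostcert.pem" -noout -checkend 0 >/dev/null ||
        { echo "hostcert.pem has expired" >&2; return 1; }
    # RFC 2253 formatting gives a stable "attr=value,attr=value" subject string.
    subj=$(openssl x509 -in "$dir/hostcert.pem" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=host/"*|*"emailAddress="*)
            echo "service-type or e-mail in subject: $subj" >&2; return 1 ;;
    esac
    case "$subj" in
        *"CN=$host"|*"CN=$host,"*) return 0 ;;
        *) echo "CN is not $host: $subj" >&2; return 1 ;;
    esac
}
```

Run it from /etc/grid-security as root, e.g. `unpack_host_bundle backup.p12 . && check_host_pair . "$(hostname -f)"`, and refuse to start the service if the check fails.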

Converting a Certificate back into P12 Form

To renew a certificate you need to have it loaded into your browser. If you no longer have the host certificate loaded, you can convert the X.509 hostkey/hostcert pair back into PKCS#12 format with this openssl command:

 openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out bundle.p12

You will be prompted for an export passphrase; set one if the bundle will be stored or moved anywhere. Adding the option -passout pass: (an empty password) suppresses the passphrase dialogue, but the private key in the resulting bundle is then unprotected, so treat the file exactly as you would the unencrypted hostkey.pem.

Private Key

The CA permits (or will permit shortly) three different types of private keys.

  1. Encrypted software keys (encrypted with a "strong" passphrase) - used for user keys. Proxies are used to "unlock" the key over a period of time.
  2. Unencrypted software keys - normally used for host keys, or for "softkey" robot certificates. As the key file itself is not protected by a passphrase, other means (file ownership and permissions, restricted access to the host) must prevent it from being stolen or otherwise used in an unauthorised way.
  3. KeyTokens, a hardware module which protects the private key from theft.

This page is a Key Document, and is the responsibility of Rob Harper. It was last reviewed on 2014-04-29 when it was considered to be 90% complete. It was last judged to be accurate on 2014-04-29.