Grid Certificate

From GridPP Wiki
Jump to: navigation, search

Certificate Overview

The gLite User Guide describes how certificates are used in the grid middle-ware.

Certificate Juju

A few notes about doing stuff with/to certificates:

Unpacking a host certificate (from the exported/backed up .pfx/.p12 file you got from the CA)

Do this in /etc/grid-security 

 # openssl pkcs12 -clcerts -nodes -in <CERT> -out hostkey.pem
 # chmod 400 hostkey.pem
 # openssl pkcs12 -clcerts -nokeys -in <CERT> -out hostcert.pem
 # chmod 444 hostcert.pem

Checking a host certificate

 # openssl x509 -in <CERT> -noout -text

N.B. A machine certificate has a common name (CN) which contains the hostname and the email of the certificate requester, e.g., CN=grid07.ph.gla.ac.uk/Email=g.stewart@physics.gla.ac.uk. A personal certificate has the common name of the user, e.g., CN=graeme stewart.

N.B. When requesting a server certificate for use within LCG do not select a Service Type (this is for Globus middleware only). Leave this as "none". These globus certificates can be identified because they have the service type in front of the hostname, e.g., CN=host/grid07.ph.gla.ac.uk/Email=g.stewart@physics.gla.ac.uk.

Converting a Certificate back into P12 Form

To renew a certificate you need to have it loaded into your browser. If you no longer have the host certificate loaded, then you can convert the X509 hostkey/cert pair back into PKCS12 format using this openssl command: 

 openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out bundle.p12

You can add a passphrase if necessary. (Or add the option -passout pass: to suppress the passphrase dialogue.)

Private Key

The CA permits (or will permit shortly) three different types of private keys.

  1. Encrypted software keys (encrypted with a "strong" passphrase) - used for user keys. Proxies are used to "unlock" the key over a period of time.
  2. Unencrypted software keys - normally used for host keys, or for "softkey" robot certificates. As the key (file) itself is not protected by a passphrase, it must have other means of preventing being stolen or otherwise used in an unauthorised way.
  3. KeyTokens, a hardware module which protects the private key from theft.

This page is a Key Document, and is the responsibility of Rob Harper. It was last reviewed on 2014-04-29 when it was considered to be 90% complete. It was last judged to be accurate on 2014-04-29.

Retrieved from "https://www.gridpp.ac.uk/w/index.php?title=Grid_Certificate&oldid=7657"