Grid Certificate

From GridPP Wiki

Certificate Overview

The gLite User Guide describes how certificates are used in the grid middle-ware.

Many certificate applications and renewals can be carried out using the UK e-Science CA's 'CertWizard' tool (in Java). There is also a CA portal, which uses JavaScript; it requires that the generated private key be stored in a file until the certificate is issued, after which the two can be recombined and saved as a PKCS#12 bundle.

There is also the 'PeCR' bulk system, which lets you request multiple certificates from the command line. It also supports SubjectAltName.

Systems administrators may also be interested in the command-line CertSorcerer tool.

Certificate Juju

A few notes on common operations on certificates and keys:

Unpacking a host certificate (from the exported/backed-up .pfx/.p12 file you got from the CA)

Do this in /etc/grid-security, which is where the middleware looks for hostcert.pem and hostkey.pem. Note that -nodes writes the key out unencrypted, so run the commands with a restrictive umask (e.g. umask 077) so that the key file is never world-readable, even briefly, before the chmod.

 # openssl pkcs12 -nocerts -nodes -in <CERT> -out hostkey.pem
 # chmod 400 hostkey.pem
 # openssl pkcs12 -clcerts -nokeys -in <CERT> -out hostcert.pem
 # chmod 444 hostcert.pem

Checking a host certificate

 # openssl x509 -in <CERT> -noout -text

N.B. A machine certificate has a common name (CN) containing the hostname, e.g. CN=grid07.ph.gla.ac.uk. A personal certificate has the user's name as its common name, e.g. CN=graeme stewart.

See also Subject Alternative Name for host certificates.

Converting a certificate back into P12 form

 openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out bundle.p12

You will be prompted for an export password. Set one whenever the bundle is to be stored or copied anywhere, since the .p12 contains the private key. To run non-interactively, add -passout pass:<password>; -passout pass: with nothing after the colon gives an empty password and suppresses the dialogue, but leaves the bundle unprotected.
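The three steps above (unpack, check, repack) as one runnable script. This is an added example, not from the GridPP wiki: it builds a self-signed stand-in for the CA-issued .p12 (constructed test data, with a made-up hostname and export password), works in a temporary directory rather than /etc/grid-security so it can run unprivileged, and adds the checks a sysadmin wants after unpacking: that the key really belongs to the certificate, that the CN (and SAN) name the host, and that the unencrypted key file ended up mode 0400.

```shell
#!/bin/sh
# Added example (not GridPP's own code): PKCS#12 <-> hostcert.pem/hostkey.pem round trip
# with sanity checks. Assumes openssl(1) on PATH. HOST, P12PASS and the self-signed
# certificate are constructed test data standing in for the bundle exported from the CA.
set -eu

WORK=$(mktemp -d)                # stands in for /etc/grid-security
HOST=grid07.example.org          # constructed host name
P12="$WORK/host.p12"
P12PASS=export-secret            # constructed export password

# Stand-in for the CA-issued bundle: a self-signed host cert packed as PKCS#12.
make_test_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=UK/O=eScience/OU=Host/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/orig-key.pem" -out "$WORK/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/orig-cert.pem" -inkey "$WORK/orig-key.pem" \
        -passout "pass:$P12PASS" -out "$P12"
}

# The page's unpack step: unencrypted key (0400) and certificate (0444).
# umask 077 means the key is never group/world readable, even before the chmod.
unpack_bundle() {
    (umask 077 && openssl pkcs12 -nocerts -nodes -in "$P12" -passin "pass:$P12PASS" \
        -out "$WORK/hostkey.pem")
    chmod 400 "$WORK/hostkey.pem"
    openssl pkcs12 -clcerts -nokeys -in "$P12" -passin "pass:$P12PASS" \
        -out "$WORK/hostcert.pem"
    chmod 444 "$WORK/hostcert.pem"
}

# Check 1: the key belongs to the certificate (identical public key).
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/hostkey.pem" -pubout | openssl sha256)
    c=$(openssl x509 -in "$WORK/hostcert.pem" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: it is a host certificate, i.e. the CN is the machine's name.
cert_cn() {
    openssl x509 -in "$WORK/hostcert.pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 2b: the SAN also names the host (what TLS clients actually match on).
cert_has_san_for_host() {
    openssl x509 -in "$WORK/hostcert.pem" -noout -text | grep -q "DNS:$HOST"
}

# Check 3: the unpacked key is passphrase-free (as -nodes intends) and owner-readable only.
key_is_plaintext_and_private() {
    ! grep -q ENCRYPTED "$WORK/hostkey.pem" \
        && [ "$(ls -l "$WORK/hostkey.pem" | cut -c1-10)" = "-r--------" ]
}

# The page's last step: rebuild a .p12 from the PEM pair; print the cert fingerprint
# read back out of the new bundle so it can be compared with hostcert.pem.
repack_bundle() {
    openssl pkcs12 -export -in "$WORK/hostcert.pem" -inkey "$WORK/hostkey.pem" \
        -passout "pass:$P12PASS" -out "$WORK/bundle.p12"
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12PASS" -nokeys -clcerts \
        | openssl x509 -noout -fingerprint -sha256
}

make_test_bundle
unpack_bundle
echo "unpacked into $WORK: CN=$(cert_cn)"
```

Run it as an ordinary user; to do the real thing, replace WORK with /etc/grid-security and P12 with the file the CA gave you. The key/cert match check catches the common mistake of pairing a freshly issued hostcert.pem with last year's hostkey.pem.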

Private Key

The CA permits (or will permit shortly) three different types of private key:

  1. Encrypted software keys (encrypted with a "strong" passphrase), used for user keys. The passphrase is entered once to create a short-lived proxy credential, which then acts on the user's behalf for a period of time without the long-term key being decrypted again.
  2. Unencrypted software keys, normally used for host keys or for "softkey" robot certificates. As the key file itself is not protected by a passphrase, file permissions and access control on the host are the only things preventing it from being copied or used in an unauthorised way, so they must be set correctly.
  3. KeyTokens, a hardware module that holds the private key and performs signing on the device, so the key itself cannot be copied off it.
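The first two key types can be told apart from the key file itself, and each needs a different check. The script below is an added example, not GridPP's own code: it classifies a PEM key as encrypted or plaintext (covering both the PKCS#8 and the legacy OpenSSL encodings), accepts a plaintext key only when its file mode is 0400 and it belongs to the caller, and shows how to turn an unencrypted software key into a passphrase-protected one without changing the key material. It assumes openssl(1) on PATH; the keys are generated on the fly and the passphrase is a placeholder, not a "strong" one.

```shell
#!/bin/sh
# Added example (not GridPP's own code): inspect and protect software private keys.
# Assumes openssl(1) on PATH and a POSIX shell. Test keys are generated below.
set -eu
WORK=$(mktemp -d)

# classify_key FILE -> prints "encrypted", "plaintext" or "not-a-key".
# PKCS#8 marks encryption in the PEM label; the legacy format uses a Proc-Type header.
classify_key() {
    if grep -q "BEGIN ENCRYPTED PRIVATE KEY" "$1" || grep -q "^Proc-Type: 4,ENCRYPTED" "$1"; then
        echo encrypted
    elif grep -q "PRIVATE KEY-----" "$1"; then
        echo plaintext
    else
        echo not-a-key
    fi
}

# check_key_protection FILE -> exit 0 if acceptable. An encrypted (user) key is fine as
# it is; a plaintext (host/robot) key is acceptable only when mode 0400 and owned by the
# caller, because the file system is then its only protection.
check_key_protection() {
    case "$(classify_key "$1")" in
        encrypted) return 0 ;;
        plaintext) [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ] && [ -O "$1" ] ;;
        *) return 1 ;;
    esac
}

# encrypt_key IN OUT PASSPHRASE: re-encode an unencrypted key as passphrase-protected
# PKCS#8 (AES-256). The key material is unchanged, only the file encoding.
encrypt_key() {
    openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2"
    chmod 400 "$2"
}

# same_key A B [PASSPHRASE]: compare public halves to prove encryption kept the key intact.
same_key() {
    a=$(openssl pkey -in "$1" -pubout)
    b=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout)
    [ "$a" = "$b" ]
}

# Demo: a world-readable plaintext key, and an encrypted copy of it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/hostkey.pem" 2>/dev/null
chmod 644 "$WORK/hostkey.pem"         # deliberately too open; check_key_protection rejects it
encrypt_key "$WORK/hostkey.pem" "$WORK/userkey.pem" "correct horse battery staple"
echo "hostkey: $(classify_key "$WORK/hostkey.pem"), userkey: $(classify_key "$WORK/userkey.pem")"
```

check_key_protection is the kind of test worth running from a cron job over /etc/grid-security and robot key directories: a host key that has drifted to 0644 after a restore or a copy is exactly the "other means of protection" failing silently.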

Sending mail with a certificate

Normally you can use your MUA to sign mail with your private key, so that the recipient can verify the signature against your certificate. This provides (1) integrity protection and (2) authentication of the sender's identity. It normally works only with a personal (or robot) certificate, because these carry an email address.

However, there are two use cases for sending signed email from the command line. One is sending automated messages signed with a robot certificate. The other is that your certificate has expired and you cannot use CertWizard for some reason, so you need to send a signed PIN to the CA to renew it.

Assuming that your unsigned message is in msg.txt, and your cert/key are in usercert.pem and userkey.pem respectively,

 openssl smime -sign -in msg.txt -inkey userkey.pem -signer usercert.pem -to joe@example.com \
 -from me@example.com -subject "signed mail"|sendmail -t

This setup assumes that your local MTA provides a sendmail interface. Obviously you should alter the email addresses accordingly, and the line break is for readability. By default openssl includes your certificate in the signed message, so the recipient needs only the CA's certificate to verify it.
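What the recipient gets from that signature, shown end to end. This is an added example, not from the GridPP wiki: it runs the same signing command but writes to a file instead of piping to sendmail, verifies the result, extracts the signer's address from the certificate carried in the message, and then alters one character of the body to show that verification fails. It assumes openssl(1) on PATH; the personal certificate is a constructed self-signed stand-in, so it is verified against itself where a CA-issued one would be verified against the CA's certificate.

```shell
#!/bin/sh
# Added example (not GridPP's own code): S/MIME sign, verify, and detect tampering.
# Assumes openssl(1) on PATH. usercert.pem/userkey.pem are constructed test data.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for a CA-issued personal certificate: emailAddress in the subject and the
# emailProtection EKU mirror what a real one carries. Self-signed, so it is its own CA here.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test User/emailAddress=me@example.com" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout userkey.pem -out usercert.pem 2>/dev/null

printf 'Please renew my certificate.\nPIN: 123456\n' > msg.txt   # constructed message

# The page's signing command, written to signed.eml instead of piped to sendmail -t.
# The default output is multipart/signed: the text stays readable by any MUA and the
# signature covers it, so any change to it is detectable.
sign_message() {
    openssl smime -sign -in msg.txt -inkey userkey.pem -signer usercert.pem \
        -to joe@example.com -from me@example.com -subject "signed mail" -out signed.eml
}

# verify_message FILE -> prints "ok" or "FAILED". The signer's certificate is carried in
# the message; -CAfile names whom we trust to have issued it (here: the cert itself).
verify_message() {
    if openssl smime -verify -in "$1" -CAfile usercert.pem -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo FAILED
    fi
}

# Sender-origin check: pull the signer certificate out of the message and read its address.
signer_email() {
    openssl smime -verify -in signed.eml -CAfile usercert.pem \
        -signer signer.pem -out /dev/null 2>/dev/null
    openssl x509 -in signer.pem -noout -email
}

# Integrity check: change the PIN in the clear-text part and try to verify again.
tamper() {
    sed 's/PIN: 123456/PIN: 654321/' signed.eml > tampered.eml
}

sign_message
tamper
echo "original: $(verify_message signed.eml), tampered: $(verify_message tampered.eml), signer: $(signer_email)"
```

For the renewal case on the page, the CA does exactly this on its side: verify the signature against the CA's own issuing certificate, then read the PIN from the verified body. A message that fails verification, or whose signer address does not match the certificate being renewed, is discarded.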

This page is a Key Document, and is the responsibility of David Crooks. It was last reviewed on 2018-01-16 when it was considered to be 90% complete. It was last judged to be accurate on 2018-01-16.