Certificates

From GridPP Wiki

Crash course in Certificates

Certificates identify hosts and people to each other. To access the Grid you need a personal certificate that identifies you, and all the resources that you access need host certificates. We also have more detailed and technical information about Host Certificates.

Certificates are issued to resources in the UK by the UK e-Science CA. If people or hosts outside the UK need certificates, they should normally go to their national Grid CA.

A certificate is useless without the corresponding private key. For personal certificates, the corresponding private key must be protected with a passphrase at all times, but for server certificates, it is sufficient that the key is readable only by root.

One of the components of a certificate is the Distinguished Name, or DN. A DN from the UK e-Science CA typically looks like this:

/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen

Or, for host certificates,

/C=UK/O=eScience/OU=Manchester/L=HEP/CN=www.gridsite.org/emailAddress=hostmaster@hep.man.ac.uk

Note that the CN (Common Name) identifies the person by name, or the host by fully qualified domain name. Some tools display "Email=" or "E=" instead of "emailAddress", but it is still the same certificate. Worse yet, some tools (such as browsers) slice the DN up into components, or display it backwards (ending with C=UK) separated by commas. These are all different text representations of the same DN.

Finally, notice that service certificates have the name of a service embedded in the CN, e.g.

CN=ldap/wombat.esc.rl.ac.uk

This is a Globus security way of saying "if you see this certificate and you are talking to wombat.esc.rl.ac.uk, you should really be talking to an LDAP server". This type of certificate isn't understood by non-Globus services, so you shouldn't request one for those services.
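As an added example (not from the GridPP wiki), the following Python normalises the text forms described above: the slash form, the backwards comma-separated form a browser shows, and the Email=/E= aliases, and it splits a Globus service CN into service and host. The slash DNs are the ones quoted on this page; the comma-separated DN is constructed to mimic a browser display, and the service DN prefixes the quoted CN with a constructed path.

```python
from __future__ import annotations
import re

# Different tools name the e-mail attribute differently; map them to one spelling.
ALIASES = {"EMAIL": "emailAddress", "E": "emailAddress", "EMAILADDRESS": "emailAddress"}

def _canon_type(attr_type: str) -> str:
    upper = attr_type.strip().upper()
    return ALIASES.get(upper, upper)

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return the DN as an ordered list of (type, value), root component (C=) first.

    Accepts the OpenSSL slash form (/C=UK/O=...) and the comma-separated form some
    browsers show (CN=..., ..., C=UK), which lists the components leaf first.
    Values containing an unescaped comma are not handled."""
    dn = dn.strip()
    if dn.startswith("/"):
        # Only split on a '/' that starts a new 'type=' component, so that the '/'
        # inside a service CN such as CN=ldap/wombat.esc.rl.ac.uk is preserved.
        components = re.split(r"/(?=[A-Za-z]+=)", dn[1:])
    else:
        components = list(reversed(re.split(r",\s*(?=[A-Za-z]+=)", dn)))
    rdns = []
    for component in components:
        attr_type, _, value = component.partition("=")
        rdns.append((_canon_type(attr_type), value.strip()))
    return rdns

def canonical(dn: str) -> str:
    """Render any accepted form as the slash form used by the Globus tools."""
    return "/" + "/".join(f"{t}={v}" for t, v in parse_dn(dn))

def same_dn(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)

def service_name(dn: str) -> tuple[str | None, str]:
    """Split a Globus service CN (service/host) into (service, host); (None, host) otherwise."""
    cn = dict(parse_dn(dn)).get("CN", "")
    service, sep, host = cn.partition("/")
    return (service, host) if sep else (None, cn)

# HOST_DN is quoted on this page; BROWSER_DN is constructed to mimic a browser
# display of the same certificate; SERVICE_DN prefixes the page's CN with a constructed path.
HOST_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=www.gridsite.org/emailAddress=hostmaster@hep.man.ac.uk"
BROWSER_DN = "E=hostmaster@hep.man.ac.uk, CN=www.gridsite.org, L=HEP, OU=Manchester, O=eScience, C=UK"
SERVICE_DN = "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=ldap/wombat.esc.rl.ac.uk"
```

Comparing `parse_dn` output rather than raw strings is what lets an access-control list match a DN regardless of which tool printed it.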

To use your personal certificate, the certificate and key must be installed in the following locations: ~/.globus/usercert.pem and ~/.globus/userkey.pem. If your key is held in a browser, you need to export and convert it first. Consult the CA's documentation to see how to do this for Firefox and MSIE.

Proxies

A proxy in this context is a Globus security invention, but proxy certificates are now an IETF standard, RFC 3820.

Basically, it is a short-lived certificate which is issued by your personal certificate (i.e. signed with your private key). The proxy also contains an unprotected private key. More precisely, the key is not protected by a passphrase, but it is stored in a file that is readable only by you (and root).

If your system is set up correctly, type the following to get a proxy:

grid-proxy-init

If it works, it should ask you for the passphrase of your private key. By default, it will generate a proxy with a lifetime of twelve hours. To see how long your proxy is valid, type

grid-proxy-info

If it says that it cannot find the proxy, or the validity is zero, then you either don't have a proxy or it has expired.

When you're done, you should destroy the proxy:

grid-proxy-destroy

What next?

If you want to know more, then go to the CA's documentation and see if you can find it there. If not, please submit your question as a query to the Grid Support centre.

There is also useful user documentation in LCG's certificates page and more user and proxy information in the excellent User Guide.