Grid Certification
GENERAL
Participating in national and international grid projects requires specific resources (e.g. servers) and an EUGridPMA-compliant user certificate. Grid certificates can be issued only by a Certification Authority (CA) accredited by EUGridPMA. EUGridPMA (also written EuroGridPMA) stands for European Policy Management Authority for Grid Authentication in e-Science.
The CA "DFN-Verein PCA Grid" provides EUGridPMA-compliant certificates for the servers and users of grid projects.
To obtain an electronic certificate, the user must appear in person and present an official identity document. To simplify this tedious procedure, so-called Registration Authorities (RA) were set up. They are recognized by a CA and take care of verifying the applicant's identity. Certificate applications are digitally signed by the RA and forwarded to the issuing department of the CA.
Since March 2008 the ZIH of the Dresden University of Technology has participated in the CA "DFN PCA Grid" and operates a Grid Registration Authority (Grid RA) for certificate requests. User and server certificates (for resources) can be requested via the Grid RA.
The application for both user and server-certificates consists of the following steps:
- Generating a certificate request
- Appearing in person at the Grid RA at ZIH
- Receipt of the certificate
The following values must be used in the certificate request (the page's own OpenSSL and Globus examples below use exactly these spellings):
Attribute | Values for User-Certificates     | Values for Server-Certificates
----------+---------------------------------+------------------------------------------
C         | DE                              | DE
O         | GridGermany                     | GridGermany
OU        | Technische Universitaet Dresden | Technische Universitaet Dresden
CN        | First name, last name           | Name of the server as registered in DNS
GENERATING A CERTIFICATE REQUEST
User-certificates
User certificates may be requested on the website of the TU Dresden Grid RA. There are three ways to apply for a user certificate:
1. Via the web interface of the TU Dresden Grid RA
The user certificate request can be generated directly in the web interface. Note that if you generate it this way, the key pair is stored in the browser. Go to the website of the TU Dresden Grid RA (under Certificates -> User certificate) and fill in the required data. You will then receive a confirmation HTML page containing a form with the required data. This form is your certificate request, which you can print.
2. Generate the certificate with OpenSSL
The command
openssl req -new -newkey rsa:2048 -sha1 -out usercert_request.pem
generates a new key pair: because no -keyout is given, the private key is written to the default file privkey.pem, and the certificate request (containing the public key) is written to usercert_request.pem.
In an interactive dialogue, you are asked for the various data of your certificate:
- A passphrase that protects your private key (at least 8 characters: a mixture of letters, special characters and digits)
- Country Name: DE
- Organization: GridGermany
- Organizational Unit: your institution (for TU Dresden: Technische Universitaet Dresden)
- Name (e.g. John M. Smith): your full name (without umlauts or special characters!)
Here's an example:
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GridGermany
Organizational Unit Name (eg, section) []:Technische Universitaet Dresden
Common Name (eg, YOUR name) []:Johann Sebastian Bach
Email Address []: jbach@tu-dresden.de
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You can check the data in the certificate request with:
openssl req -in usercert_request.pem -text
Upload your certificate request (usercert_request.pem) via the website of the TU Dresden Grid RA (under Certificates -> Server certificate -> select the user certificate profile) and fill in all details. You will then receive a confirmation HTML page with the required data. This form is your certificate request. Please print it.
3. Generate your certificate with Globus
Globus provides a more user-friendly tool. Use this command:
grid-cert-request -int
In an interactive dialogue you are asked for the various data of your certificate:
- A passphrase that protects your private key (at least 8 characters: a mixture of letters, special characters and digits)
- You will need this passphrase every time you "log in" to the grid.
- Country Name: DE
- Organization: GridGermany
- Organizational Unit: your institution (for TU Dresden: Technische Universitaet Dresden)
- Name (e.g. John M. Smith): your full name (without umlauts or special characters!)
In some installations the correct values are already set by default.
In the directory .globus in your home directory you will now find three files:
- Your personal key userkey.pem
- Your certificate application usercert_request.pem, and
- An empty certificate file usercert.pem, into which you copy the issued certificate in full so that Globus can use it.
Upload your certificate request (usercert_request.pem) to the website of the TU Dresden Grid RA (under Certificates -> Server certificate -> select the user certificate profile) and fill in all details. You will then receive a confirmation HTML page containing a form with the required data. This form is your certificate request. Please print it.
Server-Certificates
Server certificates may be requested on the website of the TU Dresden Grid RA. However, the request cannot be generated directly in the browser. There are two ways to apply for a server certificate:
1. Generate the certificate with OpenSSL
Generate the private key (without a passphrase) by typing:
openssl genrsa -out hostkey.pem 2048
and then the certificate request with:
openssl req -new -sha1 -key hostkey.pem -out servercert_request.pem
(The key is supplied with -key, so no -newkey option is needed; openssl ignores -newkey when -key is given.)
As the Common Name, enter the fully qualified server name (e.g. maschine.tu-dresden.de).
Here's an example:
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GridGermany
Organizational Unit Name (eg, section) []:Technische Universitaet Dresden
Common Name (eg, YOUR name) []:mymachine.zih.tu-dresden.de
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You can check the data in your certificate request with:
openssl req -in servercert_request.pem -text
Upload your certificate request (servercert_request.pem) to the website of the TU Dresden Grid RA and fill in the required information. You will then receive a confirmation HTML page containing a form with the required data. This form is your certificate request. Please print it.
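The OpenSSL steps for user and server requests above, as an added shell example that is not code from the original page or from DFN/ZIH: a non-interactive key and request generator using the subject values from the table, plus a pre-submission check that the request signature verifies and the subject contains exactly the expected C, O, OU and CN. It assumes openssl is on PATH; the function names and the GRID_PASSPHRASE variable are my own, and it signs with -sha256 rather than the -sha1 shown above.

```shell
#!/bin/sh
# Added example, not from the original page or from DFN/ZIH.
# Assumes openssl on PATH; function names and GRID_PASSPHRASE are assumptions.

GRID_DN_BASE="/C=DE/O=GridGermany/OU=Technische Universitaet Dresden"

# make_grid_csr KIND KEYFILE CSRFILE COMMON_NAME
#   KIND=user   -> passphrase-protected key (passphrase read from $GRID_PASSPHRASE)
#   KIND=server -> unencrypted key, as the page requires for host certificates
make_grid_csr() {
  kind=$1; key=$2; csr=$3; cn=$4
  subj="$GRID_DN_BASE/CN=$cn"
  case "$kind" in
    user)
      openssl req -new -newkey rsa:2048 -sha256 -subj "$subj" \
        -keyout "$key" -passout env:GRID_PASSPHRASE -out "$csr" 2>/dev/null ;;
    server)
      openssl genrsa -out "$key" 2048 2>/dev/null &&
        openssl req -new -key "$key" -sha256 -subj "$subj" -out "$csr" ;;
    *)
      echo "kind must be 'user' or 'server'" >&2; return 2 ;;
  esac
}

# check_grid_csr CSRFILE COMMON_NAME
# Succeeds only if the request's self-signature verifies and its subject
# holds exactly the C, O, OU and CN values from the table on this page.
check_grid_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 ||
    { echo "$1: request signature does not verify" >&2; return 1; }
  # sep_multiline prints "subject=" and then one indented "ATTR=value" line per RDN;
  # the sed strips the indentation so each line can be matched as a fixed string.
  subj=$(openssl req -in "$1" -noout -subject -nameopt sep_multiline | sed 's/^ *//')
  for rdn in "C=DE" "O=GridGermany" "OU=Technische Universitaet Dresden" "CN=$2"; do
    printf '%s\n' "$subj" | grep -qxF -e "$rdn" ||
      { echo "$1: missing or wrong attribute: $rdn" >&2; return 1; }
  done
  # Exactly 5 lines contain '=': the "subject=" header plus the four RDNs.
  # More means an extra RDN (e.g. a State or Locality not answered with '.').
  [ "$(printf '%s\n' "$subj" | grep -c '=')" -eq 5 ] ||
    { echo "$1: unexpected extra subject attributes" >&2; return 1; }
}
```

Run check_grid_csr on the request file before uploading it; it also works on requests produced interactively with the commands above.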
2. Generate a certificate with Globus
Use this command:
grid-cert-request -int -dir . -host server.tu-dresden.de
As the "Name", enter the full server name (e.g. server.tu-dresden.de).
Three files, hostcert.pem, hostkey.pem and hostcert_request.pem, will be created in your directory. The last of these is the certificate request that is submitted to the RA.
Upload your certificate request (hostcert_request.pem) to the website of the TU Dresden Grid RA and fill in the required information. You will then receive a confirmation HTML page containing a form with the required data. This form is your certificate request. Please print it.
PERSONAL APPEARANCE AT THE GRID RA (ZIH)
With a copy of an official I.D. or passport and the completed certificate request, please appear in person at the service desk of the TU Dresden.
RECEIPT OF THE CERTIFICATE
The Grid RA signs the submitted certificate request and forwards it to the CA for final signing. The CA then sends you the issued certificate, which you can use immediately for authentication on the grid.
FURTHER INFORMATION
Detailed information on certification and on the process of obtaining certificates can be found at the DFN PKI. There you will also find the CA policies and the corresponding CRLs.