National Energy Research Scientific Computing Center
  A DOE Office of Science User Facility
  at Lawrence Berkeley National Laboratory
  Sphinx CA policy

Usage Policy for Sphinx CA signing certificate

Sphinx CA signing certificate:

serial = 1C
subject = /DC=net/DC=ES/OU=Certificate Authorities/CN=sphinx.nersc.gov

Certificate Policy Statement:

  • The Sphinx CA certificate will only be used to sign short-lived end entity user certificates.
  • The Sphinx CA certificate will only be used to sign certificates for authorized NERSC users.
  • Certificates signed by this CA will have a persistent and unique Distinguished Name for a given user.
  • The DN for a user certificate will always be linked to one and only one individual user.
  • Users must authenticate to the CA service in a secure manner before they will be issued a certificate.
  • Certificates issued by this service will have a maximum lifetime of 7 days.
  • Certificates issued by the Sphinx CA will be of the form:
    /DC=gov/DC=nersc/OU=People/CN=*

Implementation Notes and Practices:

Under the current implementation:
  • The Certificate Authority and its signing certificate will reside on the host "sphinx1.nersc.gov".
  • NERSC will use a MyProxy-based service to generate short-lived user certificates in real time (a live online CA service).
  • Users will authenticate to the MyProxy service over a secure channel (SSL) and submit their authentication token to the service.
  • The MyProxy service will use PAM to authenticate users.
  • Authentication tokens will be either a NERSC One Time Password token or a NERSC LDAP username/password combination.
  • Upon successful authentication the credential service creates a new short-lived GSI credential for that user. The certificate carries a persistent DN (the same DN for a given user across multiple logins) that is also unique (no two users are ever issued the same DN).
  • Certificates are only issued to valid NERSC users: a user must have a valid NERSC login and either an associated password in the NIM-LDAP database or a valid NERSC One Time Password token.
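The notes above leave a relying party with four things it can verify from an issued certificate alone: it chains to the Sphinx CA signing certificate, its issuer DN is that certificate's subject, its own subject is of the form /DC=gov/DC=nersc/OU=People/CN=*, and its lifetime is at most 7 days. The script below is an added example, not NERSC's or MyProxy's code. It builds a throwaway CA with the Sphinx subject given on this page, signs three constructed user certificates (one that follows the policy, one issued for 30 days, one under OU=Services), and checks each with the OpenSSL command line. The CN "Example User", the file names, the 365-day lifetime of the throwaway CA and the use of the openssl binary are assumptions; the user-authentication and PAM steps happen on the server and are not modelled here.

```shell
#!/bin/sh
# Added example (not NERSC code): check a presented certificate against the
# Sphinx CA policy stated on this page. A throwaway CA and user keys are
# generated here so the script runs offline. The CA and user DN forms are the
# ones the page gives; the CN "Example User" and file names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Policy constants from the page. OpenSSL's RFC 2253 output lists RDNs in
# reverse order, so /DC=net/DC=ES/OU=.../CN=... prints as CN=...,OU=...,DC=ES,DC=net.
SPHINX_ISSUER="CN=sphinx.nersc.gov,OU=Certificate Authorities,DC=ES,DC=net"
MAX_LIFETIME=$((7 * 86400))   # "maximum lifetime of 7 days"

# Minimal req config so the throwaway CA is a real CA certificate regardless
# of what the system openssl.cnf contains.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
DC = net
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# issue_cert SUBJECT DAYS NAME: sign an end-entity certificate with the throwaway CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days "$2" -out "$WORK/$3.crt" 2>/dev/null
}

# Constructed fixtures: the CA itself, one certificate that follows the policy
# and two that violate it (too long-lived; wrong subject branch).
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/req.cnf" \
    -subj "/DC=net/DC=ES/OU=Certificate Authorities/CN=sphinx.nersc.gov" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue_cert "/DC=gov/DC=nersc/OU=People/CN=Example User" 7 good
  issue_cert "/DC=gov/DC=nersc/OU=People/CN=Example User" 30 too_long
  issue_cert "/DC=gov/DC=nersc/OU=Services/CN=Example Host" 7 bad_subject
}

# to_epoch "Jan  8 12:34:56 2025 GMT" -> seconds since the epoch (GNU date, BSD fallback).
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$1" +%s
}

# check_cert FILE: return 0 if FILE satisfies every policy statement that can be
# verified from the certificate alone, 1 (with a reason on stdout) otherwise.
check_cert() {
  cert=$1
  # Chains to the Sphinx CA signing certificate.
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 \
    || { echo "reject: not signed by the Sphinx CA"; return 1; }
  # Issuer DN is exactly the Sphinx CA certificate's subject.
  issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" | sed 's/^issuer=[[:space:]]*//')
  [ "$issuer" = "$SPHINX_ISSUER" ] || { echo "reject: issuer '$issuer'"; return 1; }
  # Subject is of the form /DC=gov/DC=nersc/OU=People/CN=*: exactly four RDNs,
  # a non-empty CN, and nothing extra smuggled in between.
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject=[[:space:]]*//')
  rdns=$(printf '%s' "$subject" | tr -cd ',' | wc -c)
  case $subject in
    CN=?*,OU=People,DC=nersc,DC=gov) [ $((rdns)) -eq 3 ] || { echo "reject: subject '$subject'"; return 1; } ;;
    *) echo "reject: subject '$subject'"; return 1 ;;
  esac
  # Lifetime (notAfter - notBefore) is at most 7 days.
  not_before=$(openssl x509 -noout -startdate -in "$cert" | sed 's/^notBefore=//')
  not_after=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
  lifetime=$(( $(to_epoch "$not_after") - $(to_epoch "$not_before") ))
  [ "$lifetime" -le "$MAX_LIFETIME" ] \
    || { echo "reject: lifetime ${lifetime}s exceeds 7 days"; return 1; }
  echo "accept: $subject (lifetime ${lifetime}s)"
}

make_fixtures
for name in good too_long bad_subject; do
  check_cert "$WORK/$name.crt" || true
done
```

Against a real certificate, point -CAfile at the genuine Sphinx CA certificate instead of the throwaway one and drop the fixture generation. The lifetime test compares the certificate's own notBefore and notAfter rather than using openssl's -checkend, so a long-lived certificate is rejected even when it happens to be close to expiry; the RDN count guards against subjects such as CN=x,OU=Other,OU=People,... that a simple glob would accept.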

Contacts:

Primary Contact: Shreyas Cholia <scholia AT lbl.gov>
Security Contact: Steve Chan <sychan AT lbl.gov>

Page last modified: Mon, 23 Jul 2007 23:18:44 GMT
Page URL: http://www.nersc.gov/nusers/services/Grid/sphinxCA.php
Web contact: webmaster@nersc.gov
Computing questions: consult@nersc.gov
