Fermilab Computing Division

How to get a DOEGrids Certificate for
Fermilab Hosts or Services (Grid and Web)

Introduction

Getting a host/service certificate involves using OpenSSL to generate a certificate request and a private key which you then provide to DOEGrids via its website. You will need to protect your private key from access by other users. DOEGrids will generate a certificate and ... If the certificate is for a service, you will need to import the certificate into your service application and configure it; these steps are application-dependent. If it is for a host, instructions are provided in the OSG CE Install Guide.

Get Certificates for Grid Host/Services using Globus Toolkit (Linux)

Instructions for participants in FermiGrid are available in the FermiGrid User Install Guide and the FermiGrid Administration Guide.

Instructions for participants in Open Science Grid are available in the OSG CE Install Guide. In particular, see the section Configure the Public Key Infrastructure. These instructions assume that the OSG CE package (based on the Virtual Data Toolkit, VDT) is installed on your machine. The only required package for getting host/service certificates, however, is the Globus Toolkit, which is packaged with VDT.

See the Fermilab Grid Access Control Policy.

Get Certificates for Web Host/Services (UNIX/Linux and Windows)

In order to request a web host certificate from the DOEGrids CA, a certificate request must be generated using a recent version of OpenSSL. OpenSSL version 0.9.7a or later is known to work with DOEGrids.

OpenSSL is already available in Fermi Linux. In Linux, the OpenSSL version can be checked with the command:

openssl version

If OpenSSL is not installed on your system, use "yum install openssl" to do so.

For Microsoft Windows, a command-line version of OpenSSL is available in any of a few ways:

  1. As part of Cygwin, if you have installed the cygwin tools and specified inclusion of OpenSSL.
  2. As part of the Windows KCA and command line Kerberos utilities, Get Cert
  3. As part of the Fermi Kerberos Client-only for Windows/Cygwin, which can be found at: ftp://ftp.fnal.gov/pub/fnal-kerberos-clientonly/current/FNAL-kerberos-clientonly-cygwin.zip
  4. Install a native OpenSSL command-line utility for Windows, which can be downloaded from: Win32 OpenSSL (Shining Light Productions) or from the local Security Tools repository at Native OpenSSL for Windows

For options 2 and 3, you will need to modify the PATH system environment variable to add the directory with the tools and libraries to the search path for commands.

In all cases, for both Windows and Linux (the remainder of the instructions are OS-independent), you will also need a configuration file to be passed to the OpenSSL command. One of several versions of this text file can be downloaded for this purpose (the configuration files for hosts with 2 or more DNS names were modified on October 9, 2007, because the DOEGrids CA no longer accepts requests with multiple Common Names (CNs) in the Distinguished Name; a single CN containing a regular expression must now be used for multi-homed systems):

Now you're ready to run the openssl command to generate the certificate request. We'll assume that the configuration file is named doegrids-host-ssl.conf, and that it's in the current directory (from which you'll execute the command), and that your fully-qualified domain name is nonesuch.fnal.gov. To generate a certificate request given these specifics, the OpenSSL command would look like:

openssl req -new -keyout nonesuch.key -nodes -out nonesuch.req -config doegrids-host-ssl.conf

This command writes the certificate request to the file nonesuch.req in the current directory. It also writes the private key into the file nonesuch.key.

Save the .req file so that you can reuse it when your first certificate expires and it's time to request a new host/service cert. Currently these certificates are not renewable.

You MUST protect the private key (e.g., nonesuch.key) from access by other users. We recommend that you copy the file to a floppy or other storage device which you store in a safe and secure place, and then delete the file from your computer.

Here is an example of the screen output generated by this command:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........++++++
....++++++
writing new private key to 'nonesuch.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 DomainComponent [org]:
Level 1 DomainComponent [doegrids]:
Level 0 DomainComponent [org]:
Level 1 DomainComponent [doegrids]:
Certificate category [Services]:
Name (e.g., foo.bar.com) []:nonesuch.fnal.gov
 

You MUST select the default by pressing Enter in response to all the prompts except for the Name prompt where you enter the fully-qualified domain node name (nonesuch.fnal.gov in this example). You will also want to print to screen the generated certificate request (e.g., nonesuch.req) using the command:

openssl req -text -in nonesuch.req

or open it in a text editor in order to verify that the Subject is correct and then to select the Base64-encoded certificate request that is between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines for copying. Be sure to include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines in the copied text.

Certificate Request:
     Data:
        Version: 0 (0x0)
        Subject: DC=org, DC=doegrids, OU=Services, CN=nonesuch.fnal.gov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b8:39:e1:13:af:8c:98:23:5f:88:ca:13:48:06:
                    31:f8:93:e6:df:0c:d4:4c:c4:a6:1c:0f:d0:4f:92:
                    69:d7:64:31:46:36:47:36:66:a0:b4:fc:e0:91:3f:
                    53:af:5f:32:ed:c4:36:1d:4e:ef:da:25:36:6b:a0:
                    92:f6:60:65:4b:5e:4a:ef:fb:16:d8:a8:11:f1:2b:
                    3d:a0:fe:56:99:34:b1:83:d5:24:b6:46:b2:d1:96:
                    3b:c2:1b:e5:47:75:ff:1a:c2:3d:3a:9f:fb:42:c6:
                    cf:b4:f4:e2:fa:f0:94:a4:af:87:13:4b:b8:a4:61:
                    aa:93:0c:71:59:7f:31:b6:e7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
     Signature Algorithm: md5WithRSAEncryption
        05:f0:a8:97:f1:29:44:40:03:14:6a:0b:97:b6:63:87:84:7b:
        c2:11:da:d0:7a:1d:3f:f1:d2:3e:6c:7d:13:98:1f:91:e0:fa:
        ce:08:c4:3e:d4:04:20:79:9d:81:a8:5c:cb:a5:1c:56:b7:09:
        ed:aa:1b:63:6e:2a:23:57:38:01:0d:b2:28:ea:41:32:9f:29:
        16:27:49:2b:68:0c:27:9b:25:71:53:0e:35:16:e0:be:29:35:
        8e:f5:45:97:d5:91:b8:8b:83:3e:73:ae:8b:f7:b5:f0:8a:8f:
        39:6d:1b:04:a7:94:dd:cd:8c:20:73:1d:d3:2c:74:c9:0c:cb:
        de:d8
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
 

  • Now go to the DOEGrids home page and click on the Certificate Service under the Service Links in the left-hand frame on the page. This will take you to the DOEGrids Certificates Services page.
  • From there, make sure the Enrollment tab is active, and select "Grid or SSL Server" from the left-hand menu.


  • Paste the copied text (again, from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST, inclusive) into the large text entry box labelled PKCS #10 Request. This box displays instructions to Paste the PKCS #10 request into this text area.
  • Make up and enter a Challenge Phrase password, which will be required for renewing the certificate. You'll need to remember it, so save it in a safe place.
  • Enter your name as the server administrator, your e-mail address and phone number in the specified fields.
  • In the Affiliation pull down menu, select FNAL (FNAL is usually correct for FNAL-owned servers).
  • In the comments block, please describe the purpose of the certificate being requested as well as your Fermilab Division and department or experiment to assist the personnel who will assess and approve your certificate request.
  • Upon submission, your request will be forwarded to the appropriate CA per the affiliation you selected.
  • After your request has been accepted and signed by DOEGrids (it may take a few hours), you will receive an email with a link to retrieve your newly signed certificate.
  • Navigate to the URL given in the email message.
  • Scroll down the web page to the 'Installing this certificate in a server' section.
  • Separately, create a new text file on your system into which you will copy your certificate contents. (It will become the pem file which you will import.)
  • Select and copy the contents from the section 'Base 64 encoded certificate' starting with the
    -----BEGIN CERTIFICATE----- header and ending with the
    -----END CERTIFICATE----- footer. Be sure to include the header and footer.

      Example:

 

  • Paste this contents into your new text file.
  • Open the key file, e.g., nonesuch.key, in an editor. Select all the text in this file, including the lines BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY.

     Example:

 

  • Paste this text at the end of the new text file into which you previously pasted the certificate from the DOEGrids website. The new file should now look similar to this:

  Example
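The request generation and Subject check described earlier, together with the certificate-plus-key pem file assembled in the steps above, scripted as an added example (this is not the page's or DOEGrids' own code). It assumes OpenSSL is on the PATH; nonesuch.fnal.gov is the page's example host, and the self-signed certificate at the end is a constructed stand-in for the DOEGrids-issued one, used only to demonstrate assembling the pem file and checking that its certificate and key belong together.

```shell
# Added example, not from the Fermilab page. Assumes OpenSSL is installed.
# nonesuch.fnal.gov is the page's example host; the self-signed certificate
# below is a constructed stand-in for the DOEGrids-issued certificate.
set -e
command -v openssl >/dev/null || { echo "openssl not found"; exit 0; }
HOST=nonesuch.fnal.gov
WORK=$(mktemp -d); cd "$WORK"

# Stand-in for doegrids-host-ssl.conf: non-interactive, fixed DN of
# DC=org, DC=doegrids, OU=Services, CN=<host>, as in the page's output.
write_conf() {
  cat > doegrids-host-ssl.conf <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
[ req_dn ]
0.DC = org
1.DC = doegrids
OU   = Services
CN   = $1
EOF
}
# Generate key + request. umask 077 makes the key file owner-only from the
# moment it is written, so no other user can read it even briefly.
make_request() {
  write_conf "$1"
  (umask 077 && openssl req -new -nodes -keyout "$1.key" -out "$1.req" \
      -config doegrids-host-ssl.conf 2>/dev/null)
}
# Subject of a request in RFC 2253 form (stable across OpenSSL versions).
req_subject() { openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
# "------" means the key file has no group/other permission bits at all.
key_mode_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }
# Build the pem file the page describes (certificate first, then key) and
# confirm the two halves belong together by comparing their RSA moduli.
bundle_matches() {
  cat "$1" "$2" > bundle.pem
  [ "$(openssl x509 -noout -modulus -in bundle.pem)" = \
    "$(openssl rsa -noout -modulus -in bundle.pem 2>/dev/null)" ]
}

make_request "$HOST"
req_subject "$HOST.req"
key_mode_private "$HOST.key" && echo "key is owner-only"
openssl x509 -req -in "$HOST.req" -signkey "$HOST.key" -days 30 -out "$HOST.crt" 2>/dev/null
bundle_matches "$HOST.crt" "$HOST.key" && echo "certificate and key match"
```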

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on October 10, 2007.
(Address comments about page to the Computer Security Team.)