FusionGrid: Cert Web interface

Web Interface for obtaining a FusionGrid ID

Both CAs provide a similiar Web interface to request, retrieve and renew certificates. If you want to manage certificates on your local machine and use your Web browser to manage them use the following instructions.

Use a Web browser to get a X.509 identity certificate from the CA:
- Go to http://pki1.doegrids.org to get a credential from the DOE Grids CA
- Go to http://ca.fusiongrid.org:9001 to get a credential from the FusionGrid CA.
Export credential from browser
Reformat credential so that grid-proxy-init can use it.
Use grid-proxy-init to signon to Grid

A detailed description of the whole process can be found at DOE Grids CA How To. A few notes are given below, but please refer to the web page for the actual procedures that you must follow.

Requesting a Certificate

The DOE Grids CA issues user certificates to members of several DOE funded High Energy Physics Grids, as well as the FusionGrid, so it is important to identify yourself as a member of the FusionGrid when requesting a certificate. The request form includes an entry for your organization which should be set to the FusionGrid and for a sponsor. The current FusionGrid sponsors are:

Doug McCune - PPPL
Martin Greenfield - MIT
Dave Schissel - GA
Kate Keahy - Argonne Nat'Lab
Mary Thompson - LBNL (serves as RA for the FusionGrid)

One of these people needs to know who you are and why you are requesting a certificate, in order for the certificate to be issued.

Certificate Issuing Process

You request a certificate by filling out a browser form. In the process of filling in the form, your browser will create two encryption keys, one private which is placed in your browser's key database and one public which is included in a certificate request which is sent to the DOEGrids CA. That server sends mail to all of the DOEGrids Registration Authorities (RA) in a message that includes only the affiliation/VO name that you selected and your email address. Your RA has to recognize it as belonging to her, go to the CA web site to look at the request and see who the sponsor is. The RA sends email to the sponsor to approve the request and once it is approved issues the certificate. You should receive mail from the CA server within 1-2 working days after you make your request.

You then need to go to the URL you received in the same browser from which you made your request. Only that browser has your private key, and a browser will not accept a certificate for which it does not have the private key.

The browsers use JavaScript (Netscape) or activeX (IE) both when requesting and accepting certificates, so they must be enabled. Netscape 4.7x and 7.x on both Unix and Windows machines normally work, as will IE 1.5 and 1.6. However, in the case of IE both your Windows system and Explorer need to have the current patches installed. Mozilla and Opera have also been used successfully.

If you have problems or are not getting a response within 2 days, please send queries to your RA, Mary Thompson

You can get rid of the warnings or errors about trusted certificates in your web browser by importing the DOEGrids CA certificate. Go to http://pki1.doegrids.org -> retrieval tab -> Import CA Certificate chain (in menu), use the preselected option Import CA certificate chain into your browser.

Exporting your Credential from the Broswer

Your X.509 credential consists of two pieces: a private key which should be closely guarded and an X.509 certificate that contains your distinguished name and your public key. This certificate needs to be available to all the FusionGrid sites that you plan to access. Both Mozilla and IE browsers allow you to export the two pieces in a single pkcs12 file. Since this file contains the private key, it should be protected by passphrase.

Reformating the Credential

The Globus grid-proxy-init program wants the credential stored in two files: one containing the private key in an encrypted pkcs8 format, read-only by owner, file; the other containing the X509 certificate as a base64 DER encoded file. The Globus client-side software provides the openssl tool that is used to convert and view various PKI formats. You should end up with two files in your $HOME/.globus directory:

userkey.pem (encrypted private key, read-only by owner)
usercert.pem - X.509 certificate

To extract the key from a pkcs12 file use:


    
    openssl pkcs12 -in file.p12 -nocerts -out $HOME/.globus/userkey.pem

    
chmod 400 $HOME/.globus/userkey.pem

To extract the certificate from a pkcs12 file use:


    
    openssl pkcs12 -in file.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem

Renewing your certificate

Due to the policy contstaints of the DOEGrids CA certificates are only valid for one year. Certificates from the FusionGrid CA are valid for two years. There are two ways to renew a certificate: using the renewal tab which gives you a certifcate with the same keypair, but that is not valid until the current one expires; or the replacement certificate menu item which gives a certificate with a new keypair that is valid immediately. Both certificates are issued automatically as long as you have the current credentential in your browser, and have the identical distinguised name, so that no gridmap modifications are reqiured in order to use it. As when you requested a certificate go to:

https://pki1.doegrids.org to renew a credential from the DOE Grids CA
https://ca.fusiongrid.org:9002 to renew a credential from the FusionGrid CA.

Home | The National Fusion Collaboratory Project

Last modified Wednesday, 27-Jun-2007 10:23:21 PDT Comments?