Difference between revisions of "Certificates"

From SNIC Documentation
(Import from the SNIC Plone page)

Revision as of 13:37, 17 June 2011



To get access to compute and storage resources on the grid, you must have a valid grid client certificate. This certificate is used instead of a regular password as the authentication mechanism when accessing a resource. There is no need for a special account or username; everything is resolved through the unique certificate id.


  • The grid certificate consists of 2 files located in ~/.globus on the host(s) from which you will be accessing resources:
     usercert.pem -- grid certificate
     userkey.pem -- the private key, be careful with this file.
  • The certificate is personal and only bound to you as a person (it consists of a name, organisation and an e-mail address). It is not bound to a specific machine or a user name.
  • The certificate is valid for 1 year only; after that it must be renewed.
  • The private key is encrypted using a password of your choice. Anyone who can decrypt this private key will be able to authenticate as you wherever this grid certificate is used for authentication (the public key, on the other hand, is public, and may be readable by others).
  • The private key should therefore be handled with great care. On every machine where it exists, it must be readable only by you (i.e. chmod 400 userkey.pem). Any transfer of the private key between computers must be done over an encrypted channel (such as scp, sftp, rsync over ssh, etc.).
  • You must choose a strong password for the private key. This password must not be used anywhere else and should not be easily cracked. You must never ever give away the password to somebody else.
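
The handling rules in the list above can be checked mechanically. The script below is an added example, not part of the original SNIC page: the function names, the script name check_globus.sh and the 30-day expiry warning window are assumptions, and only standard POSIX tools plus openssl are used.

```shell
#!/bin/sh
# Added example: audit ~/.globus against the handling rules listed above.
# Function names and the 30-day warning window are assumptions of this example.

# True if the file exists and group/other have no permissions (mode 400 or 600).
key_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the "ls -l" mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the PEM file is passphrase-encrypted: PKCS#8 uses an
# "ENCRYPTED PRIVATE KEY" label, traditional PEM a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null
}

# True if the certificate stays valid for at least $2 more days.
# "openssl x509 -checkend N" exits non-zero if the cert expires within N seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks on a directory (default ~/.globus); returns 1 if any check fails.
audit_globus() {
    dir=${1:-"$HOME/.globus"}
    rc=0
    key_is_private "$dir/userkey.pem" ||
        { echo "FAIL: userkey.pem missing or accessible to group/other (chmod 400)"; rc=1; }
    key_is_encrypted "$dir/userkey.pem" ||
        { echo "FAIL: userkey.pem is not passphrase-encrypted"; rc=1; }
    cert_valid_for_days "$dir/usercert.pem" 30 ||
        { echo "WARN: usercert.pem missing, unreadable or expiring within 30 days"; rc=1; }
    return "$rc"
}

# Run the audit only when invoked as: sh check_globus.sh audit [directory]
if [ "${1:-}" = "audit" ]; then
    audit_globus "${2:-}"
fi
```

The encryption check only reads the PEM headers, so it never needs the passphrase and never writes the key anywhere.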

For more information regarding certificates and public key cryptography:

http://en.wikipedia.org/wiki/Public-key_cryptography
http://en.wikipedia.org/wiki/Public_key_certificate

Getting a certificate

For details: http://ca.nordugrid.org

For many details: http://www.nordugrid.org/documents/certificate_howto.html

Another description: http://www.nsc.liu.se/systems/storage.html#Getting%20a%20Grid%20Certificate

Cheat Sheet

Create a certificate request together with a private key by executing the following in the terminal on the machine you have logged in to:

grid-cert-request -interactive

  1. Come up with a strong pass phrase that is used to encrypt the private key (write it down and keep it in a secure place, e.g. your wallet).
  2. Press the ENTER key when asked about "Level 0 Organization Name" and "Level 1 Organization Name" (i.e. they should be left unaltered as "Grid" and "Nordugrid").
  3. The domain is the part of your department's e-mail address after '@'. MISU users should enter misu.su.se as "Your Domain"; SMHI users should enter smhi.se.
  4. Fill in your name. WARNING: only ASCII characters are valid; for example, 'å', 'ä' and 'ö' are not valid and should be replaced with their ASCII equivalents.
  5. Fill in your e-mail address used at work.

When finished, something like the following should be displayed:

A private key and a certificate request has been generated with the subject:
/O=Grid/O=NorduGrid/OU=nsc.liu.se/CN=Jens Larsson/Email=jens@nsc.liu.se

Send the certificate request to the local Registration Authority (RA), if any, or directly to the NorduGrid CA at ca@nordugrid.org

Getting a certificate without grid-cert-request

If you don't have the grid tools available for creating the CSR, you can use OpenSSL directly. Modify OU and CN as necessary.

openssl req -new -newkey rsa:2048 \
   -out usercert_request.pem -keyout userkey.pem \
   -subj "/O=Grid/O=NorduGrid/OU=nsc.liu.se/CN=Kalle Kula/emailAddress=kalle@nsc.liu.se"