
Obtaining a grid certificate

The first step in acquiring a certificate is to create a certificate request. This is done using the grid-cert-request -int command (the -int option means interactive usage). When run, the tool generates a certificate request and a private key. The tool also asks for a pass phrase to protect the private key. Note that if the pass phrase is lost, a new certificate must be obtained. The process is shown below:

First the private key is generated:

[user@host]$ grid-cert-request -int
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf
Generating a 1024 bit RSA private key
.....................................++++++
....................++++++
writing new private key to '/home/user/.globus/userkey.pem'

To protect the private key from unauthorized access it is encrypted using a pass phrase. If this pass phrase is empty, anyone with access to your private key and certificate can gain access to the resources you have been granted. The pass phrase should also be different from your normal login password, so that if your local system has been compromised the private key is still protected.

Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Next, you have to provide information about yourself so that you can receive a Distinguished Name (DN). This is your unique identifier on the grid. The first two questions regard the organization to which you will belong; in this case the main organization is Grid and the secondary is NorduGrid.

-----
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are
quite a few fields but you can leave some blank For some fields
there will be a default value, If you enter '.', the field will be
left blank.
-----
Level 0 Organization Name (do not modify) [Grid]:
Level 1 Organization Name (do not modify) [NorduGrid]:

The following questions regard your affiliation domain and your email. It is important that your domain and the domain in the email address are the same.

Your Domain [example.org]:mydomain.org
Name (e.g., Hans Christian Andersen) []:Joe User
Email address (e.g., h.c.andersen@example.org) []:joe.user@mydomain.org

Finally the private key and a certificate request are generated.

A private key and a certificate request has been generated with
the subject:

/O=Grid/O=NorduGrid/OU=mydomain.org/CN=Joe User/Email=joe.user@mydomain.org

If the CN=Joe User/Email=joe.user@mydomain.org is not appropriate,
rerun this script with the -force -cn "Common Name" options.

Your private key is stored in /home/joe/.globus/userkey.pem
Your request is stored in /home/joe/.globus/usercert_request.pem

Please e-mail the request to the NorduGrid Certification Authority
ca@nbi.dk You may use a command similar to the following:

  cat /home/jonas/.globus/usercert_request.pem | mail ca@nbi.dk

Only use the above if this machine can send AND receive e-mail. if
not, please mail using some other method.

Your certificate will be mailed to you within two working days. If
you receive no response, contact NorduGrid Certification Authority
at ca@nordugrid.org

The certificate request file, usercert_request.pem, should be mailed to your local registration authority (RA). For SweGrid this is:

Send the request to the center that is closest to you.

Installing Certificate

The grid-cert-request -int command generates two files, userkey.pem and usercert_request.pem, in a subdirectory called .globus in your home directory. The userkey.pem file is your private key and should not be world readable. This can be achieved with the following commands:

[user@host]$ cd ~/.globus
[user@host .globus]$ chmod 400 userkey.pem

The certificate authority will mail a signed certificate to you. The important part is marked as shown below:

-----BEGIN CERTIFICATE-----
xasdj ...
-----END CERTIFICATE-----

Copy the part shown above, including the marked BEGIN and END lines, into the file usercert.pem in the .globus directory located in your home directory.
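The copy step and the key protection described above can be scripted and checked. The following is an added example, not part of the original guide or of the Globus tools; the function names extract_cert and check_key are hypothetical, and it assumes the CA's reply has been saved to a text file.

```shell
#!/bin/sh
# Added example, not from the SweGrid guide; function names are hypothetical.

# extract_cert MAIL OUT: copy the certificate block, marker lines included,
# from a saved CA e-mail into OUT. Fails unless exactly one complete block exists.
extract_cert() {
    mail=$1 out=$2 tmp="$2.tmp.$$"
    begin='-----BEGIN CERTIFICATE-----' end='-----END CERTIFICATE-----'
    # Drop CRs (mail bodies are often CRLF), keep only the BEGIN..END range.
    tr -d '\r' < "$mail" | sed -n "/^$begin\$/,/^$end\$/p" > "$tmp"
    if [ "$(grep -cFx -- "$begin" "$tmp")" -ne 1 ] ||
       [ "$(grep -cFx -- "$end" "$tmp")" -ne 1 ]; then
        echo "no single complete certificate block in $mail" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# check_key KEY: succeed only if KEY has no group/other permission bits
# and its PEM header shows that it is encrypted with a pass phrase.
check_key() {
    key=$1 rc=0
    [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    if [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is accessible to group/other; run: chmod 400 $key" >&2
        rc=1
    fi
    # Traditional OpenSSL keys carry a Proc-Type header, PKCS#8 keys an
    # ENCRYPTED marker line; a key saved with an empty pass phrase has neither.
    if ! grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)$' "$key"; then
        echo "$key is not protected by a pass phrase" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh install-cert.sh saved-mail.txt   (script name is an assumption)
if [ "$#" -eq 1 ]; then
    extract_cert "$1" "$HOME/.globus/usercert.pem" &&
        check_key "$HOME/.globus/userkey.pem"
fi
```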

 
