08/03/2006
Registration Authority  
Requesting a Host/Service Certificate

NOTE: If you have not requested to be added to the GridAdmin privileged list, please send mail to the iVDGL RA requesting addition to this list. You will not be able to retrieve your Host/Service Certificate without being added.

  1. Read and agree to the Subscriber Obligations specified in section 2.1.2 of the DOEGrids Certificate Policy and Certificate Practice Statement (CP/CPS).

    The CP/CPS is a PDF document you can find here.

  2. Obtain a valid personal certificate from the DOEGrids CA.

    Administrators must first obtain a valid personal certificate from the DOEGrids CA before submitting a request for a host or service certificate. To request a personal certificate see the links on the left.

  3. Configure your Globus installation if necessary.

    The subject of host/service certificates issued by the DOEGrids CA must take a particular form. Specifically, the subject of a host certificate must be of the form

    /DC=org/DC=doegrids/OU=Services/CN=FQDN

    or

    /DC=org/DC=doegrids/OU=Services/CN=host/FQDN

    where FQDN is the fully qualified domain name of the host. Here is an example:

    /DC=org/DC=doegrids/OU=Services/CN=host/basil.phys.uwm.edu

    The subject of a service certificate must be of the form

    /DC=org/DC=doegrids/OU=Services/CN=SERVICE/FQDN

    where SERVICE is the name of the service. Here is an example:

    /DC=org/DC=doegrids/OU=Services/CN=ldap/basil.phys.uwm.edu

    If you have installed from the VDT this will be set up with installation.

    Otherwise the easiest way to generate host or service certificate requests with the proper form for the subject field is to download and install a set of auxiliary files provided by the DOEGrids CA.

    Please follow these instructions as user root to download the auxiliary files (if you do not wish to configure your Globus installation as user root, refer to the Globus web pages for assistance):

    • Make sure the GLOBUS_LOCATION environment variable is properly set.
    • Download the file doegrids.tar and place it in the directory /etc/grid-security
    • Change directories to /etc/grid-security and untar the file:
       cd /etc/grid-security
       tar -xf doegrids.tar

    If you do not choose to download and install the auxiliary files you may override your installation defaults during the actual certificate request generation using grid-cert-request. Please refer to the Globus web pages for assistance.

  4. Generate a certificate request for your host or service.

    Most administrators will want to follow these instructions as user root.

    • Make sure the GLOBUS_LOCATION environment variable is properly set.
    • In what follows substitute the fully-qualified domain name of your host for FQDN.
    • For a host certificate run the following in your shell:
       /etc/grid-security/doegrids/doegrids-cert-request -host FQDN
    • For a service certificate run the following in your shell and substitute the name of your service for SERVICE:
       /etc/grid-security/doegrids/doegrids-cert-request -host FQDN -service SERVICE
    • Verify that the subject name of the certificate request, which is output to your terminal, has the proper form as detailed above.

    At this point you have generated a certificate request. For a host certificate the request is contained in the file

    /etc/grid-security/hostcert_request.pem

    For a service certificate the request is contained in the file

    /etc/grid-security/SERVICE/SERVICEcert_request.pem

    where SERVICE is the name of your service.

    To see the certificate request use cat to view the file. The end of the file should look similar to this:

    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

    The request still needs to be sent to the DOEGrids CA.

  5. Use GridAdmin to submit your certificate request to the DOEGrids CA.

    NOTE: Your web browser will need to be loaded with your PKCS12 (.p12) certificate file.

    1. Click on GridAdmin Interface in the left panel.

    2. Paste your SSL/Grid Server Certificate request in the text box labeled PKCS10 Request

    3. Enter your email address

    4. Select your Virtual Organization

    5. Click Submit

    6. You will be asked to provide your DOEGrids CA Certificate; upon successful authentication you will be provided your Host/Service certificate.

    7. You can ignore or cancel any pop ups

    8. Your certificate will be displayed below the Enrollment Success message.
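
The subject check in step 4 can be scripted and run before the request is pasted into GridAdmin. This is an added example, not code from the iVDGL RA, DOEGrids or Globus; the function names, the accepted service-name characters and the use of `openssl req -nameopt compat` to print the subject in slash-separated form are assumptions.

```shell
#!/bin/sh
# Added example (not DOEGrids or Globus code): check a request's subject
# against the host/service forms given on this page before submitting it.
PREFIX='/DC=org/DC=doegrids/OU=Services/CN='
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'

# valid_fqdn NAME: two or more DNS labels, 253 characters at most.
valid_fqdn() {
    case $1 in *[!A-Za-z0-9.-]*) return 1 ;; esac
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq "^($LABEL\.)+$LABEL\$"
}

# check_subject SUBJECT [EXPECTED_FQDN]: prints "host FQDN" or
# "service NAME FQDN" and returns 0 if the subject is well formed.
check_subject() {
    subject=$1; expected=${2:-}
    case $subject in
        "$PREFIX"*) cn=${subject#"$PREFIX"} ;;
        *) echo "subject does not start with $PREFIX" >&2; return 1 ;;
    esac
    case $cn in
        */*/*) echo "CN has more than one '/'" >&2; return 1 ;;
        */*)   service=${cn%%/*}; fqdn=${cn#*/} ;;
        *)     service=host; fqdn=$cn ;;
    esac
    # Service-name character set is an assumption, not a DOEGrids rule.
    case $service in ''|*[!A-Za-z0-9_-]*)
        echo "bad service name" >&2; return 1 ;; esac
    valid_fqdn "$fqdn" || { echo "CN host part is not an FQDN" >&2; return 1; }
    if [ -n "$expected" ]; then
        a=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
        b=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
        [ "$a" = "$b" ] || { echo "CN is for $fqdn, not $expected" >&2; return 1; }
    fi
    if [ "$service" = host ]; then echo "host $fqdn"
    else echo "service $service $fqdn"; fi
}

# csr_subject FILE: subject of a PEM request in slash-separated form
# (assumes an openssl binary is installed; not part of the Globus tools).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Constructed sample subjects; the second lacks a domain and is rejected.
for s in "${PREFIX}ldap/basil.phys.uwm.edu" "${PREFIX}host/basil"; do
    if check_subject "$s" 2>/dev/null; then :; else echo "REJECT $s"; fi
done
```

To check the file written in step 4, pass it through both functions: `check_subject "$(csr_subject /etc/grid-security/hostcert_request.pem)" FQDN`.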
Supported by the National Science Foundation