-- DavidBannon - 02 Mar 2006

How to request an APAC Grid Host Certificate.

A certificate request can be generated using the GUICertTool. The RA may need to change the request from User to Host (Web Server) and remove the email address from Subject and Subject alternative name.

The following is a method for obtaining an APAC Grid Host Certificate using the command line tool "grid-cert-request". It is most suitable for use on a Globus-equipped machine. It does not have to be run on the machine the certificate will be used on, but it can be if that machine has been set up appropriately. Other APAC Grid machines that are set up to generate user certificates will also generate suitable host certificate requests. You will probably vary these instructions a little depending on where you are generating the request.

How to check if your facility has "grid-cert-request" installed.

  • ssh/putty into your command line log in account.

  • Check whether grid-cert-request is installed by typing "grid-cert-request -help". If you get an error like "command not found", one of the following is the likely cause:
    • The machine doesn't have Globus installed appropriately.
    • grid-cert-request is not in your path.

Step by step process.

  • ssh/putty into your command line log in account.
  • If you are working on the machine where the certificate will be used
    • become root so you can write into /etc/grid-security/.
    • enter the command: grid-cert-request -host myhost.mydomain -int -ca 1e12d831

  • If you are working on a machine other than the one that will use the certificate, i.e. a general purpose Globus machine such as the ones set up to generate user certificate requests:
    • create and go to a temporary directory to hold your host cert request files, e.g. mkdir /tmp/mynewhostcertrequest && cd /tmp/mynewhostcertrequest
    • Enter the command grid-cert-request -host myhost.mydomain -int -ca 1e12d831 -prefix APACGridHost -dir .

  • If you get an error saying "Cannot find a CA with hash 1e12d831", the machine is not set up for the APAC Grid. Install the latest "APACGrid Certificate Authority Bundle" (Instructions Here) so that the installed "grid-cert-request" can be used to apply for an "APAC Grid Certificate".
  • If your certificate request command is successful then you should be presented with an option to:
    • Select the default country of AU by pressing enter.
    • Select the default organisation of APACGrid by pressing enter.
    • Now enter your organisation which may already be correct if the CA Bundle was setup correctly. A list of valid organisations can be found at RaoList and must be entered 'exactly' as it is spelt there.
    • Enter the name of the machine you wish to generate a host certificate for, e.g. myhost.mydomain, again.

  • If you are not working on the machine that will ultimately use the certificate, use scp to copy the file and ensure permissions are preserved.
  • You now need to copy your hostcert_request.pem file to a machine where you have access to a web browser so it can be submitted to the certificate authority. Note that some of the instructions in the following steps (such as generating a p12 file and putting it in your browser) do not apply to host certificates. But if you have followed us to here, you don't need to be told that. The certificate and key need to end up in /etc/grid-security with the permissions that they were initially created with.
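
One way to confirm that the files kept the permissions they were created with across the scp step, as an added example that is not part of the original page or of the Globus tools. The function names are hypothetical, and the `*key.pem` naming of the private key file is an assumption.

```shell
#!/bin/sh
# Added example. Assumption: private key files are named *key.pem
# (e.g. hostkey.pem); adjust the pattern if yours differ.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# record_modes DIR: print "<mode> <name>" for each .pem file in DIR.
# Run this where grid-cert-request created the files, before copying.
record_modes() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(file_mode "$f")" "$(basename "$f")"
    done
}

# verify_modes MANIFEST DIR: return 0 only if every recorded file exists
# in DIR with its recorded mode and no key file is open to group/other.
verify_modes() {
    manifest=$1; dir=$2; rc=0
    while read -r mode name; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING $name" >&2; rc=1; continue
        fi
        now=$(file_mode "$f")
        if [ "$now" != "$mode" ]; then
            echo "CHANGED $name: was $mode, now $now" >&2; rc=1
        fi
        case $name in
            *key.pem)
                # Owner-only means the group and other digits are both 0.
                case $now in
                    *00|0) ;;
                    *) echo "EXPOSED $name: mode $now" >&2; rc=1 ;;
                esac ;;
        esac
    done < "$manifest"
    return "$rc"
}
```

Save the output of record_modes alongside the files, copy both to the destination machine, and run verify_modes there against /etc/grid-security before starting any service that uses the key.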

When you have generated a Certificate Request and moved it to your own computer, you can proceed to step 2, Submit a Certificate Request to the CA.

Topic revision: r7 - 16 Feb 2007 - 15:23:09 - DanielCox
 