-- DavidBannon - 20 Jan 2006
How To Request a Certificate
Migrated to new twiki 4/12/2007, DRB
Introduction: A word from the Certificate Authority Manager
The APAC-GRID Certificate Authority is a carefully managed and highly secured system. While your Public Certificate is supposed to be publicly available to anyone, it's very important that you keep your Private Key file safe and secure. A large part of the security of Public Key Infrastructure relies on knowing what can and can't be trusted, so if you think your private key has been lost, stolen or copied by anyone else, you need to inform us quickly, so that we can revoke your old certificate and grant you a new one. Any time that someone else has your private key, they have complete access to your account on the grid. Email camanager@vpac.org if you believe your private key may have been compromised.
Overview
A certificate request is a small file that contains a collection of parameters and an encoded block of data that is derived from your private key. It's usual (but not necessary) for grid users to generate a new private key when creating a new certificate request. It's important that the new private key be kept safely after it's generated. Similarly, it's important that the pass phrase you associate with your private key be kept safe. The whole security system is at risk if you allow anyone else access to these two items.
On the other hand, your certificate request and the certificate itself can be provided to others. Only you can use them, because only you know the pass phrase necessary to 'unlock' the private key that goes with them.
Generate a personal certificate request
All these methods have security implications. Please make sure you understand them; if not, please ask!
There are a number of methods that you can use to generate your certificate request. The one you use is your choice but will probably be determined by the facilities available to you.
- Generate the request on a Globus equipped machine: If you have a logon account on an APAC Partner machine, it's likely that a machine is available to you that has Globus installed and is set up to make the request generation easy. Follow these instructions. This method has the disadvantage that the necessary files are generated on a remote machine and you will need to move them back to your desktop.
- Generate the request on a machine with openssl installed: Just a little harder, suits anyone who uses Linux (or another Unix) on their desktop. The same approach is probably suited to a Windows box that already has openssl installed. You need to download a specifically modified openssl.cnf file and run a specific command; it's all documented here.
- Grab all the necessary files in a bundle suited for use with Windows: This method will suit Windows users. It involves downloading a couple of files onto your Windows box, one of which is an executable that must be, well, executed or 'run'. Follow these instructions.
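The following is an added example, not part of the original APAC-GRID instructions and not using the CA's modified openssl.cnf. It creates a pass-phrase-protected private key and a certificate request with plain openssl, then checks the properties the Overview describes: the key is encrypted and private, while the request carries only the matching public key. The subject name and the file names userkey.pem and usercert_request.pem are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create a pass-phrase-protected key and a certificate
# request, then check what each file does and does not contain.
# SUBJECT is a constructed placeholder, not the APAC-GRID naming scheme.
SUBJECT="/C=AU/O=Example Org/CN=Example User"

# make_request DIR PASSFILE
# PASSFILE holds the pass phrase on its first line (used here so the
# example runs unattended; interactively, omit -passout/-passin and
# openssl will prompt instead).
make_request() {
    dir=$1; passfile=$2
    (
        umask 077                      # key file is never world-readable
        openssl genrsa -aes256 -passout "file:$passfile" \
            -out "$dir/userkey.pem" 2048 2>/dev/null
    ) || return 1
    chmod 600 "$dir/userkey.pem"
    openssl req -new -key "$dir/userkey.pem" -passin "file:$passfile" \
        -subj "$SUBJECT" -out "$dir/usercert_request.pem" 2>/dev/null
}

# check_request DIR PASSFILE: returns 0 only if every check passes.
check_request() {
    key=$1/userkey.pem; req=$1/usercert_request.pem; passfile=$2
    # 1. Private key is stored encrypted and readable only by its owner.
    grep -q ENCRYPTED "$key" || return 1
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 1
    # 2. The request carries no private key material.
    grep -q "PRIVATE KEY" "$req" && return 1
    # 3. The request's self-signature verifies...
    openssl req -in "$req" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 4. ...and its public key is the one belonging to this private key.
    req_pub=$(openssl req -in "$req" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -passin "file:$passfile" -pubout) || return 1
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ]
}
```

Run check_request again after moving the files from a remote machine to your own computer, to confirm the key arrived encrypted, with owner-only permissions, and still matches the request.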
Generate a host certificate request
When you have generated a Certificate Request and, if necessary, moved it and the private key to your own computer, you can proceed to step 2, Submit a Certificate Request to the CA.
Topic revision: r11 - 04 Dec 2007 - 09:08:29 - DavidBannon