How to request a Host Certificate
There are many ways to request a host certificate. I recommend using the GRIX tool below (note: this is different from the grix GUI you know and love).
If you can't use that (no Java, etc.), then use the openssl method.
As a last resort use the globus way, but it comes with a lot more pain. YOU HAVE BEEN WARNED
GRIX
There is a command line version of grix available at
http://staff.vpac.org/~markus/grix2/
Using OpenSSL from the Command Line
1. openssl req -new -nodes -keyout hostkey.pem -out cert_request.pem
2. Answer the questions
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:APACGrid
Organizational Unit Name (eg, section) []:VPAC
Common Name (eg, YOUR name) []:nggums.vpac.org
Email Address []:grid-admin@vpac.org
NOTE:
- State and Locality should be blank
- C has to be AU or NZ
- O has to be APACGrid or BeSTGRID
- OU should be the name of the MARCS, University etc.
- CN should be the FQDN
3. Submit Host Certificate Request
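A non-interactive version of steps 1 and 2, added here as an example (it is not part of the original page): it passes the same answers with -subj, refuses a DN that breaks the rules in the NOTE, and creates the unencrypted key that -nodes produces with owner-only permissions. The function names, the 2048-bit RSA key size and the optional e-mail argument are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): steps 1-2 without the prompts.
# Usage: make_host_csr FQDN OU [O] [C] [EMAIL]
# Writes hostkey.pem and cert_request.pem in the current directory.

make_host_csr() {
    fqdn=$1; ou=$2; o=${3:-APACGrid}; c=${4:-AU}; email=${5:-}

    # DN rules from the NOTE above; State and Locality are never set.
    case $c in AU|NZ) ;; *) echo "C has to be AU or NZ" >&2; return 1 ;; esac
    case $o in APACGrid|BeSTGRID) ;;
        *) echo "O has to be APACGrid or BeSTGRID" >&2; return 1 ;; esac
    case $fqdn in ?*.?*) ;; *) echo "CN should be the FQDN" >&2; return 1 ;; esac
    [ -n "$ou" ] || { echo "OU should be the institution name" >&2; return 1; }

    subj="/C=$c/O=$o/OU=$ou/CN=$fqdn"
    [ -z "$email" ] || subj="$subj/emailAddress=$email"

    # -nodes stores the private key unencrypted, so create both files
    # with owner-only permissions. rsa:2048 is an assumed key size.
    ( umask 077
      openssl req -new -nodes -newkey rsa:2048 -subj "$subj" \
          -keyout hostkey.pem -out cert_request.pem 2>/dev/null ) || return 1

    # Confirm the request's self-signature before submitting it.
    openssl req -in cert_request.pem -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the subject that the CA will see.
csr_subject() {
    openssl req -in "${1:-cert_request.pem}" -noout -subject
}

# Example: make_host_csr nggums.vpac.org VPAC APACGrid AU grid-admin@vpac.org
```

Only cert_request.pem is submitted; hostkey.pem stays on the host.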
Globus
- Set up the CA Bundle if the host hasn't got it configured - Hopefully you won't need to do this
- grid-cert-request -int -dir . -host dummy.fqdn -ca 1e12d831 -prefix FQDN
- interactive mode will ask for the host name so dummy.fqdn does not need to be changed
- for more explanation of the command line run grid-cert-request -h
- The script will output 3 files: FQDNcert.pem FQDNcert_request.pem FQDNkey.pem
- existing files will not be clobbered
- the prefix can be changed using the -prefix option
- check the request details with:
openssl req -text -noout -in FQDNcert_request.pem
- Submit the FQDNcert_request.pem to the OpenCA web interface for approval.
- Globus will explain how to send an email, but please DON'T - use the above link instead
-- SamMorrison - 17 Mar 2008
Topic revision: r9 - 22 Feb 2010 - 11:09:20 - SamMorrison