This information helps You get access to BalticGrid resources. BalticGrid certificates do not automatically grant access to any computing resources: Your permissions on a remote system are granted by the system owners. Certificates allow remote users and hosts to be identified.
Why do I need a certificate?
If You are not familiar with certificates, please see the X.509 and SSL descriptions.
Requesting a User Certificate
- You need a user account on a secure Linux or *NIX machine with OpenSSL. Log in to the machine.
- Make sure you do not have a .globus directory. If you already have one, move all its contents to a different directory before you start generating a new certificate request.
If you do not have a .globus directory, make a new directory for the certificate:
mkdir ~/.globus
Go to the directory:
cd ~/.globus
- Download OpenSSL configuration for Baltic Grid user certificate requests:
wget http://ca.balticgrid.org/BalticGridCA-user.cnf
- Generate your certificate request.
openssl req -new -config BalticGridCA-user.cnf -out usercert_request.pem -sha1
* Choose a strong password;
* Do not change either of the two "Domain Component" values; just press <ENTER>;
* Enter your institution's domain (for example eenet.ee), or the subdomain if one exists (for example hep.kbfi.ee);
* Enter your name, but use only letters that exist in the PrintableString character set; letters with diacritical marks are not allowed (RFC 2218). Replace such letters according to the letter conversion table;
* You should get two files: usercert_request.pem (the CSR, Certificate Signing Request) and userkey.pem (the private key).
- Check Subject of certificate request:
openssl req -in usercert_request.pem -noout -text
The subject of the certificate request should look like this (with Your own values in place of domain.zz and Name Surname):
Subject: DC=org, DC=balticgrid, OU=domain.zz, CN=Name Surname
IMPORTANT: keep userkey.pem secret:
chmod 400 userkey.pem
If You suspect Your key has been compromised, please contact the CA or Your RA.
- Contact a Baltic Grid Registration Authority (RA); choose the RA nearest to Your location. Send the following information to the RA by e-mail:
- Your full name (as on Your ID document)
- Certificate request file (usercert_request.pem)
- Occupation at Your institution
- Phone (work)
- Phone (mobile)
- Fax
If everything is correct, arrange a face-to-face meeting with the RA. The following documents are required:
- ID proof (passport, driver's license or equivalent)
- photocopy of the ID proof
- proof of affiliation with Your institution
- photocopy of the affiliation proof
- printed copy of usercert_request.pem
- If you have an Estonian ID card, you can sign your usercert_request.pem yourself and send the file and your contact information directly to the CA: ca@ca.balticgrid.org.
- The Registration Authority will check your ID and forward your request to the Baltic Grid CA.
In approximately 3 working days You will get a signed certificate. Copy it to ~/.globus/usercert.pem on the machine where You generated the certificate request.
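As an added example (not part of the BalticGrid CA instructions, and not the CA's own configuration file), the following POSIX shell script performs the user request procedure above non-interactively and then runs the checks the procedure asks for: the subject has the DC=org, DC=balticgrid, OU=<domain>, CN=<name> shape, the private key is passphrase-encrypted, and the key file is readable only by its owner. The request configuration it writes is a constructed stand-in for BalticGridCA-user.cnf, the domain example.zz and the name are constructed values, and it signs with -sha256 rather than the page's -sha1 because current OpenSSL builds may refuse SHA-1 signatures.

```shell
#!/bin/sh
# Added example (not BalticGrid CA material). Generates a user request the way
# the procedure above does, then checks subject shape, key encryption and key
# file permissions. request.cnf below is a constructed stand-in for
# BalticGridCA-user.cnf; -sha256 replaces the page's -sha1 because current
# OpenSSL builds may refuse to sign with SHA-1.
set -u

# write_request_config FILE DOMAIN NAME: non-interactive request configuration
# producing the subject DC=org, DC=balticgrid, OU=<domain>, CN=<name>.
# string_mask=nombstr keeps the name as PrintableString, as the CA requires.
write_request_config() {
  cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_keyfile    = userkey.pem
distinguished_name = req_dn
prompt             = no
string_mask        = nombstr

[ req_dn ]
0.DC = org
1.DC = balticgrid
OU   = $2
CN   = $3
EOF
}

# gen_request DIR DOMAIN NAME PASSPHRASE: writes usercert_request.pem and a
# passphrase-encrypted userkey.pem into DIR, then locks the key to mode 400.
gen_request() {
  write_request_config "$1/request.cnf" "$2" "$3"
  ( cd "$1" && openssl req -new -config request.cnf -sha256 \
      -out usercert_request.pem -passout "pass:$4" 2>/dev/null ) || return 1
  chmod 400 "$1/userkey.pem"
}

# csr_subject CSR: the request subject in RFC 2253 form (CN first, DCs last);
# this form is stable across OpenSSL versions, so it is safe to compare.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_subject CSR DOMAIN NAME: 0 only if the subject is exactly the
# BalticGrid shape for that domain and name.
check_subject() {
  [ "$(csr_subject "$1")" = "CN=$3,OU=$2,DC=balticgrid,DC=org" ]
}

# check_key_protected KEYFILE: 0 if the key is encrypted (the PEM header says
# so) and readable only by its owner, i.e. what "chmod 400 userkey.pem" gives.
check_key_protected() {
  grep -q 'ENCRYPTED' "$1" || return 1
  [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Demonstration with constructed values in a throwaway directory.
work=$(mktemp -d)
if gen_request "$work" example.zz "Name Surname" "choose-a-strong-passphrase" \
   && check_subject "$work/usercert_request.pem" example.zz "Name Surname" \
   && check_key_protected "$work/userkey.pem"; then
  echo "request OK: $(csr_subject "$work/usercert_request.pem")"
else
  echo "request failed a check" >&2
fi
rm -rf "$work"
```

For a host request generated with -nodes the encryption check inverts: hostkey.pem must not carry an ENCRYPTED header, while the mode 400 check and the subject check (with CN=host/<fqdn>) apply unchanged.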
Requesting a Host (Server) Certificate
You will need a host certificate if You intend to make Your computing resources available on BalticGrid.
The procedure is similar to requesting a user certificate. The differences are:
- log in as root on the host
- create a new directory for the certificates
- Download OpenSSL configuration for Baltic Grid host certificate requests
wget http://ca.balticgrid.org/BalticGridCA-host.cnf
- Command to create hostcert_request.pem and hostkey.pem (note the -nodes parameter: it tells OpenSSL not to protect hostkey.pem with a password):
openssl req -new -config BalticGridCA-host.cnf -out hostcert_request.pem \
-sha1 -nodes
- Restrict access to the private key:
chmod 400 hostkey.pem
Certificate subject should look like this:
Subject: DC=org, DC=balticgrid, OU=domain.lt, CN=host/hostname.domain.lt
- Instead of meeting the RA face-to-face, You can send an e-mail to the RA or CA signed with Your valid personal BalticGrid certificate.
No photocopies of the documents are required.
IMPORTANT: in most cases You need an unencrypted hostkey.pem for the grid middleware. Set appropriate permissions on hostkey.pem to prevent unauthorized access. If You notice that Your hostkey.pem is encrypted, see the Hints section for how to decrypt keys.
Renewing User/Host Certificate
- You need a user account on a secure Linux or *NIX machine with OpenSSL. Log in to the machine.
- Create a new directory for the new certificate request:
cd
mkdir newcert
cd newcert
- Download the OpenSSL configuration for Baltic Grid user or host certificate requests.
User certificate request configuration:
wget http://ca.balticgrid.org/BalticGridCA-user.cnf
Host certificate request configuration:
wget http://ca.balticgrid.org/BalticGridCA-host.cnf
- Generate a new certificate request with the same subject as the current certificate.
User certificate request generation with OpenSSL:
openssl req -new -config BalticGridCA-user.cnf -out usercert_request.pem -sha1
Host certificate request generation with OpenSSL:
openssl req -new -config BalticGridCA-host.cnf -out hostcert_request.pem \
-sha1 -nodes
- Check Subject of certificate request:
openssl req -in usercert_request.pem -noout -text
The subject of the certificate request should look like this (with Your own values in place of domain.zz and Name Surname):
Subject: DC=org, DC=balticgrid, OU=domain.zz, CN=Name Surname
IMPORTANT: keep userkey.pem (or hostkey.pem) secret:
chmod 400 userkey.pem
If You suspect Your key has been compromised, please contact the CA or Your RA.
- Sign your new request with your current user certificate:
cd
openssl smime -sign -in newcert/usercert_request.pem -out \
newcert/usercert_request.smime -signer .globus/usercert.pem \
-inkey .globus/userkey.pem
- Send the file ~/newcert/usercert_request.smime to the Baltic Grid CA at ca@ca.balticgrid.org
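The renewal round trip, as an added example that is not BalticGrid CA code: it builds a throwaway CA and a user certificate issued by it (standing in for the real CA and the existing ~/.globus pair), creates a new request, signs it with the page's openssl smime command, and then performs what the CA side can do on receipt: verify the S/MIME signature against the CA certificate, extract the request, and require that the request subject equals the subject of the certificate that signed it, which is the "same subject" rule of the renewal step. The CA, the domain example.zz, the names, and the use of -nodes (so the script runs unattended) are all constructed; real user keys stay passphrase-protected as the page requires.

```shell
#!/bin/sh
# Added example (not BalticGrid CA material): renewal flow on a throwaway CA,
# ending with the check the CA can run on a received S/MIME-signed request.
# Constructed: the CA, the domain example.zz, the names, and -nodes keys.
set -u

SUBJECT="/DC=org/DC=balticgrid/OU=example.zz/CN=Name Surname"

# make_test_pki DIR: self-signed test CA plus a user certificate it issued,
# standing in for the real CA and the user's existing ~/.globus pair.
make_test_pki() {
  mkdir -p "$1/.globus" "$1/newcert"
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
CN = Test CA (constructed)
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null || return 1
  openssl req -new -config "$1/ca.cnf" -subj "$SUBJECT" -newkey rsa:2048 -nodes \
    -sha256 -keyout "$1/.globus/userkey.pem" -out "$1/first.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/first.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 1 -sha256 -out "$1/.globus/usercert.pem" 2>/dev/null || return 1
  chmod 400 "$1/.globus/userkey.pem"
}

# new_request DIR NAME: fresh key and request in DIR/newcert, as the renewal
# step does (here via -subj instead of the CA's configuration file).
new_request() {
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/DC=org/DC=balticgrid/OU=example.zz/CN=$2" \
    -keyout "$1/newcert/userkey.pem" -out "$1/newcert/usercert_request.pem" 2>/dev/null
}

# sign_request DIR: the page's signing command, run from DIR instead of $HOME.
sign_request() {
  ( cd "$1" && openssl smime -sign -in newcert/usercert_request.pem \
      -out newcert/usercert_request.smime -signer .globus/usercert.pem \
      -inkey .globus/userkey.pem )
}

# ca_verify DIR: what the CA does on receipt: check that the signature chains
# to the CA, extract the request, and require the request subject to equal the
# signer certificate subject (a renewal must keep the same subject).
ca_verify() {
  openssl smime -verify -in "$1/newcert/usercert_request.smime" -CAfile "$1/cacert.pem" \
    -signer "$1/signer.pem" -out "$1/newcert/verified_request.pem" 2>/dev/null || return 1
  signer=$(openssl x509 -in "$1/signer.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  request=$(openssl req -in "$1/newcert/verified_request.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$signer" = "$request" ]
}

# renewal_demo DIR NAME: whole flow; 0 only if the CA-side check passes.
renewal_demo() {
  make_test_pki "$1" && new_request "$1" "$2" && sign_request "$1" && ca_verify "$1"
}

work=$(mktemp -d)
if renewal_demo "$work" "Name Surname"; then
  echo "renewal request accepted: same subject as the signing certificate"
fi
# A request for a different name, signed with the same certificate, is rejected.
if new_request "$work" "Other Person" && sign_request "$work" && ! ca_verify "$work"; then
  echo "mismatched request rejected"
fi
rm -rf "$work"
```

The signature check alone only proves that someone holding the old key sent the file; the subject comparison is what ties the new request to the identity the CA already vetted, so both checks belong together.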
Hints
To show a certificate request in plain text:
openssl req -in usercert_request.pem -noout -text
To show a certificate in plain text:
openssl x509 -in $HOME/.globus/usercert.pem -noout -text
To convert a certificate from PEM to PKCS#12 format (if You wish to import it into Your web browser):
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out $HOME/certificate.p12
To decrypt a private key file (this step may be required for host keys, because usually there is no one to enter the password when the services that use host keys start):
openssl rsa -in key.pem -out key-decrypted.pem
To encrypt a private key or to change its password (-des selects legacy single DES; current OpenSSL releases also accept -des3 or -aes256, which are stronger):
openssl rsa -des -in key.pem -out key-encrypted.pem
To sign your new request with your current user certificate:
openssl smime -sign -in newcert/usercert_request.pem -out \
newcert/usercert_request.smime -signer .globus/usercert.pem \
-inkey .globus/userkey.pem
More Information
If You have questions or comments related to information presented on this page please feel free to contact ca@ca.balticgrid.org.