CyGrid - How to request a certificate
From EGEE-see Wiki
What is a Digital Certificate?
A digital certificate is your electronic identity on the Grid. It is used in every authentication and authorization step, and the key pair behind it is what sets up the protected connections that keep your data confidential and intact while it travels over the network during Grid work. Digital certificates are issued by accredited Certification Authorities (CAs); each participating country runs its own CA.
Important! The digital certificate is strictly personal. Never share your certificate, your private key, or the passphrase that protects the key. A colleague or another member of your research team who needs Grid access must apply for his/her own certificate. Sharing is a violation of the policies under which your certificate was issued and may lead the issuing CA to revoke it, which in practice means you are locked out of the EGEE infrastructure until a new certificate is issued to you.
Private key generation
The Cyprus Grid Certification Authority (CyGridCA) is the top-level certification authority for Grids in Cyprus. It issues X.509 certificates for identification and authentication purposes related to Grid activities in Cyprus. The CyGridCA was established within the EU project CrossGrid and was later extended to cover the EU project EGEE. To obtain a certificate, the requester must be involved in CyGrid activities.
Generate your private key file with the following openssl command on any Linux box:
openssl genrsa -des3 -out <username>.key 1024
You will be asked for a password (PEM pass phrase) that encrypts the private key on disk. Choose a strong one, at least 15 characters long, mixing digits, lower- and upper-case letters and special characters. It can be a phrase you remember easily, but it must be practically impossible for someone else to guess, even someone who knows you well. If you forget it, the key is unusable and you will have to request a new certificate.
Note that the 1024-bit key size and 3DES encryption shown above were the settings in force when this page was written and are no longer considered adequate; current CA policies require RSA keys of at least 2048 bits. Unless the CA tells you otherwise, replace 1024 with 2048 in the command and -des3 with -aes256. The key file never leaves your machine (only the request file generated in the next step does), so keep it readable by your own account only (chmod 600 <username>.key).
Certification Request Generation
With the private key in place, you can create a certification request file, from which the CyGrid Certification Authority issues your credentials for Grid access.
First, download the file ra-hpcl.cnf (right-click on the link and choose 'save as') and place it in the same directory as your private key file. In that directory, run the following command, which will prompt for the key's passphrase:
openssl req -new -key <username>.key -out <username>.csr -config ra-hpcl.cnf
The resulting <username>.csr contains your public key and identity and is signed with your private key; it is the only file you hand over in the next step.
Registration
Next, bring the certification request file on a floppy, CD-ROM or USB stick, together with the completed application form and an identity document (see the checklist below), to HPCL (University Campus, building FST-01, office 217) to initiate the registration process. Checklist for registration:
1. The completed and signed application form.
2. The certification request file (on floppy/CD-ROM/USB stick).
3. Your Cypriot identification card, or passport (for non-Cypriot civilians), or Cypriot driver's license.
4. A photocopy (both sides) of the ID card, passport, or Cypriot driver's license.
5. Two passport-type photos (optional).
The registration then proceeds as follows:
1. The RA manager validates the documents and e-mails the certification request file to the Certification Authority (CyGridCA). The e-mail must be signed with a digital certificate that the CA recognizes.
2. The RA also sends a copy of the signed user application form, one of the passport photos, and the photocopies of the ID/passport by registered mail, or delivers them in person.
3. The CA manager verifies the signature on the RA's e-mail and generates the user certificate according to the Certification Policy Statement in force.
4. The CA manager sends the generated certificate to the RA in a signed e-mail, whose signature the RA verifies in turn.
5. The RA creates an account on the User Interface (UI) following the instructions for new user account setup, installs the user's digital certificate in it, and informs the user that the account is ready.
Note that the private key is never part of this exchange: it stays under the user's own control, and protecting it is the user's responsibility.
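The following script is a worked example added to this page; it is not CyGridCA or EGEE code. It carries the key and request generation steps above through with the checks a user should make before handing the .csr to the RA, and adds the check to run on the certificate that is installed in the UI account at the end of the registration: that the request, and later the certificate, carry the public half of the user's own key. The config contents, the DN values, the user name jdoe and the demo passphrase are assumed stand-ins (the real request config is the ra-hpcl.cnf that the RA provides). It uses a 2048-bit key encrypted with AES-256 rather than the page's 1024-bit/3DES settings, and passes the passphrase through -passout/-passin only so that it can run unattended; when working interactively, leave those options out and type the passphrase at the prompt.

```shell
#!/bin/sh
# Added worked example, not code from the CyGridCA/EGEE page. Generates a
# passphrase-protected RSA key and a CSR as the page describes, then checks
# the request before it goes to the RA and the certificate that comes back.
# Assumptions: the config contents, the DN values, the user name "jdoe" and
# the demo passphrase are stand-ins; the real config is the RA's ra-hpcl.cnf.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal request config standing in for ra-hpcl.cnf (assumed contents).
# prompt = no takes the subject from the file instead of asking interactively.
write_config() { # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
C  = CY
O  = CyGrid
OU = HPCL
CN = Jane Doe
EOF
}

# Private key: 2048-bit RSA encrypted with AES-256 under the passphrase
# (the page's 1024-bit/3DES settings are obsolete). The passphrase is given
# on the command line only so the demo runs unattended; interactively, drop
# -passout and type it at the prompt. The key file is made owner-readable only.
make_key() { # $1 = username, $2 = passphrase
  openssl genrsa -aes256 -passout "pass:$2" -out "$WORKDIR/$1.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/$1.key"
}

# Certification request signed with the private key; the subject comes from the config.
make_csr() { # $1 = username, $2 = passphrase, $3 = config file
  openssl req -new -key "$WORKDIR/$1.key" -passin "pass:$2" \
    -out "$WORKDIR/$1.csr" -config "$3"
}

# Modulus size of the private key in bits (parsed from openssl's text dump).
key_bits() { # $1 = username, $2 = passphrase
  openssl rsa -in "$WORKDIR/$1.key" -passin "pass:$2" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Verify the CSR's self-signature and print its subject; exits non-zero if the
# signature is bad, i.e. the file was corrupted or tampered with on the way.
csr_subject() { # $1 = username
  openssl req -in "$WORKDIR/$1.csr" -noout -verify -subject 2>/dev/null
}

# SHA-256 fingerprint of the public key inside a private key, a CSR or a
# certificate, so the three artefacts can be matched to each other.
pubkey_fp() { # $1 = key|req|x509, $2 = file, $3 = passphrase (key only)
  case "$1" in
    key)  openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null ;;
    req)  openssl req  -in "$2" -pubkey -noout ;;
    x509) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | sed 's/^.*= *//'
}

# The CSR must carry the public half of *your* key ...
csr_matches_key() { # $1 = username, $2 = passphrase
  [ "$(pubkey_fp key "$WORKDIR/$1.key" "$2")" = "$(pubkey_fp req "$WORKDIR/$1.csr")" ]
}

# ... and so must the certificate the RA installs for you at the end.
cert_matches_key() { # $1 = username, $2 = passphrase, $3 = certificate file
  [ "$(pubkey_fp key "$WORKDIR/$1.key" "$2")" = "$(pubkey_fp x509 "$3")" ]
}

# Stand-alone run with demo values (override with GRID_USER / GRID_PASS).
demo() {
  user="${GRID_USER:-jdoe}"
  pass="${GRID_PASS:-Demo-Pass.phrase-2024x}"   # demo only: never hard-code a real one
  cfg="$WORKDIR/ra-example.cnf"
  write_config "$cfg"
  make_key "$user" "$pass"
  make_csr "$user" "$pass" "$cfg"
  echo "key size: $(key_bits "$user" "$pass") bits"
  csr_subject "$user"
  csr_matches_key "$user" "$pass" && echo "CSR public key matches $user.key"
  echo "keep $WORKDIR/$user.key private; hand only $WORKDIR/$user.csr to the RA"
}

if [ "${RUN_DEMO:-1}" = 1 ]; then demo; fi
```

Only the .csr leaves your machine. Comparing the public-key fingerprints is the quickest way to confirm that the certificate the RA installs in your UI account was issued for your key and not for a request that got mixed up with someone else's; a certificate whose fingerprint differs from your key's will never authenticate, whatever the subject says.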
