guide:Certificates/server/DFN

From Dgiref


Grid Registration Authority

To apply for a DFN Grid server certificate you must contact the DFN Grid Registration Authority (Grid RA) responsible for your institution. The following Grid Registration Authorities of the core D-Grid partners accept server certificate requests:

Other DFN grid-RAs can be found here.

Certificate Signing Request

In general you first produce a so-called Certificate Signing Request (CSR) and then submit it to the DFN via a Web interface as part of the certificate application.

Under Unix/Linux the private key of the certificate and the request (CSR) can be generated with openssl. The minimum key length is 1024 bits; the recommended length is 2048 bits.

Alternatively, the request can be produced from the grid middleware (UNICORE, Globus, gLite, etc.).

In either case the following details must be supplied (entries in square brackets are optional); together they form the unique Subject name of the certificate.

  • C=DE
  • O=GridGermany
  • OU=(Institutes name)
  • [OU=(Organizational unit)]
  • CN=(fully qualified name of the server)
  • EMail=(Mail-address of administrators)
Note
  • upper and lower case matter
  • the character set that may be used is specified in the CPS (section 3.1.4); in particular umlauts and ß must not be used.
  • some applications cannot be prevented from adding further attributes to the subject (in particular L for Locality and ST for State). In such cases have the subject corrected by the CA registration body before the CSR is transferred.

openssl

The private key and the Certificate Signing Request (CSR) for a server are created with openssl, which prompts for the subject fields in the sequence shown below. To leave a field blank, enter a single period ('.') at the openssl prompt. The pass phrase you enter (PEM pass phrase) protects your private key and must not be lost. For a server CSR the Common Name must be the fully qualified name of the server, and the e-mail address must be that of the system administrator.

 (your prompt)% openssl req -newkey rsa:2048 -keyout (server_name)_private_key.pem \
                     -out (server_name)_CSR.pem
 Generating a 2048 bit RSA private key
 ...............................................................................+++
 .....................................+++
 writing new private key to '(server_name)_private_key.pem'
 Enter PEM pass phrase:********
 Verifying - Enter PEM pass phrase:********
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank. 
 -----
 Country Name (2 letter code) [AU]:DE
 State or Province Name (full name) [Some-State]:.
 Locality Name (eg, city) []:.
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:GridGermany
 Organizational Unit Name (eg, section) []:(Institute name)
 Common Name (eg, YOUR name) []:(fully qualified Name of Servers)
 Email Address []:(E-Mail-address of administrators)
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:.
 An optional company name []:.

Running the openssl command creates two files:

  • (server_name)_private_key.pem
contains the private key. This file is protected by the pass phrase entered above and must be kept safe. In particular, nobody but the administrator may have access to the private key.
  • (server_name)_CSR.pem
contains the Certificate Signing Request. Its content can be displayed for checking with the command
 openssl req -noout -text -in (server_name)_CSR.pem
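The subject rules from the notes above (C=DE and O=GridGermany exactly, OU and CN present, no L or ST attribute, no umlauts or ß) can be checked mechanically before the CSR is uploaded. The following script is an added example and not part of the original page or of the DFN tooling: it creates the key and CSR non-interactively with openssl's -subj option instead of answering the prompts, then reads the subject back out of the CSR and validates it. In openssl the e-mail attribute is called emailAddress; the values grid01.example.org, "Example Institute" and admin@example.org are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original DFN page): build a Grid server CSR with the
# required DN layout and check its subject before submission.

# Validate a subject in openssl's slash form, e.g.
#   /C=DE/O=GridGermany/OU=Example Institute/CN=grid01.example.org/emailAddress=admin@example.org
# Rules taken from the page: C=DE and O=GridGermany exactly (case matters),
# OU and CN present, no L or ST attribute, ASCII only (no umlauts or ß).
check_grid_subject() {
    local s="$1/" rc=0      # trailing slash so the last component also ends in "/"
    case "$s" in */C=DE/*) ;; *) echo "subject: C must be DE" >&2; rc=1 ;; esac
    case "$s" in */O=GridGermany/*) ;; *) echo "subject: O must be GridGermany" >&2; rc=1 ;; esac
    case "$s" in */OU=*) ;; *) echo "subject: OU (institute) missing" >&2; rc=1 ;; esac
    case "$s" in */CN=*) ;; *) echo "subject: CN (server FQDN) missing" >&2; rc=1 ;; esac
    case "$s" in */L=*|*/ST=*) echo "subject: L/ST attributes are not allowed" >&2; rc=1 ;; esac
    if printf '%s' "$s" | LC_ALL=C grep -q '[^ -~]'; then
        echo "subject: non-ASCII characters are not allowed" >&2; rc=1
    fi
    return $rc
}

# Generate the pass-phrase protected private key and the CSR in one step (openssl
# still prompts for the PEM pass phrase, as in the interactive session above), then
# re-read the subject from the CSR itself and check it again before printing the CSR.
make_grid_csr() {
    local server=$1 institute=$2 admin=$3
    local subj="/C=DE/O=GridGermany/OU=$institute/CN=$server/emailAddress=$admin"
    check_grid_subject "$subj" || return 1
    umask 077   # the key file is created readable by its owner only
    openssl req -newkey rsa:2048 -keyout "${server}_private_key.pem" \
        -out "${server}_CSR.pem" -subj "$subj" || return 1
    local csr_subj
    csr_subj=$(openssl req -noout -subject -nameopt compat -in "${server}_CSR.pem" | sed 's/^subject=//')
    check_grid_subject "$csr_subj" && openssl req -noout -text -in "${server}_CSR.pem"
}

# Usage (constructed placeholder values):
#   ./make_grid_csr.sh grid01.example.org "Example Institute" admin@example.org
if [ "$#" -eq 3 ]; then
    make_grid_csr "$@"
fi
```

The second check_grid_subject call matters because openssl applies its own normalisation to -subj input; validating what actually ended up in the CSR is what tells you whether the RA will accept it.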

Then, on the Web pages of your Grid Registration Authority (see above for the links to the core D-Grid partners' RAs), follow the link to the Web interface for Grid server certificates that DFN-CERT Services provides for your RA. DFN-CERT Services operates a separate Web interface for Grid server certificates for each Grid Registration Authority, which ensures that only Certificate Signing Requests with the correct Country Name, Organization Name and Organizational Unit Name are accepted.

After your Registration Authority has examined your data and your identity, the Certificate Signing Request is forwarded to DFN-CERT Services, where the certificate is issued. The content of the request can be checked with the command given above.

In this Web interface click Beantragen eines Zertifikats and then Zertifikatantrag für Server. Under PKCS#10 certificate application (PEM formatted file) supply the Certificate Signing Request (the file (server_name)_CSR.pem).

Important notes

It is important that you select the certificate profile LDAP server here. This certificate profile carries the X.509 extension Extended Key Usage with the attributes "TLS LDAP Authentication" and "TLS LDAP client authentication". Some Grid middleware components need this because they act as a server and as a client at the same time (e.g. the NJS of UNICORE).

Then you enter the names and e-mail address, accept the certification policy and agree to the publication of the certificate. You must also choose a PIN for authorization in the certification system. This PIN is required, for example, if you want to revoke your certificate. Make a note of the PIN. The PIN should be the password used to protect the private key!

Then print out and fill in the "Teilnehmererklärung" (participant declaration) and send it together with your ID card/passport to your Registration Authority.

If all conditions are met, your RA initiates the certification of your public key. You receive the certificate (the public key) within about one working day by e-mail as a file named like cert-(serial_number).pem

The content of the certificate can be viewed using the following openssl command:

 openssl x509 -noout -text -in cert-(serial_number).pem

The private key (server_name)_private_key.pem of your certificate is protected by a pass phrase (see above). For operating grid middleware on a server it can be useful to use a private key that is not pass-phrase protected, so that the pass phrase does not have to be entered again whenever the grid middleware services are restarted.

You can get an unprotected private key with the following command:

 cp -a (server_name)_private_key.pem (server_name)_private_key.pem.orig
 openssl rsa -in (server_name)_private_key.pem.orig -out (server_name)_private_key.pem

For the UNICORE NJS installation a keystore in PKCS#12 format is required, which stores the grid server certificate (public key) together with the private key of the grid server certificate.

You can generate the keystore from the host certificate public and private key using the following command:

 openssl pkcs12 -export -in cert-(serial_number).pem -inkey (server_name)_private_key.pem -out (server_name)_keystore.p12

Then choose a password to protect the new keystore; you will need it later in the configuration of the UNICORE NJS.
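Removing the pass phrase leaves the private key protected only by file permissions, and building the keystore is the last point at which a mix-up between certificate and key is cheap to catch. The script below is an added example, not part of the original page or of UNICORE: it wraps the three commands above (copy, openssl rsa, openssl pkcs12) with a permission check on the unencrypted key, a check that the certificate's RSA modulus matches the key's, and a final openssl pkcs12 -info to confirm the keystore opens. File names follow the page's naming scheme; "grid01.example.org" is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original DFN page): strip the pass phrase, lock the key
# file down, verify the certificate/key pair, then build and verify the PKCS#12 keystore.

# Returns 0 when the file exists and grants no permission bits to group or others
# (mode 0600 or stricter). Columns 5-10 of "ls -l" are the group and other bits.
key_file_is_private() {
    local key=$1 mode
    [ -f "$key" ] || return 1
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Returns 0 when the RSA modulus in the certificate equals the modulus of the private
# key, i.e. the certificate was issued for this key and not for some other one.
key_matches_cert() {
    local cert=$1 key=$2 cmod kmod
    cmod=$(openssl x509 -noout -modulus -in "$cert") || return 1
    kmod=$(openssl rsa -noout -modulus -in "$key") || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# build_keystore <server_name> <serial_number>
# Expects cert-<serial_number>.pem and <server_name>_private_key.pem in the current directory.
build_keystore() {
    local server=$1 serial=$2
    local key="${server}_private_key.pem" cert="cert-${serial}.pem"
    umask 077                       # every file created below is owner-only from the start
    cp -a "$key" "$key.orig" || return 1
    openssl rsa -in "$key.orig" -out "$key" || return 1   # prompts for the old pass phrase
    chmod 600 "$key" "$key.orig"
    key_file_is_private "$key" || { echo "$key is readable by group/others" >&2; return 1; }
    key_matches_cert "$cert" "$key" || { echo "$cert does not belong to $key" >&2; return 1; }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "${server}_keystore.p12" || return 1
    chmod 600 "${server}_keystore.p12"
    # list the keystore (prompts for the keystore password) to confirm it can be opened
    openssl pkcs12 -info -noout -in "${server}_keystore.p12"
}

# Usage (constructed placeholder values):
#   ./build_keystore.sh grid01.example.org 1234
if [ "$#" -eq 2 ]; then
    build_keystore "$@"
fi
```

The umask is set inside the function on purpose: the unencrypted key, its .orig copy and the .p12 file should never exist even briefly with default permissions, and the explicit chmod afterwards only narrows what cp -a may have preserved from the original.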
