Getting a Host Certificate from the DOEgrids CA
This short tutorial covers the process of requesting and installing a host certificate from the DOEgrids CA.
If you are installing a server that will be providing some sort of
authenticated services, a user certificate will not be enough.
The server itself will need what is known as a host certificate.
The host certificate can be generated from simple OSG tools. First, set up the OSG environment:
source /path/to/OSG/setup.sh
Then, use grid-cert-request to generate a certificate request.
grid-cert-request -host $HOSTNAME -dir $HOME/certificates
By default, this should use the DOEgrids CA. Replace $HOSTNAME with an appropriate hostname if you are not logged into the computer that will be using the certificate. The certificate request will be generated, resulting in three files:
- hostcert.pem. Should be empty right now.
- hostcert_request.pem. You will send this to the DOEgrids CA.
- hostkey.pem. Your private key. DO NOT LOSE THIS. Please let the GPN security contact know if you believe your private key has been compromised.
Look in the certificate request file, and copy the part between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines. Navigate to https://pki1.doegrids.org. Click on the "Grid or SSL Server" link on the right hand side. You will need to paste the certificate request in the correct box. Make sure that the Affiliation is OSG and the VO Name is GPN (or CMS, for CMS users, or whatever your appropriate VO may be).
You will need to send an email to Brian Bockelman encrypted with your DOEgrids user certificate confirming your request number.
Once your certificate is approved, you will be able to use the CA website to download your new server certificate. This is done in a similar manner to retrieving a user certificate. Copy and paste the contents of your new certificate into the empty certificate file, hostcert.pem, on your server.
To install your host certificate, simply copy the files hostcert.pem and hostkey.pem into /etc/grid-security. Globus is restrictive about permissions on the certificates. I usually do the following:
chown root:root /etc/grid-security/host*
chmod go-rw /etc/grid-security/hostkey.pem
chmod go-w /etc/grid-security/hostcert.pem
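A post-install check for the steps above, as an added example that is not part of the original tutorial: it confirms the ownership and permission bits the chown/chmod lines set, and that the certificate pasted into hostcert.pem belongs to hostkey.pem. The function names are hypothetical; the openssl CLI and an unencrypted host key are assumed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an installed host credential.
# Assumes hostcert.pem and hostkey.pem sit in one directory, as in the tutorial.

# mode_and_uid FILE: print "<mode string> <owner uid>" taken from `ls -ldn`.
mode_and_uid() {
    out=$(ls -ldn "$1" 2>/dev/null) || return 1
    set -- $out
    echo "$1 $3"
}

# check_perms DIR [UID]: non-zero if a file is missing, is not owned by UID
# (default 0, root), if the key is group/other readable or writable, or if the
# certificate is group/other writable. These are the bits the chmod lines clear.
check_perms() {
    dir=$1 want_uid=${2:-0} rc=0
    for name in hostkey.pem hostcert.pem; do
        info=$(mode_and_uid "$dir/$name") || { echo "MISSING $name"; rc=1; continue; }
        mode=${info% *} uid=${info#* }
        [ "$uid" = "$want_uid" ] || { echo "OWNER $name uid=$uid"; rc=1; }
        case $name in
            hostkey.pem)  ok='????--?--?*' ;;  # group and other: no r, no w
            hostcert.pem) ok='?????-??-?*' ;;  # group and other: no w
        esac
        case $mode in
            $ok) ;;
            *) echo "PERMS $name $mode"; rc=1 ;;
        esac
    done
    return $rc
}

# key_matches_cert DIR: succeed only when hostkey.pem is the private key for
# hostcert.pem, by comparing the public key derived from each file. Returns 2
# when either file cannot be parsed (for example a still-empty hostcert.pem).
# Assumes the openssl CLI and an unencrypted host key.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1/hostcert.pem" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$1/hostkey.pem" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}
```

Run as root after installing: `check_perms /etc/grid-security && key_matches_cert /etc/grid-security`.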