Getting a Host Certificate from the UNL CA
This short tutorial covers the process of requesting and installing a host certificate from the UNL CA. This page is OBSOLETE.
This page is obsolete. Please do not use it.
Please use this link instead.
If you are installing a server that will be providing some sort of authenticated services, a user certificate will not be enough. The server itself will need what is known as a host certificate.
The host certificate can be generated from simple OSG tools, but some changes must be made in order to request one from the UNL Certificate Authority. First, download the tarball that contains our CA's public certificates and unpack it in your home directory:
wget http://t2.unl.edu/cms/grid_user/UNL-CA-bundle.tgz
tar zxf UNL-CA-bundle.tgz
Next, you must copy the contents of the tarball into your trusted CA directory. You will need to be root in order to do this. For current versions of the OSG stack, this is:
cp UNL-CA-bundle/* $VDT_LOCATION/globus/TRUSTED_CA
cp UNL-CA-bundle/* /etc/grid-security/certificates
The second command may have an error if /etc/grid-security/certificates does not exist or is symlinked. Ignore it.
Now, you need to request the certificate:
grid-cert-request -host $HOSTNAME -ca 808d3de6
Replace $HOSTNAME with an appropriate hostname if you are not logged into the computer that will be using the certificate. The command generates the certificate request and leaves you with three files: the private key, an empty certificate file, and the certificate request.
Look in the certificate request file, and copy the part between and including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines. Paste it into a new text file on your local computer. Open up a browser window, and navigate to https://ca.unl.edu/gpn. As when you requested the user certificate, click on the "User" tab, then the "Request a Certificate" tab. This time, however, use the "Server Request" option. Fill out your information, upload the file you just created on your local computer, and make sure you select the "Web Server" role. Hit "Ok", and inform the CA operator that you have a certificate to approve (for now, just email Brian Bockelman).
Once your certificate is approved, you will be able to use the CA website to download your new server certificate. This is done in a similar manner to retrieving a user certificate. Copy/Paste the contents of your new certificate into the empty certificate file on your server (usually called hostcert.pem).
If you have both a valid key (hostkey.pem) and certificate (hostcert.pem), then you are ready to finish setting up and installing the OSG.
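The "valid key and certificate" condition above can be checked before continuing. The following is an added example, not part of the original tutorial or of the OSG tools; the function name check_host_pair and the file names passed to it are assumptions, and it relies only on the standard openssl and stat commands.

```shell
#!/bin/sh
# Added example: consistency checks for a host key / certificate pair.
# check_host_pair is a hypothetical helper, not an OSG or Globus command.
#
# Usage: check_host_pair hostkey.pem hostcert.pem [hostname]
# Returns 0 when the pair is usable, otherwise a distinct non-zero code
# with the reason on stderr.
check_host_pair() {
    key=$1
    cert=$2
    host=${3:-}

    [ -r "$key" ] || { echo "cannot read private key: $key" >&2; return 1; }

    # grid-cert-request leaves hostcert.pem empty until the signed
    # certificate is pasted in; catch the forgotten paste early.
    [ -s "$cert" ] || { echo "certificate file is empty: $cert" >&2; return 2; }

    # The private key must not be accessible to group or others.
    # (GNU stat first, BSD stat as a fallback.)
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $perms in
        400|600) ;;
        *) echo "private key permissions too open: $perms" >&2; return 3 ;;
    esac

    # The certificate must contain the public half of this private key.
    # Compare the PEM-encoded public keys extracted from each file.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot parse private key" >&2; return 4; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate" >&2; return 4; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "certificate does not match private key" >&2; return 4; }

    # Optionally confirm the subject names the host the request was made for.
    if [ -n "$host" ]; then
        openssl x509 -in "$cert" -noout -subject | grep -qF "$host" ||
            { echo "certificate subject does not mention $host" >&2; return 5; }
    fi
    return 0
}
```

A mismatch (code 4) usually means the certificate was pasted into the wrong file or grid-cert-request was re-run after the request was submitted, replacing the key.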