GridLab Temporary CA
We have created a temporary GridLab Certification Authority to
- provide certificates for people who are participating in the GridLab
project and are unable to get a certificate from the DataGrid or Alliance
CA in their country (either because the CA doesn't exist or because it is
not authorized to give them certificates)
- provide host and service certificates for machines participating
in the GridLab testbed
The CA will be valid until the end of 2002; by that time we have to
sort out a permanent solution for this problem.
How to obtain certificate
- Use this shell script to generate a request for a personal certificate, or
this shell script for a host certificate. You must have the environment
variable GLOBUS_LOCATION set.
- When you run the script you have to provide the complete name (it will go
into the CN) and then an e-mail address (used for the certificate extensions
and for mailing the signed certificate back). For people the complete name is
the normal full name; for hosts it is host/FQDN (Fully Qualified Domain Name).
How to sign the request - for Registration Authority
To give you a certificate, we need to know that the request really comes from
a person who is allowed to receive one. So your request
must be signed by somebody who already has a certificate.
Send your request file userreq.pem to somebody
who can confirm that it is your request. That person is called the RA (Registration Authority) and must sign it with:
openssl smime -sign -in clientreq.pem -out clientreq.pem.sgn -signer usercert.pem -inkey userkey.pem
where
- usercert.pem and userkey.pem are the certificate and key of the RA,
- clientreq.pem is the request to be signed, i.e. your userreq.pem,
- clientreq.pem.sgn is the request together with the RA's signature.
Send the signed request (clientreq.pem.sgn) to ca@gridlab.org.
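The RA signature is only useful if whoever receives clientreq.pem.sgn checks it. The script below is an added example, not part of the original page or of GridLab's own tooling: it runs the signing command above and then a check the recipient could run before acting on the request. The key material, the names "Example RA" and "Example User", and the helper functions make_fixtures, ra_sign and ca_check are all constructed for illustration.

```sh
#!/bin/sh
# Added example. All keys, names and files are constructed throwaways in a
# temp directory; nothing here is real GridLab CA or RA material.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

# Assumption: a self-signed cert stands in for the RA's certificate, so it is
# also its own trust anchor. In practice -CAfile holds the CAs that issue RA certs.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Example RA" \
        -keyout "$work/userkey.pem" -out "$work/usercert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=Example User" \
        -keyout "$work/clientkey.pem" -out "$work/clientreq.pem" 2>/dev/null
}

# RA side: the signing command from the page, unchanged apart from paths.
ra_sign() {
    openssl smime -sign -in "$work/clientreq.pem" -out "$work/clientreq.pem.sgn" \
        -signer "$work/usercert.pem" -inkey "$work/userkey.pem"
}

# Receiving side: accept FILE only if its S/MIME signature verifies against the
# trusted bundle, then print who signed it and which subject is being requested.
ca_check() {
    openssl smime -verify -in "$1" -CAfile "$work/usercert.pem" \
        -signer "$work/signer.pem" -out "$work/recovered.pem" 2>/dev/null || return 1
    openssl x509 -in "$work/signer.pem" -noout -subject | sed 's/^subject/signer/'
    openssl req -in "$work/recovered.pem" -noout -subject | sed 's/^subject/request/'
}

make_fixtures && ra_sign || exit 1
# A request altered after signing: one character of the signed content changed.
sed 's/BEGIN CERTIFICATE REQUEST/BEGIN CERTIFICATE REQUESt/' \
    "$work/clientreq.pem.sgn" > "$work/tampered.sgn"

ca_check "$work/clientreq.pem.sgn" && echo "signed request: accepted"
ca_check "$work/tampered.sgn" || echo "tampered request: rejected"
```

A valid chain only shows that some certificate under the trusted CAs signed the request, so the printed signer subject should still be compared against the list of people acting as RA.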
Other administrative stuff