
How to get an OSG PKI Certificate for Fermilab Hosts or Services (Grid and Web)

Introduction

Getting a host/service certificate involves using OpenSSL to generate a private key and a certificate request (CSR). You submit only the certificate request to OSG PKI via its website; the private key never leaves your machine, and OSG PKI returns a certificate that matches it. If the certificate is for a service, you will need to import the certificate and key into your service application and configure it; these steps are application dependent. If it is for a host, instructions are provided in the OSG CE Install Guide (especially How to get host and service certificates) and at Fermilab in How to get your website to run SSL.

Get Certificates for Grid Host/Services using Globus Toolkit (Linux)

Instructions for users of FermiGrid are available at the FermiGrid website.

Instructions for users of Open Science Grid are available in the OSG CE Install Guide.  These instructions assume that the OSG CE package (based on the Virtual Data Toolkit, VDT) is installed on your machine. The only required package for getting host/service certificates, however, is the Globus Toolkit, which is packaged with VDT.

See the Fermilab Grid Access Control Policy.

 

Get Certificates for Web Host/Services via the Command Line (Linux)

The OSG provides a package of command line utilities for Linux to simplify requesting host/service certificates.  Documentation on these utilities and links to download the RPMs to install the packages can be found at OSG Command Line Clients.  As with all the OSG TWiki sites, you do not need a certificate to access the documentation. But if you have one or more certificates installed in your browser you will get a certificate selection pop-up window.  You can safely Cancel this request and proceed to read the documentation.

 

Get Certificates for Web Host/Services (UNIX/Linux and Windows) via the Web

In order to request a web host certificate from the OSG PKI CA, you must generate a certificate request with a recent version of OpenSSL. Versions 0.9.7a and later are known to work with OSG PKI, but use the current release your distribution ships: older releases sign the request with SHA-1 by default (as in the sample output below), and a 2048-bit RSA key is the minimum you should generate.

OpenSSL is already available in Fermi Linux. In Linux, the OpenSSL version can be checked with the command:

openssl version

If OpenSSL is not installed on your system, use "yum install openssl" to install it.

For Microsoft Windows, a command-line version of OpenSSL is available in any of the following ways:

  1. As part of Cygwin, if you have installed the cygwin tools and specified inclusion of OpenSSL.
  2. Install a native OpenSSL command-line utility for Windows, which can be downloaded from Win32 OpenSSL  (Shining Light Productions) or from the local Security Tools repository at Native OpenSSL for Windows.

Whichever platform you use, you also need to pass a configuration file to the openssl command; the rest of these instructions are OS-independent. The configuration file supplies the Distinguished Name fields and their defaults, which is what produces the prompts shown below. Do not fall back on the system's default openssl.cnf, which prompts for a different set of fields (Country, State, Organization, ...) and would produce a Subject that OSG PKI will not accept.

Now you're ready to run the openssl command to generate the certificate request. We'll assume that the configuration file is named osgpki-host-ssl.conf, and that it's in the current directory (from which you'll execute the command), and that your fully-qualified domain name is nonesuch.fnal.gov. To generate a certificate request given these specifics, the OpenSSL command would look like:

openssl req -new -keyout nonesuch.key -nodes -out nonesuch.req -config osgpki-host-ssl.conf

This command writes the certificate request to the file nonesuch.req in the current directory and the private key to the file nonesuch.key. The -nodes option leaves the private key unencrypted (no passphrase), which is what a service that must start unattended needs, but it also means that anyone who can read the file has the key.

Save the .req file so that you can reuse it when your first certificate expires and it is time to request a new host/service certificate; currently these certificates are not renewable. Reusing the request means reusing the same private key, so only do so if the key has not been exposed in the meantime; otherwise generate a fresh key and request.

You MUST protect the private key (e.g., nonesuch.key) from access by other users: it should be owned by the account that runs the service and readable only by that account (on Linux, chmod 600 nonesuch.key). We recommend that you copy the file to a removable storage device which you store in a safe and secure place, and then delete any working copy from the computer where you generated it once the key is installed where the service needs it.

Here is an example of the screen output generated by this command:

Generating a 2048 bit RSA private key
.............+++
.........................................................................+++
writing new private key to 'nonesuch.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 DomainComponent [com]:
Level 1 DomainComponent [DigiCert-Grid]:
Certificate category [Services]:
Name (e.g., foo.bar.com) []:nonesuch.fnal.gov
 

You MUST accept the default by pressing Enter at every prompt except the Name prompt, where you enter the fully-qualified domain name of the host (nonesuch.fnal.gov in this example). Then print the generated certificate request (e.g., nonesuch.req) to the screen with the command:

openssl req -text -in nonesuch.req

or open it in a text editor. Verify that the Subject is correct, then select the Base64-encoded certificate request between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines for copying. Make sure to include those two lines in the copied text; they are the only part of the output the OSG PKI website needs, and the private key is never pasted anywhere.

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=com, DC=DigiCert-Grid, OU=Services, CN=nonesuch.fnal.gov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c3:2e:a4:0b:ee:95:9b:49:73:e4:4a:a7:2a:97:
                    97:c8:36:95:fc:50:21:19:23:29:17:7c:73:91:f0:
                    58:1e:7d:0f:33:ad:69:cb:64:1a:82:34:91:e7:a3:
                    76:c8:d4:98:59:c1:e8:25:49:3b:f0:9e:d1:c2:60:
                    20:5d:e5:21:2a:2c:ad:7c:7a:88:78:61:49:5d:c4:
                    f7:d8:7d:ae:30:f9:b5:b2:6e:f8:64:9e:95:33:da:
                    25:a5:7c:b0:0b:af:90:5c:e5:f1:62:8f:62:80:c4:
                    2e:2f:cd:5d:28:33:92:0e:3b:fe:84:2b:66:0f:71:
                    f6:7f:72:1d:12:86:f8:8d:14:38:5f:78:ae:7c:9c:
                    a8:5b:26:70:c2:3f:e2:7f:40:09:59:cc:45:5b:c0:
                    81:16:ce:cf:c5:43:61:16:14:74:12:2e:ac:ea:0e:
                    42:52:7f:55:5f:8a:ec:a7:2f:6c:1d:08:03:34:97:
                    48:62:b8:78:80:ec:dc:c3:de:6c:eb:26:16:a0:4c:
                    0a:69:47:77:71:58:75:8f:90:f4:73:27:10:af:73:
                    11:b8:1d:4a:74:36:e1:72:85:f3:03:a6:04:b4:83:
                    43:9f:2c:61:c1:4e:91:69:02:3c:da:90:06:aa:08:
                    8b:0c:47:b9:03:9c:c0:77:b2:b0:eb:8f:db:27:44:
                    b8:25
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        1f:9d:56:9c:bc:6a:58:e5:2b:8e:ca:49:21:a9:cf:15:b0:e3:
        c9:79:aa:b5:8f:3e:d8:90:30:68:49:3c:62:d9:86:a8:8e:77:
        f4:b4:c3:a9:56:37:01:6b:8b:db:77:de:83:48:a0:29:c3:d4:
        f4:05:3e:8c:f8:35:ee:be:9d:95:bc:cd:27:57:37:45:b9:ac:
        d6:4f:e3:63:5b:ab:2e:a2:89:e1:01:ef:ec:ee:81:31:9a:27:
        8f:57:2c:4f:19:19:dc:09:25:98:be:79:9c:b8:b8:ac:0e:16:
        c8:a6:e9:db:0d:0c:23:12:f6:63:d2:8e:ec:0b:36:fe:12:94:
        ac:92:e4:50:cf:73:cc:55:9f:fd:34:43:1d:a1:f3:72:94:60:
        bf:8d:27:d2:90:0e:76:02:dc:83:42:35:a8:5d:4b:ab:86:e8:
        5b:c2:1e:81:1d:62:1b:be:41:ce:3c:2e:bb:c9:a7:e8:3e:4b:
        a0:8a:5d:0e:33:4d:85:d3:74:a6:2a:73:d0:b3:d5:18:36:d9:
        4d:8a:94:bd:00:77:02:23:28:6d:d2:5a:24:72:2a:85:da:e5:
        3d:12:f8:7b:c3:f8:e2:13:43:94:b3:a0:df:98:9c:60:ad:8e:
        b8:d8:9d:85:fd:2d:8a:7e:1c:68:8d:36:4d:c7:20:b4:94:07:
        a7:b5:23:49
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
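The procedure above (configuration file, request generation, key protection, and checking the request before copying it) as one runnable script. This is an added example, not code from the original page or from the OSG tools. Two things are assumptions: the page does not show the contents of osgpki-host-ssl.conf, so the file written here is reconstructed from the four prompts in the sample output and the real OSG file may differ (for example in extensions); and the request is signed with SHA-256 rather than the SHA-1 seen in the sample output. The prompts are answered non-interactively the way the page says to, Enter for every default and the FQDN for Name; run it as sh script.sh run nonesuch.fnal.gov.

```shell
#!/bin/sh
# Added example, not from the original page or the OSG tools: generate the
# key and certificate request non-interactively, then check the request before
# copying it into the OSG PKI web form.
# Assumptions (the page does not show them): osgpki-host-ssl.conf is
# reconstructed here from the prompts in the page's sample output, and the
# request is signed with sha256 instead of that output's sha1.
set -e

# Write a req(1) config into $1/osgpki-host-ssl.conf that produces the same
# four prompts as the page's sample output (hypothetical reconstruction).
# encrypt_key = no has the same effect as -nodes: an unencrypted key file.
write_req_config() {
    cat > "$1/osgpki-host-ssl.conf" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
encrypt_key         = no
prompt              = yes
string_mask         = utf8only
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
0.DC                = Level 0 DomainComponent
0.DC_default        = com
1.DC                = Level 1 DomainComponent
1.DC_default        = DigiCert-Grid
OU                  = Certificate category
OU_default          = Services
CN                  = Name (e.g., foo.bar.com)
EOF
}

# Generate $1/<short>.key and $1/<short>.req for the FQDN $2, answering the
# prompts as the page says: Enter (default) for the two DomainComponents and
# the category, the FQDN for "Name".
make_host_csr() {
    dir=$1; fqdn=$2; short=${fqdn%%.*}
    write_req_config "$dir"
    (
        umask 077   # key must never be group/world readable, even briefly
        printf '\n\n\n%s\n' "$fqdn" |
            openssl req -new -keyout "$dir/$short.key" -nodes \
                -out "$dir/$short.req" -config "$dir/osgpki-host-ssl.conf" \
                >/dev/null 2>&1
    )
    chmod 600 "$dir/$short.key"
}

# Subject DN of the request in RFC 2253 form (stable across OpenSSL releases;
# note that this form lists the RDNs in reverse order, CN first).
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# RSA modulus size the request carries (the page's sample shows 2048).
csr_key_bits() {
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Public.Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# True when the private key on disk is the one the request was built from.
csr_matches_key() {
    [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# True when the request's self-signature verifies, i.e. the file was not
# corrupted or truncated (run this on the text you are about to paste, too).
csr_signature_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# True when the key file is readable only by its owner (mode 0600).
key_is_private() {
    [ -n "$(find "$1" -perm 0600 -print)" ]
}

# Exactly the text to paste into the OSG PKI form: the Base64 block together
# with its BEGIN/END CERTIFICATE REQUEST lines.
csr_pem_block() {
    sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' "$1"
}

# Usage: sh this-script.sh run [fqdn]   (default nonesuch.fnal.gov, as on the page)
main() {
    fqdn=${1:-nonesuch.fnal.gov}; short=${fqdn%%.*}
    dir=$(mktemp -d)
    make_host_csr "$dir" "$fqdn"
    echo "request : $dir/$short.req"
    echo "subject : $(csr_subject "$dir/$short.req")"
    echo "key bits: $(csr_key_bits "$dir/$short.req")"
    csr_matches_key "$dir/$short.req" "$dir/$short.key" || { echo "key does not match request" >&2; exit 1; }
    csr_signature_ok "$dir/$short.req" || { echo "request self-signature failed" >&2; exit 1; }
    key_is_private "$dir/$short.key" || { echo "key file is not mode 0600" >&2; exit 1; }
    csr_pem_block "$dir/$short.req"
}
case "${1:-}" in run) shift; main "$@" ;; esac
```

The checks after generation are the ones worth doing every time: csr_subject confirms the DN is the OSG one and the CN is the host's FQDN, csr_matches_key catches the common mistake of pasting a request that belongs to a different key file, and csr_signature_ok on the copied text catches a request mangled by a mail client or editor before it reaches the CA.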
 

You can also download a bash script get-host-certificate, which creates a new.cert directory in the current directory and writes the .req and .key files there:

./get-host-certificate  nonesuch

and then proceed as above to select and copy the certificate request encoded text.


Authored by Fang Wang
Last modified 4 months ago