How to get an OSG PKI Certificate for Fermilab Hosts or Services (Grid and Web)
Getting a host/service certificate involves using OpenSSL to generate a private key and a certificate request (CSR). Only the request is submitted to OSG PKI via its website; the private key never leaves your machine, and OSG PKI returns a certificate signed against the public key in the request. If the certificate is for a service, you will need to import the certificate and key into your service application and configure it; these steps are application dependent. If it is for a host, instructions are provided in the OSG CE Install Guide (especially How to get host and service certificates) and at Fermilab in How to get your website to run SSL.
Get Certificates for Grid Host/Services using Globus Toolkit (Linux)
Instructions for users of FermiGrid are available at the FermiGrid website.
Instructions for users of Open Science Grid are available in the OSG CE Install Guide. These instructions assume that the OSG CE package (based on the Virtual Data Toolkit, VDT) is installed on your machine. The only required package for getting host/service certificates, however, is the Globus Toolkit, which is packaged with VDT.
See the Fermilab Grid Access Control Policy.
Get Certificates for Web Host/Services via the Command Line (Linux)
The OSG provides a package of command line utilities for Linux to simplify requesting host/service certificates. Documentation on these utilities and links to download the RPMs to install the packages can be found at OSG Command Line Clients. As with all the OSG TWiki sites, you do not need a certificate to access the documentation. But if you have one or more certificates installed in your browser you will get a certificate selection pop-up window. You can safely Cancel this request and proceed to read the documentation.
Get Certificates for Web Host/Services (UNIX/Linux and Windows) via the Web
In order to request a web host certificate from the OSG PKI CA, a certificate request must be generated using a recent version of OpenSSL. Versions 0.9.7a and later of OpenSSL are known to work successfully with OSG PKI.
OpenSSL is already available in Fermi Linux. On Linux, the installed OpenSSL version can be checked by running openssl version at a shell prompt.
If OpenSSL is not installed on your system, use "yum install openssl" to install it.
For Microsoft Windows, a command-line version of OpenSSL is available in any of the following ways:
- As part of Cygwin, if you have installed the cygwin tools and specified inclusion of OpenSSL.
- Install a native OpenSSL command-line utility for Windows, which can be downloaded from Win32 OpenSSL (Shining Light Productions) or from the local Security Tools repository at Native OpenSSL for Windows.
In all cases, on Windows and Linux alike (the remainder of these instructions is OS-independent), you will also need the OSG PKI OpenSSL configuration file, which is passed to the OpenSSL command with the -config option; download it before proceeding.
Now you're ready to run the openssl command to generate the certificate request. We'll assume that the configuration file is named osgpki-host-ssl.conf, and that it's in the current directory (from which you'll execute the command), and that your fully-qualified domain name is nonesuch.fnal.gov. To generate a certificate request given these specifics, the OpenSSL command would look like:
openssl req -new -keyout nonesuch.key -nodes -out nonesuch.req -config osgpki-host-ssl.conf
This command writes the certificate request to the file nonesuch.req in the current directory. It also writes the private key into the file nonesuch.key. Because -nodes is given, the key is written unencrypted (no passphrase): that is what lets a service start unattended, but it also means file permissions are the only thing protecting the key.
Save the .req file so that you can reuse it when your first certificate expires and it's time to request a new host/service cert. Currently these certificates are not renewable. Note that a reused request carries the same public key, so the new certificate will be bound to the same private key; if that key has been exposed in the meantime, generate a fresh key and request instead.
You MUST protect the private key (e.g., nonesuch.key) from access by other users: on Linux the file must be readable only by its owner (mode 0600). We recommend that you copy the file to a removable storage device which you store in a safe and secure place, and then delete any copy from your computer that the service does not need.
Here is an example of the screen output generated by this command:
Generating a 2048 bit RSA private key
writing new private key to 'nonesuch.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Level 0 DomainComponent [com]:
Level 1 DomainComponent [DigiCert-Grid]:
Certificate category [Services]:
Name (e.g., foo.bar.com) :nonesuch.fnal.gov
You MUST select the default by pressing Enter in response to all the prompts except for the Name prompt, where you enter the fully-qualified domain name of the host (nonesuch.fnal.gov in this example). You will also want to print the generated certificate request (e.g., nonesuch.req) to the screen using the command:
openssl req -text -in nonesuch.req
which shows both the decoded request and its PEM encoding, or open the file in a text editor. Verify that the Subject is correct (it should match the form shown below, with your FQDN as the CN), then select the Base64-encoded certificate request between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines for copying. Make sure to include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines in the copied text.
Version: 0 (0x0)
Subject: DC=com, DC=DigiCert-Grid, OU=Services, CN=nonesuch.fnal.gov
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
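The generation and verification steps above, as an added example that is not code from this page (and not the get-host-certificate script it mentions): a POSIX shell script that writes a stand-in configuration producing the DN shown above (the real osgpki-host-ssl.conf is not reproduced on this page, so the config contents are an assumption), generates the key and CSR without prompting, and checks the subject, the key/CSR correspondence and the key file permissions before the request is pasted into OIM. The sha256 request digest, the owner-only umask and the file names are this example's choices.

```shell
#!/bin/sh
# Added example, not the page's get-host-certificate script and not the real
# osgpki-host-ssl.conf. Writes a stand-in config that yields the DN shown on the
# page, generates key + CSR without prompting, and checks the result before it is
# submitted. Assumes openssl is on PATH.
set -eu

# Stand-in for osgpki-host-ssl.conf (assumption: the real file is not on this
# page). prompt=no takes the DN from [req_dn] instead of asking interactively;
# 0.DC/1.DC give the two DomainComponent RDNs in the order the page shows.
write_req_config() {   # $1 = config path, $2 = FQDN
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_dn
prompt             = no

[ req_dn ]
0.DC = com
1.DC = DigiCert-Grid
OU   = Services
CN   = $2
EOF
}

# Generate <prefix>.key and <prefix>.req (the page's nonesuch.key/nonesuch.req).
# umask 077 makes the key owner-readable from the moment it is written instead of
# fixing permissions afterwards. -nodes: unencrypted key, as on the page.
make_host_csr() {      # $1 = FQDN, $2 = output prefix
    cfg="$2.conf"
    write_req_config "$cfg" "$1"
    ( umask 077 && openssl req -new -nodes -keyout "$2.key" -out "$2.req" \
        -config "$cfg" 2>/dev/null )
    rm -f "$cfg"
}

# Print the CSR subject in RFC 2253 form, e.g.
# subject=CN=nonesuch.fnal.gov,OU=Services,DC=DigiCert-Grid,DC=com
csr_subject() {        # $1 = CSR path
    openssl req -noout -subject -nameopt RFC2253 -in "$1"
}

# The request is only useful if the public key inside it is the one derived from
# the private key you keep: compare the two PEM-encoded public keys.
csr_matches_key() {    # $1 = CSR path, $2 = key path
    [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# The private key must not be group- or world-readable (mode 0600).
key_perms_ok() {       # $1 = key path
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh make-host-csr.sh nonesuch.fnal.gov nonesuch
if [ $# -ge 1 ]; then
    prefix="${2:-$1}"
    make_host_csr "$1" "$prefix"
    csr_subject "$prefix.req"
    csr_matches_key "$prefix.req" "$prefix.key" && echo "CSR matches $prefix.key"
    key_perms_ok "$prefix.key" || echo "WARNING: $prefix.key is readable by others" >&2
fi
```

Run it with the FQDN and an output prefix; paste the resulting .req (headers included) into OIM exactly as the page describes, and keep the .key where only the owner can read it.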
You can also download a bash script, get-host-certificate, which creates a new.cert directory in the current directory and writes the .req and .key files there; then proceed as above to select and copy the certificate request text.
- Now go to the OSG OIM page and, if necessary, click the + Request New item under the Host Certificates menu on the left side of the page.
- Fill out the required text fields with your contact information (name, e-mail address and phone number) as the server administrator and the captcha.
- Paste the copied text (again, from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST, inclusive) into the large text entry box labelled CSR (Certificate Signing Request). This box displays a sample certificate request in dim grey text until you paste over it.
- A pull-down menu labelled VO Approver for fnal.gov should appear below the CSR text box. Choose the appropriate Virtual Organization (probably OSG).
- In the comments text box, please describe the purpose of the certificate being requested as well as your Fermilab division and department or experiment to assist the personnel who will assess and approve your certificate request.
- Read through the OSG Policy Agreement and check the I Agree box below this text and then click the Submit button.
- Upon submission, your request will be forwarded to the appropriate approver per the affiliation you selected.
- After your request has been accepted and signed by OSG (it may take a few hours), you will receive an email message with a link to retrieve your newly signed certificate.
- Navigate to the URL given in the email message.
- Separately, create a new text file on your system into which you will copy your certificate content. (It will become the pem file which you will import.)
- Select and copy the contents from the section 'Base 64 encoded certificate' starting with the
-----BEGIN CERTIFICATE----- header and ending with the
-----END CERTIFICATE----- footer. Be sure to include the header and footer.
- Paste this content into your new text file.
- Open the key file, e.g., nonesuch.key, in an editor. Select all the text in this file, including the header and footer lines. OpenSSL 1.0.0 and later write the key in PKCS#8 form with BEGIN PRIVATE KEY and END PRIVATE KEY lines; older versions write BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY. Either form is fine; copy whichever your file has.
- Paste this text at the end of the new text file into which you previously pasted the certificate from the OSG PKI website. The new file now contains the certificate block (BEGIN CERTIFICATE to END CERTIFICATE) followed immediately by the private key block.
- Save this file as <your FQDN hostname>.pem (e.g., nonesuch.fnal.gov.pem). Because it contains the private key, save it in a secure, non-network-accessible place and make it readable only by its owner!
- Depending on your OS and web service, you may need to convert this file before you import it.
- For Apache web services on Linux, no conversion is necessary; see Setting up an SSL server with Apache.
- For IIS web services on Windows, it needs to be in PKCS#12 format; see Configuring an IIS Web server to use SSL and Configuring User Certificate Authentication for IIS.
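Assembling the .pem file and converting it for IIS, as an added example that is not taken from the page: because the signed certificate only arrives from OSG after approval, the script self-signs a throwaway certificate as a constructed stand-in (it is NOT an OSG certificate and carries no OSG trust), then builds the combined file in the order the page describes, refuses the build if the certificate and key do not belong together, and exports PKCS#12 with the password read from an environment variable instead of the command line. The file names, the P12PASS variable and the stand-in certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the page: builds <fqdn>.pem from an issued certificate
# and its private key, checks that they belong together, and exports a PKCS#12
# bundle for IIS. Assumes openssl on PATH. make_stand_in_cert() only exists so
# the example runs offline; a real deployment uses the certificate from OSG.
set -eu

# Constructed stand-in for the OSG-issued certificate: a self-signed certificate
# and its key, written to <prefix>.crt and <prefix>.key (assumption, not OSG).
make_stand_in_cert() { # $1 = output prefix, $2 = FQDN
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$2" > "$1.conf"
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.crt" -config "$1.conf" 2>/dev/null )
    rm -f "$1.conf"
}

# Does the certificate's public key equal the one derived from the private key?
cert_matches_key() {   # $1 = cert path, $2 = key path
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Concatenate certificate then key into the .pem the page describes. Accepts
# either key header: recent OpenSSL writes PKCS#8 "BEGIN PRIVATE KEY", older
# versions "BEGIN RSA PRIVATE KEY". Refuses to build a file whose parts do not
# belong together, and writes it owner-only from the start.
assemble_pem() {       # $1 = cert path, $2 = key path, $3 = output .pem
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" \
        || { echo "$1: no PEM certificate" >&2; return 1; }
    grep -q -e '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$2" \
        || { echo "$2: no PEM private key" >&2; return 1; }
    cert_matches_key "$1" "$2" \
        || { echo "certificate and key do not match" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" > "$3" )
}

# Export the combined .pem as PKCS#12 for IIS. pkcs12 -export reads both the
# certificate and the key from -in. The export password comes from the P12PASS
# environment variable (env:) so it does not appear in ps output or history.
to_pkcs12() {          # $1 = combined .pem, $2 = output .p12
    ( umask 077 && openssl pkcs12 -export -in "$1" -out "$2" -passout env:P12PASS )
}

# Usage: P12PASS='...' sh make-pem.sh nonesuch.crt nonesuch.key nonesuch.fnal.gov.pem
if [ $# -eq 3 ]; then
    assemble_pem "$1" "$2" "$3" && echo "wrote $3"
    [ -n "${P12PASS:-}" ] && to_pkcs12 "$3" "${3%.pem}.p12" && echo "wrote ${3%.pem}.p12"
fi
```

For Apache the combined .pem (or the separate .crt and .key files) is used directly; for IIS, import the .p12 and then delete the .pem and .p12 copies from any machine that does not need them.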