3.1. Managing Certificates

This section discusses how to use the Globus Simple CA and Rocks software to manage user certificates. If you plan to use a different CA system, please refer to the documentation for that CA.

Creating a Globus User Certificate, regardless of the CA system, involves the following steps:

  1. User creates a certificate request.

  2. The certificate request is sent to the CA system. The Grid Roll skips this step: the root account reads the certificate request directly out of the user's home directory.

  3. The CA system creates a Globus User Certificate and returns it to the user.

The advantage of using the Simple CA (and the Rocks Grid Roll) to provide CA services is that these steps can be completed in minutes, rather than the standard practice of waiting hours to days for a certificate.

3.1.1. Requesting a Certificate

Users may request certificates using the Globus command grid-cert-request. In the following sample output, a certificate request is generated for the user with a Common Name (CN) of "Spaceman Spiff". The rest of the DN is picked up from the configuration of the CA, which was done at installation time.

Note

Although the grid-cert-request command instructs you to e-mail your certificate request, this step is not necessary when using the Grid Roll.

$ grid-cert-request 
Enter your name, e.g., John Smith: Spaceman Spiff
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password, 
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf
Generating a 1024 bit RSA private key
.....++++++
.......................................++++++
writing new private key to '/home/gridboy/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
you are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:Level 0 Organizational Unit [San Diego Supercomputer Center]:Level 1 Organizational Unit [rocks12.sdsc.edu]:Level 2 Organizational Unit [sdsc.edu]:Name (e.g., John M. Smith) []:

A private key and a certificate request has been generated with the subject:

/O=Grid/OU=San Diego Supercomputer Center/OU=rocks12.sdsc.edu/OU=sdsc.edu/CN=Spaceman Spiff

If the CN=Spaceman Spiff is not appropriate, rerun this
script with the -force -cn "Common Name" options.

Your private key is stored in /home/gridboy/.globus/userkey.pem
Your request is stored in /home/gridboy/.globus/usercert_request.pem

Please e-mail the request to the Globus Simple CA root
You may use a command similar to the following:

cat /home/gridboy/.globus/usercert_request.pem | mail root

Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.

Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at root

3.1.2. Creating User Certificates

Only the root account is permitted to issue user certificates using the locally installed Simple CA. After one or more users have run grid-cert-request, the root user must log in and run local-ca-sign. In the following example, a certificate request is found, a certificate is issued, and the grid-mapfile is populated with an entry for the user.

# local-ca-sign 
Enter CA passphrase: 

Enter password for the CA key:

The new signed certificate is at: /root/.globus/simpleCA//newcerts/03.pem

/etc/grid-security/grid-mapfile does not exist... Attempting to create /etc/grid-security/grid-mapfile
(1) entry added
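The following POSIX shell script is an added example; it is not code from the Rocks Grid Roll or from Globus. It replays the three steps of section 3.1 (user request, signing by the CA, grid-mapfile entry) with plain openssl in a scratch directory, using the same DN components as the sample output above, and then runs the checks an administrator would want after local-ca-sign: the certificate chains to the CA, the certificate and userkey.pem belong together, the key is readable only by its owner, and the grid-mapfile maps the certificate's DN to the intended account. The scratch paths, the CA's own CN, the 2048-bit key size and the account name gridboy are assumptions for the demo, and the PEM pass phrase prompt is skipped with -nodes.

```shell
#!/bin/sh
# Added example, not part of the Rocks Grid Roll or Globus documentation.
# Replays the user request / CA signing / grid-mapfile steps with plain
# openssl in a scratch directory and checks the result the way an admin
# would after local-ca-sign. All paths, the CA's CN and the local account
# name are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/simpleCA"           # stands in for /root/.globus/simpleCA
USER_DIR="$WORK/gridboy/.globus"  # stands in for /home/gridboy/.globus
GRIDMAP="$WORK/grid-mapfile"      # stands in for /etc/grid-security/grid-mapfile
mkdir -p "$CA_DIR" "$USER_DIR"

# The DN prefix that grid-cert-request picks up from the CA configuration.
BASE_DN="/O=Grid/OU=San Diego Supercomputer Center/OU=rocks12.sdsc.edu/OU=sdsc.edu"

# Done once by the Simple CA at install time: CA key and self-signed CA cert.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$BASE_DN/CN=Globus Simple CA (demo)" \
        -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# Step 1, the user's side of grid-cert-request: a private key and a request
# carrying the CN given as argument. -nodes skips the PEM pass phrase that the
# real tool uses to protect userkey.pem, so the demo relies on 0600 alone.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$BASE_DN/CN=$1" \
        -keyout "$USER_DIR/userkey.pem" -out "$USER_DIR/usercert_request.pem" 2>/dev/null
    chmod 600 "$USER_DIR/userkey.pem"
}

# Subject of a certificate in the slash-separated form grid-mapfile expects.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Steps 2 and 3, the root side of local-ca-sign: sign the request with the CA
# key, then map the certificate's DN to a local account in the grid-mapfile.
sign_request() {
    openssl x509 -req -days 365 -sha256 -in "$USER_DIR/usercert_request.pem" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/cakey.pem" -CAcreateserial \
        -out "$USER_DIR/usercert.pem" 2>/dev/null
    # grid-mapfile line format: "<subject DN>" <unix account>
    printf '"%s" %s\n' "$(cert_subject "$USER_DIR/usercert.pem")" "$1" >> "$GRIDMAP"
}

# Post-issue checks for account $1: chain to the CA, key/cert pair match,
# key mode exactly 0600 (GSI rejects a group- or world-readable key), and a
# grid-mapfile line mapping this DN to the account. Returns 0 only if all pass.
verify_issued() {
    cert="$USER_DIR/usercert.pem"; key="$USER_DIR/userkey.pem"
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] || return 1
    [ -n "$(find "$key" -perm 600 -print)" ] || return 1
    grep -Fqx "\"$(cert_subject "$cert")\" $1" "$GRIDMAP" || return 1
}

make_ca
make_request "Spaceman Spiff"
sign_request gridboy
if verify_issued gridboy; then
    echo "issued and mapped: $(cert_subject "$USER_DIR/usercert.pem") -> gridboy"
fi
```

On a real Grid Roll host the same four checks apply to /home/<user>/.globus/usercert.pem and userkey.pem, the CA certificate under /etc/grid-security/certificates, and /etc/grid-security/grid-mapfile; a mismatch in any of them is the usual reason a freshly issued certificate is refused by GSI.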