Grid Canada | GC Certificate Authority


The GC Certificate Authority (CA) is a service that grants security certificates to users and services so they can authenticate each other within a security infrastructure.

The Current Root Certificate

GC CA Certificate: bffbd7d0.0
GC CA Certificate Signing Policy: bffbd7d0.signing_policy
GC CA Certificate Revocation List: bffbd7d0.r0

The Old Root Certificate

The old Grid Canada root certificate expires in April of 2007. Your user and host certificates signed with this root will continue to work through to that date. We do not sign new certificate requests or renewals with this root, only with the new root above.

GC CA Certificate: 5f54f417.0
GC CA Certificate Signing Policy: 5f54f417.signing_policy
GC CA Certificate Revocation List: 5f54f417.r0

CP/CPS

Review the latest GC CA Certificate Policy and Certification Practice Statement [pdf] and send your comments to <ca@gridcanada.ca>.

Note that holding a Grid Canada certificate does not, by default, grant access to the resources of any host, even one that itself has a Grid Canada certificate or accepts certificates signed by the Grid Canada CA. Anyone who wants to use the resources of a host must first contact its administrator directly to be added to that host's access control list.

Using the Grid Canada Certificate Authority

The certificates issued by this CA are standard X.509 certificates. The certificates can be used in a variety of contexts. Anywhere that SSL is used, for example, the issued certificates can be used.

However, the only currently supported uses of certificates signed by this CA are with the Globus Security Infrastructure (GSI). The following instructions allow you to modify your Globus installation to authenticate with others who have certificates signed by the Grid Canada CA as well as the default Globus CA (or, indeed, any other CA you add in a similar way).

In addition, these instructions allow you to set the default CA used by Globus' certificate request mechanism. Certificate requests sent to the Grid Canada CA are meant to be generated by the Globus Toolkit.

Installing Under the Globus Toolkit 2.x

As the Globus administrator, download and save the GC CA bundle, then install it using

    $GLOBUS_LOCATION/sbin/globus-build -install-only \
        globus_simple_ca_bffbd7d0_setup-0.18.tar.gz

or

    $GPT_LOCATION/sbin/gpt-install \
        globus_simple_ca_bffbd7d0_setup-0.18.tar.gz

then run the post-install script

    $GLOBUS_LOCATION/setup/globus-postinstall.sh

As root, run the GSI setup script

    $GLOBUS_LOCATION/setup/globus/setup-gsi

Your Globus deployment is now ready to accept connections from clients with certificates signed by the GC CA. If you want to make the GC CA the system's default CA when making certificate requests, still as root, run

    $GLOBUS_LOCATION/bin/grid-default-ca

You can always change the default CA back to what it was by running this again.

Now when a user wants to generate a certificate request, they proceed as usual with

    $GLOBUS_LOCATION/bin/grid-cert-request

and the default CA is used, but they also now have the option of using the -ca flag,

    $GLOBUS_LOCATION/bin/grid-cert-request -ca

which lets them choose from among similarly installed CAs.

For more information about setting up and using Globus security mechanisms, visit the GSI pages.
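
A post-install check, added here as an example and not part of the Grid Canada instructions: the sh function below audits a trusted-certificates directory for the three files this page lists per root (<hash>.0, <hash>.signing_policy, <hash>.r0) and flags a CRL that has not been refreshed recently. The directory argument and the 30-day default are assumptions; the page names neither a directory nor a CRL refresh interval.

```shell
#!/bin/sh
# Added example: audit a trusted-CA directory for the per-root file set
# listed on this page. gc_ca_audit is a hypothetical helper name.

# Usage: gc_ca_audit DIR [MAX_CRL_AGE_DAYS]
# Prints one line per CA hash: "<hash>: ok" or "<hash>: <problems>".
# Returns 0 if every root is complete, 1 if any problem was found,
# 2 if DIR is not a directory.
gc_ca_audit() {
    dir=$1
    max_days=${2:-30}   # assumed refresh window; the page states none
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    rc=0
    for cert in "$dir"/*.0; do
        [ -e "$cert" ] || continue        # glob matched nothing
        hash=$(basename "$cert" .0)
        problems=""
        # A root certificate should be accompanied by its signing policy.
        [ -s "$dir/$hash.signing_policy" ] || problems="$problems no-signing_policy"
        # Without a CRL, revoked certificates cannot be recognised;
        # a CRL with an old mtime has probably not been re-fetched.
        crl="$dir/$hash.r0"
        if [ ! -s "$crl" ]; then
            problems="$problems no-crl"
        elif [ -n "$(find "$crl" -mtime +"$max_days")" ]; then
            problems="$problems stale-crl"
        fi
        if [ -n "$problems" ]; then
            echo "$hash:$problems"
            rc=1
        else
            echo "$hash: ok"
        fi
    done
    return $rc
}

# Run the audit when the script is given a directory argument.
if [ "$#" -gt 0 ]; then
    gc_ca_audit "$@"
fi
```

The staleness test uses file modification time only, so it shows when the CRL file was last written, not the update dates stored inside the CRL itself.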




Last modified: 2006 May 3
Contact: <gc-webmaster@gridcanada.ca>