Certificate Request

Quick Start

  1. Log on to GridCanada public interface: https://cert.gridcanada.ca/pki/pub

  2. Click on “Request a Certificate” button

  3. Select type of certificate you wish to request by clicking on the link:

    • Personal: “User Request”

    • Host: “Server Request”

  4. Fill out the form (default fields are already pre-populated):

    • Name / Host Name

    • Email

    • PIN

  5. Click on the “Generate Report” button (second page of the form).

  6. Once the certificate is ready (usually within 2-3 business days), an email will be sent to you. It will contain a link to the site from which you it can be downloaded as well as a Certificate Revocation Number (CRIN), number required in order to revoke certificate if needed.

Certificate Revocation

Quick Start

  1. Log on to GridCanada public interface: https://cert.gridcanada.ca/pki/pub

  2. From “GridCanada Certificates” top menu, select “Revoke Certificate”.

  3. Fill in Certificate Serial Number (of the certificate you wish to revoke) as well as CRIN code which should be e-mailed to you (in encrypted form) when you received your certificate.

  4. Verify Revoked Certificate Information and click on “Sign and Submit” button.

  5. Enter the CRIN Number at the bottom of the floating box “Text Signing Request”.

  6. Please note: the status of the certificate will be changed to SUSPENDED only. Suspended certificates are certificates that have had the revocation process started but have not been revoked by the Certificate Authority (CA)

  7. Once the revocation process is completed, you will be notified by your Registration Authority (RA) by email.

Certificate Request Details

Introduction

GridCanada uses a public key infrastructure for authentication of users, resources and services. According to the basics of public-key cryptography (or asymmetric cryptography), each user and resource on the Grid has a key pair, comprising a public and a private key. The public key is made public while the private key must be kept secret. Encryption and authentication is performed using the public key while decryption and digital signature is performed with the private key. It is important to notice that generating a key pair does not automatically provide access to the Grid resources. A Certificate Authority (CA), trusted by the users and resource owners, must first sign the key pair to confirm identity. This signing procedure of the CA is referred to as issuing a certificate. Even then this does not grant authority to access grid resources — this requires authorisation from the owner of each resource. A key pair simply allows authentication of identity.

Certificates issued by the GridCanada CA are accepted by many international grid projects. As an accredited member of the The Americas Grid Policy Management Authority (TAGPMA), the GridCanada CA meets standards agreed with other CAs and with the relying parties.

Compatible Web Browsers

To apply for a certificate through the GridCanada CA Public Server you need to run one of the following browsers.

  • Mozilla 1.x or greater, including

    • Netscape

    • Firefox (recommended)

  • Opera

These browsers are available for download from their websites, and current versions are often included with Linux distributions. Limited tests with Safari and Chrome have shown they do not work correctly. The GridCanada Certification Authority does not support Microsoft Internet Explorer at this time.

Trusting the GridCanada CA

The very first step in applying for GridCanada certificate is to tell your browser that you want to trust the GridCanada CA. To do this you must install the GridCanada CA root certificate. On the CA Public Server page, follow the Get CA Certificate link. Your browser will ask you if you want to trust the GridCanada Certification Authority. You should at least agree to trust the CA to identify web sites and you may also want to agree to trust the CA to identify people (software developers and email senders) although this is not required to access GridCanada.

If you do not wish to trust the GridCanada root, that’s fine. You will just have to accept the security warning from the browser when you first enter the GridCanada web site. The GridCanada public interface, https://cert.gridcanada.ca has SSL certificates signed by the GridCanada CA itself.

You can read about how the CA is operated in its Certificate Policy and Certification Practise Statement (CP/CPS).

Applying for a User Certificate

Once you have accepted the GridCanada CA you are ready to apply online for a certificate to identify you on the grid by filling in the user certificate request form.

The public interface for the GridCanada CA can be found at https://cert.gridcanada.ca/pki/pub. Select “Request a Certificate” from the first page, when select either “User Request” or “Server Request”. The following assumes you selected “User Request”, the same instructions with minor moderations are valid for the “Server Request”

Name/HostName

These fields are for your forename and surname (in that order). (If requesting a host certificate this is the name of the server machine, without the word host/ which will be automatically appended).

Host Institution

What is required here is the most specific DNS domain name that describes the research group, department, faculty or organisation you work for. For example, someone working in the Computer Science department of the fictional Canadian University has an email address someone@uofa.ca and their website has an address of http://www.cs.uofa.ca/~someone. In this case cs.uofa.ca is the most specific DNS domain name that describes where they work. If another faculty had finer subdivisions (e.g. http://cosmic.physics.uofa.ca/\~another/) then the more specific name should be used. This isn’t an exact algorithm: if in doubt use the domain part of your email address after the @-sign. This field is used to identity you from other people at the same institution with the same name, e.g. there may be more than one John Smith of UofA.ca. Please verify the content as the content of this field gets populated authomatically.

Email Address

Your preferred email address at your institution. You will receive an e-mail from the GridCanada CA when your certificate has been signed, and is ready to be picked up. It will contain the serial number of the certificate which is needed to pick up the certificate. It must be a valid address, on a machine capable of receiving e-mail. Note; GridCanada does not accept as valid, email addresses from the public email domains: for example, gmail.com, rogers.com, shaw.ca, etc. It must be a valid Canadian institution, or known trusted institution, for example, cern.ch.

Request Certificate Role

Must be “User Certificate”. You can request several types of certificate here, for example, SSL keys for Web Servers, or e-mail certificate. However, the only tested and supported use of GridCanada certificates is in Grid and Cloud related work.

Registration Authority

You need to find your closest available Registration Authority (RA) in order to have your identity verified in person. When meeting the RA you should bring a document with your photograph such as a staff or student identity card for your institution, a passport or driver’s license. GridCanada currently has the following RAs: (fill in appropriate)

PIN

You must enter a code or password of 5 or more characters here. The value entered should not be easy to guess. It is very important that you do not enter a valuable password such as the password for your email account or for the administrator account on your computer. Please keep a note of what you enter here as the Registration Authority may ask you to supply this value in order to verify your request. This is NOT the passphrase of the private key.

Certificate Key Type

Must be RSA. Please leave alone.

Certificate Key Size

Select 2048 (High Grade) for the key size. While 1024 bits will provide strong protection there is little reason, given current computing power, not to use the stronger protection offered by a key of 2048 bits. (Note: the older GridCanada system only issued 1024 bit keys.)

Once these details have been entered you can click Continue.

Certificate Request Summary

On the next page you will be asked to check your details. Confirm that your Name, Organizational Unit, Email address, Registration and Certificate Type are correct.
Key Strength

Select High Grade for the key size. While 1024 bits will provide strong protection there is little reason, given current computing power, not to use the stronger protection offered by a key of 2048 bits. (Note: the older GridCanada system only issued 1024 bit keys.)

When you have checked your details and chosen the appropriate key size click Continue to generate your key. This will open a dialogue box while the key generation is in progress and then a “Thank You” page…

Getting a Requested Certificate

When your certificate request has been approved by the RA and the certificate issued by the CA, the CA will send an email to inform you. The email will contain one vital piece of information about your certificate: the serial number which is a code that uniquely identifies your certificate in the GridCanada CA records. Using the same web browser you used to request your certificate, follow the Install My Certificate link on the CA Public Server page. On that page, enter the serial number shown in the email, select “OK” to download the certificate. If you have a master password set for the Software Security device (the browser certificate store), please enter it when prompted. The browser may not give any visible indication that a new certificate has been downloaded, but you will find out when you perform the next step: backing up your certificate. You will also receive a second piece of mail from GridCanada. This contains additional information on the certificate including an ID code to be used if you need to revoke the certificate. This second mail has been encoded using your public certificate, and so only you can read it using your private key. However, you must have your pk12 certificate installed in your e-mail reader for this to work. For example, if you use Thunderbird, import the pk12 file from above into the Thunderbird certificate store. Note; Thunderbird does not share its certificate store with Firefox. The details are e-mail client depend, and are not covered in detail here.

Exporting Your Certificate

These instructions describe how to export your certificate from your browser. This is necessary for two reasons: firstly, you will want to have a backup of your certificate and private key in case anything happens to the copy stored in your browser: for example, some versions of some browsers may not preserve keys when upgrading to a newer version. Hard disk errors, or careless “spring cleaning” could also lead to lost keys. A backup allows you to continue to use your grid certificate in these cases. Backups should be kept securely, preferably in a safe. The passphrase for the backup should also be kept securely, in a sealed envelope, in case it is forgotten.

Secondly, it is necessary to export your certificate and private key pair in order to use to access grid resources. The instructions below describe how to extract the certificate and key pair as a bundle in PKCS#12 format, which is usually stored with a .p12 extension.

Mozilla-based Browsers

First, you need to go to the Certificate Manager component. The instructions below explain how to get there in several Mozilla-based Browsers.

Mozilla
  1. Go to Preferences (Edit menu on Linux/Windows, Mozilla menu on Mac OS)

  2. Under “Privacy & Security” go to “Certificates”

  3. Click “Manage Certificates…”

Firefox
  1. Go to Preferences (Edit menu on Linux/Windows, Firefox menu on Mac OS)

  2. Under “Advanced” go to “Certificates”

  3. Click “Manage Certificates…”

Then, once the Certificate Manager has opened:

  1. Select your certificate and click “Backup”

  2. Enter a name for the backup file, e.g. cert-backup.p12

  3. Enter the passphrase for the System Security Device (that is, the browser’s internal secure store for keys and passwords)

  4. Enter a new password to protect the backup (Note: this password is NOT the passphrase of the private key.)

Then the backup should be created with the name you specified.

Netscape
  1. Go to Communicator > Tools > Security Info

  2. Under “Certificates” go to “Yours”

  3. Select your certificate and click “Export”

  4. Enter the passphrase for the System Security Device (that is, the browser’s internal secure store for keys and passwords

  5. Enter a new password to protect the backup (Note: this password is NOT the passphrase of the private key.)

  6. Enter a name for the backup file, e.g. cert-backup.p12

Then the backup should be created with the name you specified.

Using Your Certificate With Globus

You need to copy the .p12 file containing your certificate and private key to your Grid or Cloud machine. This must be done using scp (secure copy). Under Linux, Mac OS X, BSD or other Unix-like environments, this can be done from the command line:

scp backup.p12 username@machine.ca

Windows users can use the scp command provided withCygwin, PSCP from the makers of PuTTY, or a graphical tool such as WinSCP. In any event, please protect your key pair.

Once the backup has been uploaded, the private key and certificate can be extracted with the following commands:

mkdir .globus
umask 0277

openssl pkcs12 -nocerts -in backup.p12 -out .globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in backup.p12 -out .globus/usercert_noText.pem

openssl x509 -in .globus/usercert_noText.pem -text > .globus/usercert.pem

or in the case of a host certificate; use the following commands:

openssl pkcs12 -nocerts -in backup.p12 -out .globus/hostkey.encrypted.pem
openssl pkcs12 -clcerts -nokeys -in backup.p12 -out .globus/hostcert_noText.pem

openssl x509 -in .globus/hostcert_noText.pem -text > .globus/hostcert.pem

openssl rsa -in .globus/hostkey.encrypted.pem -out .globus/hostkey.pem (Clone the key without a password)

Note: users must provide suitable protection for the private keys. It is not recommend to store the key without a pass phrase.

Remember to reset the umask to a sensible value once the key has been extracted. Otherwise any files or directories you create will have very restricted permissions.

Note: you will be asked for a passphrase when extracting the private key. Please remember this phase, if you forget the passphrase, we can’t help recover it. If you no longer wish to have your certificate pair installed in the browser, please delete it from the browser certificate store. However, in the next release of the GridCanada CA, it will be very handy to have your current GridCanada certificate installed in your browser. For example, you will need your certificate installed to renew your certificate, since the renewal process will be done via a client-side secure web interface. More on this later.

umask 0022

It is important that nobody else can read your private key as this would allow them to take a copy and attempt to decrypt it. The permissions on the keys should be as follows:

-r--r--r-- 1 username usergrp 1817 Dec 16 2004 usercert.pem
-r-------- 1 username usergrp 1913 Dec 16 2004 userkey.pem

If the permissions on the files are not correct then they can be reset:

chmod 0444 usercert.pem
chmod 0400 userkey.pem

General Notes

The System Security Device password is entirely local to your browser and will have been set by you or your system administrator in the past. If you don’t have this password then unfortunately we can’t help you to export your certificate.

As mentioned above, the GridCanada Certification Authority does not support Microsoft Internet Explorer, Safari or any other browsers except recent versions of Mozilla and Netscape. It should be possible to import the .p12 backup of your certificate and private key into an unsupported browser to access secure web pages. For example, if you import the p12 file in Internet Explorer, you will also be able to read the encrypted mail from GridCanada via Outlook, since they share the certificate store.

Certificate Revocation Details

Introduction

GridCanada issued certificates automatically expire after one year unless they are renewed. A certificate owner should revoke his or her certificate immediately after he or she has reason to believe the certificate may have been compromised. The following are the additional options available for the reason of certificate revocation:

  • unspecified

  • keyCompromise

  • CACompromise

  • affilliationChanged

  • superseded

  • cessationOfOperation

  • certificateHold

  • removeFromCRL - should be used only in DeltaCRLs prior removing the certificate from the revoked list - GridCanada does not support this feature.

The certificate owner must remember and use the Challenge Phrase which he or she chose during the certificate enrollment process in order to revoke his or her digital certificate.

Certificate Revocation Instructions

The following are the steps in certificate revocation.

  1. From the top menu panel select “GridCanada Certificates” → “Revoke GRID Certificate”.

  2. A new page “Certificate Revocation Request” will appear. User will be required to enter the following information:

    • Certificate Serial Number

    • Revocation Reason – select from the drop-down menu (options provided above)

    • Reason Description – enter appropriate reason or leave the default content

    • CRIN Code – unique revocation code provided inside encrypted email when the certificate was originally created and notification was sent to the user. .Click on the “Continue” button.

  3. A new page “Confirm Revocation Request” will be presented. Verify correctness of data and click on the button: “Submit Request” (this will process revocation request without signing).

  4. If the data entered was correct and the request has been processed successfully, a page with a confirmation message will appear. Please note: the status of the certificate will be changed to SUSPENDED only. Suspended certificates are certificates that have had the revocation process started but have not been revoked by the Certificate Authority (CA). Once the certificate is suspended, the Registration Authority (RA) will add it to the Certificate Revocation Request (CRR) list which will be then forwarded to and processed by the CA side. The certificate will be valid until the actual revocation by the CA takes place and the REVOKED certificate is imported back to the RA.

  5. To verify the current status of your certificate: go to the top menu panel and select “Information”, then the option which applies: “Valid Certificates, “Suspended Certificates”, “Revoked Certificates” etc. The screen shows 20 certificates at a time. The user can select individual certificate scroll through the pages listing suspended certificates and narrow the information down to particular certificate by clicking on Serial (certificate’s serial number presented in hexadecimal form) and clicking on "More info…" link.

  6. Once the status of certificate has been changed to SUSPENDED, it automatically gets added to Certificate Revocation Request (CRR).