Recommendations:

You must at least get acquainted with the following documents in order to know what they contain and what answers they provide:

For GRID Users this is a must:

The gLite user guide

pdf: gLite 3.1 User Guide

For all users:

This is the BG.ACAD CA Certificate Policy and Certification Practice Statement (CP/CPS):

http://ca.acad.bg/policy.html

Prerequisites:

·         Currently certificate requests can be generated only under Linux (or another UNIX-like OS such as FreeBSD).

·         OpenSSL must be installed on the machine.

·         When requesting a user certificate for the GRID infrastructure, it is strongly recommended that the user has and provides a corporate (institutional) e-mail account (and NOT one offered by a free public service, e.g. hotmail.com, abv.bg etc.)

·         Users must obtain a declaration (official note) from their Institute/Employing Organization certifying that they are employees of that organization.

·         In the case when one (usually an administrator) requests a Host Certificate, she/he must obtain a declaration (official note) from their Institute/Employing Organization certifying that they are authorized to administer the host/service in question.

Steps for requesting a user certificate:

1.      Download the following script and then execute it on the machine that is meant to store your key pair.

(Usually this should be the User Interface Node.) Follow the onscreen instructions.

This script will generate your private key and your certificate request file (CSR).

NOTE ! : As a general precaution you must not execute the script as root.

2.      Put the certificate request file (it will be named like this, e.g. people-Ivan_P._Dimitrov_-20070505-083333.pem) on removable storage (a floppy disk, CD/DVD or a flash drive). Remember, we need ONLY this file on the removable storage media; NEVER put your private key there.

Important !!!: The private key associated with your certificate should:

Failure to observe the above rules will result in you being denied the issuance of a Certificate as well as denied access to LCG GRID resources !

3.      Contact one of our Registration Authorities (RA) to make an appointment.

4.      Meet the RA in person. You must bring with you:

·         valid Identification Document - Identity Card, Driver's License, or Passport

·         the declaration (official note) from your Institute/Employing Organization certifying that you are an employee of that organization.

·         the removable media on which you store your CSR. It will be copied by the RA and the removable media will be returned to you.

When you meet the RA, you will have to sign the following statement that you have read the CP/CPS, so please make sure you have done so.

5.      Within 5 working days BG.ACAD CA will issue your Digital Certificate and publish it in the online repository.

Steps for requesting a host certificate:

1.      Download the following script and then execute it on the machine that is meant to store the host’s key pair.

Follow the onscreen instructions.

This script will generate the host’s private key and certificate request file (CSR).

NOTE ! : As a general precaution you must not execute the script as root.

2.      If you already possess a valid USER certificate, you can compose and send an e-mail to oper...@ca.acad.bg directly with the subject "Host Certificate Request".

Copy/paste the following statement into the e-mail, filling in the necessary information;

Attach the host’s certificate request file (it will be named like this, e.g. hosts-xeon.university.bg-20070411-123540-cert.pem);

Sign the whole e-mail message with your personal USER certificate.

You can now skip steps 3, 4 and 5.

3.      If you do not have a USER certificate you must put the certificate request file (it will be named like this, e.g. hosts-xeon.university.bg-20070411-123540-cert.pem) on removable storage (a floppy disk, CD/DVD or a flash drive). Remember, we need ONLY this file on the removable storage media; NEVER put the host's private key there.

Important !!!: The private key associated with the host’s certificate should:

Failure to observe the above rules will result in you being denied the issuance of a Host Certificate !

4.      Contact one of our Registration Authorities (RA) to make an appointment.

5.      Meet the RA in person. You must bring with you:

·         valid Identification Document - Identity Card, Driver's License, or Passport

·         the declaration (official note) from your Institute/Employing Organization certifying that you are authorized to administer the host/service in question.

·         the removable media on which you store your CSR. It will be copied by the RA and the removable media will be returned to you.

When you meet the RA, you will have to sign the following statement that you have read the CP/CPS, so please make sure you have done so.

6.      Within 5 working days BG.ACAD CA will issue your Digital Certificate and publish it in the online repository.

Steps the user must take in order to actually make use of his own certificate:

On the UI node

·         Update the lcg-CA distribution OR install the latest rpm with the BG.ACAD root certificate:

If you have installed using yaim, or have otherwise configured apt-get on your nodes, you can update/install the CAs with:

# apt-get update && apt-get -y install lcg-CA

If you prefer to install manually, the rpms can be found at

http://repository.egi.eu/sw/production/cas/1/current/RPMS/

After downloading it, you can install the BG.ACAD CA rpm with the following command (Note: select the most recent version found at the above link):

# rpm -Uvh ca_BG-ACAD-CA-1.70-1.noarch.rpm

·         put your certificate and private key in the ~/.globus directory of the UI node

·         rename your certificate to usercert.pem, e.g.:

# mv people-Ivan_P._Dimitrov_-20070505-083333.pem usercert.pem

·         change the permissions of the files if necessary (the private key must be readable only by you):

# chmod 400 userkey.pem

# chmod 644 usercert.pem

At this point your certificate and private key must be located in the .globus directory in your home. In the standard LCG setup your private key is found at: ~/.globus/userkey.pem and your certificate at: ~/.globus/usercert.pem.

·                In order to import your private key and certificate into your browser you must create a pkcs12 bundle. This can be achieved by issuing the command:

# openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey \
~/.globus/userkey.pem -name "My Certificate" \
-out mycertificatebundle.p12

Where -

userkey.pem

is the path to your private key file (This should be set with permissions so that only you can read it.)

usercert.pem

is the path to your certificate file.

mycertificatebundle.p12

is the path for the output PKCS12 format file to be created.

"My Certificate"

is an optional name which can be used to select this certificate in the browser after you have loaded it if you have more than one loaded.

After issuing the above command, you will be asked to enter the pem pass phrase. This is the pass phrase you entered during the initial process of creating the certificate request. Next you will have to enter an export password for the pkcs12 bundle and you will have to use it during the import procedure.
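As an added example (not the CA's own script), the following shell functions check the ~/.globus layout described above before running the same openssl pkcs12 export: the private key must be readable only by its owner, and it must belong to the certificate the CA issued. The directory, output file name and bundle name are assumptions passed as arguments.

```shell
# Added example for the BG.ACAD instructions; paths are assumptions.
# Usage on the UI node: make_p12 "$HOME/.globus" mycertificatebundle.p12

# Return 0 when userkey.pem is readable only by its owner (-r--------),
# which is exactly what "chmod 400 userkey.pem" above produces.
check_key_perms() {
    key="$1/userkey.pem"
    [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        -r--------) return 0 ;;
        *) echo "$key has mode $mode, expected -r--------" >&2; return 1 ;;
    esac
}

# Return 0 when usercert.pem carries the same public key as userkey.pem,
# i.e. the issued certificate really belongs to the key file in ~/.globus.
# openssl will prompt for the pem pass phrase chosen when the CSR was made.
check_key_matches_cert() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/userkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Build the browser bundle with the openssl pkcs12 command from the text,
# refusing to export when either check above fails.  The .p12 contains the
# private key, so it is made owner-only like userkey.pem.
make_p12() {
    dir="$1"; out="${2:-mycertificatebundle.p12}"; name="${3:-My Certificate}"
    check_key_perms "$dir" && check_key_matches_cert "$dir" || return 1
    openssl pkcs12 -export -in "$dir/usercert.pem" -inkey "$dir/userkey.pem" \
        -name "$name" -out "$out" && chmod 600 "$out"
}
```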

·                Transfer the pkcs12 bundle to the computer where your Web Browser and E-mail Client programs reside.

·                Download BG.ACAD CA root certificate here: http://ca.acad.bg/ca_cert/bg_acad_ca-cacert.der

·                Now you have to import both the BG.ACAD CA root certificate and the pkcs12 certificate bundle you just created into the web browser and e-mail client of your choice.

·                      Import BG.ACAD CA root certificate in Internet Explorer:

File menu, Open. Navigate to the bg_acad_ca-cacert.der file that you downloaded in the previous step and open it. Choose "install certificate" and follow the instructions until the certificate is "successfully installed".

·                      Import BG.ACAD CA root certificate in Mozilla Firefox:

Tools menu, Options. Choose the "advanced" section, and then the "encryption" tab. Now click the "view certificates" button and then the "authorities" tab. Click "import".

Navigate to the bg_acad_ca-cacert.der file that you downloaded in the previous step and open it.

A Window will pop up. Enable the following options:

·                             Trust this CA to identify web sites.

·                             Trust this CA to identify email users.

·                             Trust this CA to identify software developers.

and then click OK on all following dialogues (three times).

·                      Import your pkcs12 bundle: the procedure depends on which browser/version you use, so read the corresponding help.

This page was last updated on 14.01.2016