Spanish Datagrid Project

Certification Authority (CA) for the Datagrid Project in Spain

The use of this Certification Authority is limited to the Datagrid Project test bed.

The DATAGRID-ES CA certification service is run with a reasonable level of security and the identity of the requester is checked, but it is provided on a best-effort basis and we cannot give any guarantee about the security of the service.
DATAGRID-ES CA policy

X.509 certificates are provided for users and machines as needed by the Globus Security Infrastructure.

>>>>> How to obtain a certificate
To obtain a certificate the requester must be a valid datagrid-es collaborator.
Contact your local Registration Authority (RA) for HELP.
  1. CREATE A CERTIFICATE REQUEST FILE:
    To obtain a personal certificate under Globus, use the command grid-cert-request.
    For machine certificates, the certificate request is automatically created in /opt/globus/etc/globus-gatekeeper.request in the Globus installation.
    PERSONAL DNs must look like:
    '/C=ES/O=DATAGRID-ES/O=IFCA/CN=Rafael Marco de Lucas'
    Only certificates for REAL people are accepted. Please do not ask for anonymous certificates (i.e. for user globus).
    MACHINE DNs must look like:
    '/C=ES/O=DATAGRID-ES/O=IFCA/CN=grid001.ifca.unican.es'
  2. SEND BY EMAIL YOUR REQUEST FILE to datagrid-es-ca@ifca.unican.es and to your RA
    Registration Authorities (RAs)
    IFAE pacheco@ifae.es
    IFCA rmarco@ifca.unican.es
    IFIC nicanor.colino@ciemat.es
    CIEMAT salt@ific.uv.es
    UAM jose.del.peso@uam.es
    UNIOVI cuevas@ifca.unican.es

  3. DO NOT DELETE THE KEY FILE OR THE REQUEST FILES USED.
    Remember that no copy of your private key exists; if you lose it, your certificate will have to be revoked and you will need to restart the request.
    Wait until you receive an answer (no more than 1 working day if there is no problem checking the authenticity of the request).
  4. MAKE A BACKUP copy of your private key and request files, and put them in a secure place
    USER CERT: directory: $HOME/.globus , files: userkey.pem , usercert.pem , usercert_request.pem
    MACHINE CERT: directory: /opt/globus/etc , files: globus-gatekeeper.key , globus-gatekeeper.cert , globus-gatekeeper.request

>>>>> Obtaining the DATAGRID-ES CA certificate
The CA certificate is needed to verify the authenticity of certificates issued by DATAGRID-ES.
To install the CA certificate in Globus:
  1. Download the CA certificate file 90e2484f.0 and copy it (do not change the name) to the directories:
    /usr/local/globus/globus/share/certificates
    /opt/globus/share/certificates
    # lynx -dump http://www.ifca.unican.es/datagrid/ca/90e2484f.0 > <filename>
  2. Change the protection of the files to 644 and set root as their owner
    # chmod 644 <filenames>
    # chown root <filenames>

  3. Update the CA signing policy: /opt/globus/share/certificates/ca-signing-policy.conf
    Add the lines:
    # EACL entry #2
    access_id_CA  X509   '/C=ES/O=DATAGRID-ES/CN=DATAGRID-ES Certification Authority'
    pos_rights    globus CA:sign
    cond_subjects globus '"/C=ES/O=DATAGRID-ES/*"'
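
What the signing-policy entry above enforces, as an added example (not part of the original page and not Globus code): this Python code parses the entry and checks whether a subject DN lies inside the namespace the CA is allowed to sign. The function names are hypothetical, and treating `*` as a plain case-sensitive wildcard is an assumption about the matching rule.

```python
import re
import shlex

# The entry from the page, as added to ca-signing-policy.conf.
POLICY = """\
# EACL entry #2
access_id_CA  X509   '/C=ES/O=DATAGRID-ES/CN=DATAGRID-ES Certification Authority'
pos_rights    globus CA:sign
cond_subjects globus '"/C=ES/O=DATAGRID-ES/*"'
"""

def parse_policy(text):
    """Return {ca_dn: [subject patterns]} for CAs granted CA:sign."""
    policy, ca, can_sign = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # removes the outer single quotes
        if len(fields) != 3:
            raise ValueError(f"malformed policy line: {line!r}")
        key, _, value = fields
        if key == "access_id_CA":
            ca, can_sign = value, False
            policy.setdefault(ca, [])
        elif key == "pos_rights":
            can_sign = (value == "CA:sign")
        elif key == "cond_subjects" and ca is not None and can_sign:
            # The value is itself a list of double-quoted patterns.
            policy[ca].extend(shlex.split(value))
    return policy

def subject_allowed(policy, issuer_dn, subject_dn):
    """True if issuer_dn may sign subject_dn (assumed: '*' matches anything)."""
    for pattern in policy.get(issuer_dn, []):
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, subject_dn):
            return True
    return False  # unknown CA, or subject outside its namespace: reject
```

A certificate chaining to this CA but carrying a subject outside /C=ES/O=DATAGRID-ES/ is rejected, which is what keeps a test-bed CA from vouching for names in other organisations' namespaces.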

>>>>> Obtaining the DATAGRID-ES CA Revocation List (CRL)
The most recent DATAGRID-ES CA Revocation List can be downloaded here: datagrid-es-crl.pem
(there are no revocations yet)


For comments contact Rafael Marco de Lucas (rmarco@ifca.unican.es +34 942 201413)
© Instituto de Física de Cantabria (IFCA), 2001.