NORDUGRID-MEMO-3

Grid Certificate Mini How-to

The Grid utilizes public key or asymmetric cryptography for authentication of users, resources and services (for background on cryptography see the RSA FAQ). According to the basics of public-key cryptography, each resource on the Grid has a key pair, a public and a private key. The public key is made public while the private key must be kept secret. Encryption and authorization are performed using the public key, while decryption and digital signature are performed with the private key. It is important to notice that generating a key pair does not automatically give you access to the Grid resources. A trusted authority of the Grid, called the Certificate Authority (CA), needs to sign your public key, thereby confirming your identity. This signing procedure of the CA is often referred to as issuing a certificate.

In the Globus framework the key file (userkey.pem) and the certificate file (usercert.pem) correspond to the key pair of public-key cryptography. The userkey.pem file (or resourcekey.pem) contains the private key encrypted with your password (called a pass phrase in Globus). The certificate file (usercert.pem) contains your public key together with additional important information such as the subject name of the holder of the certificate, the name of the signing CA, and the digital signature of the CA. The important role of the CA is to establish a trustworthy link between the identity of the user and the public key in the certificate file. The digital signature of the CA in the user's certificate file officially declares that the public key in the file belongs to the specific user (subject name). The certificate files are encoded in the X.509 format.

In order to obtain a valid passport to the Grid you need to create a key pair and submit your public key to the CA for a signature (this process is called a certificate request). The CA will follow its certificate policy and, upon successful evaluation of your request, your public key will be signed and sent back to you. As mentioned before, all resources (i.e. gatekeepers, users, services) require a CA-signed key pair to be able to operate on the Grid.

The globus-certreq (or grid-cert-request) command creates an unsigned key pair in your .globus directory. The userkey.pem file holds your private key encrypted with your pass phrase (you are prompted to supply this pass phrase during the key pair generation). This file must only be readable by its owner. The usercert_request.pem file contains your unsigned public key together with your subject name and the name of your default CA. This file should be mailed to the CA. globus-certreq also creates an empty usercert.pem file; you can later save your CA-signed certificate into this file. Please always remember that a Grid passport consists of two files, the private key file and the public certificate file. You need to have both of them; the certificate file (usercert.pem) alone is not enough for the Grid. If you lose one of your key files you need to generate a new CA-signed key pair.

You can use the openssl cryptography toolkit and the Globus-provided commands to create, check, convert between different formats and otherwise manipulate your certificate files (the Globus commands are in fact just a friendly interface to the openssl toolkit). For further information please read the openssl, verify and x509 man pages, or use the Globus commands with the -help option.

Examples

Create a key pair for a user or a gatekeeper:
grid-cert-request -int

Change the pass phrase of the private key file userkey.pem:
grid-change-pass-phrase -file userkey.pem
Or using the standard openssl tools:
openssl rsa -in userkey.pem -des3

Print all the information from the public certificate file usercert.pem:
grid-cert-info -file usercert.pem -all

Print out subject (DN), issuer and validity period of a certificate (e.g., a host or a user certificate or a CA key):
openssl x509 -in <cert-filename> -subject -issuer -dates -noout

Print out hash of a certificate (e.g., a host certificate or a CA key):
openssl x509 -in <cert-filename> -hash -noout

Encode your private key with a new pass phrase and store it in the new_userkey.pem file (it first asks for your old pass phrase then twice for the new):
openssl rsa -in userkey.pem -des3 -out new_userkey.pem

Verify the usercert.pem certificate (the public key of the issuing CA is supposed to be in the CApath):
openssl verify -CApath /etc/grid-security/certificates/ usercert.pem

Display the contents of the usercert.pem certificate:
openssl x509 -noout -text -in usercert.pem

Convert your certificate from pem (Grid) format to pkcs12 (the certificate format used by Web browsers):
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12

Convert your certificate from pkcs12 (the certificate format used by Web browsers) to pem (Grid) format:
1. Extract user key:
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
2. Extract user certificate:
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem

Display the content of the NorduGrid CA's Certificate Revocation List (CRL file):
openssl crl -in /etc/grid-security/certificates/1f0e8352.r0 -text

Obtain the certificate (public key) of a server (the server name and port must be known):
openssl s_client -CApath /etc/grid-security/certificates -prexit -connect <server:port> 2>/dev/null | openssl x509 > host-key.pem

Remove the pass phrase from the private key file:
openssl rsa -in key.pem -out key_nopass.pem
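The whole passport life cycle above (key pair, certificate request, CA signature, hash-named CApath, and the checks a user should run on the result) as an added example; it is not part of the NorduGrid memo. It builds a throwaway test CA instead of the real NorduGrid CA, and the CA name, user name and pass phrase "grid-secret" are constructed.

```shell
#!/bin/sh
# Added example, not from the NorduGrid memo: build a throwaway test CA plus a
# CA-signed user "passport" in directory $1, then run the checks the memo
# recommends. The CA name, user name and pass phrase "grid-secret" are constructed.
make_test_passport() {
  dir=$1
  # Minimal openssl config so the test CA gets CA:TRUE regardless of the system openssl.cnf.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed CA standing in for the real NorduGrid CA (1-day validity).
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Grid/O=NorduGrid/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  # Private key encrypted with a pass phrase, as grid-cert-request produces it.
  openssl genrsa -des3 -passout pass:grid-secret -out "$dir/userkey.pem" 2048 2>/dev/null || return 1
  chmod 400 "$dir/userkey.pem"
  # The certificate request: unsigned public key plus the subject name, sent to the CA.
  openssl req -new -config "$dir/ca.cnf" -key "$dir/userkey.pem" -passin pass:grid-secret \
    -subj "/O=Grid/O=NorduGrid/CN=Example User" -out "$dir/usercert_request.pem" 2>/dev/null || return 1
  # The CA signs the request; the result is the usercert.pem of the memo.
  openssl x509 -req -days 1 -in "$dir/usercert_request.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/usercert.pem" 2>/dev/null || return 1
  # A CApath directory only works when the CA cert is stored under its hash name (<hash>.0).
  mkdir -p "$dir/certificates"
  cp "$dir/ca.pem" "$dir/certificates/$(openssl x509 -hash -noout -in "$dir/ca.pem").0"
}

# Returns 0 when the passport passes every check, 1 at the first failure.
check_grid_passport() {
  dir=$1
  # userkey.pem must be readable by its owner only (group/other mode bits all '-').
  [ "$(ls -l "$dir/userkey.pem" | cut -c5-10)" = "------" ] || return 1
  # Key and certificate must belong together: identical RSA modulus.
  km=$(openssl rsa -noout -modulus -passin pass:grid-secret -in "$dir/userkey.pem" 2>/dev/null)
  cm=$(openssl x509 -noout -modulus -in "$dir/usercert.pem" 2>/dev/null)
  [ -n "$km" ] && [ "$km" = "$cm" ] || return 1
  # Chain must end at a CA in the CApath and be inside its validity period.
  openssl verify -CApath "$dir/certificates" "$dir/usercert.pem" >/dev/null 2>&1 || return 1
  # Subject (DN) and issuer as expected.
  openssl x509 -noout -subject -in "$dir/usercert.pem" | grep -q "Example User" || return 1
  openssl x509 -noout -issuer -in "$dir/usercert.pem" | grep -q "Test CA"
}
```

Source the file, then run make_test_passport and check_grid_passport on an empty temporary directory; loosening the mode of userkey.pem or replacing usercert.pem with a certificate for another key makes check_grid_passport fail.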