Managing Certificates

(not everything has been tested)

A Basic Introduction to Public-Key-Cryptography

All this business with certificates uses public-key cryptography. The basic idea is that everyone has a key pair consisting of a private and a public key. As the name suggests, the private key is kept private and the public one is made public. Messages encrypted with one of the keys can only be decrypted with the other. We will now look at the most common ways to use this fact.

Private Messages

If anyone wants to send you a private message, he takes your public key and encrypts his message with it. Since only you know the private key, only you will be able to decrypt and read the message.

Authentication/Signing

If you encrypt a message with your private key, everyone will be able to decrypt and read it. But since only you could have encrypted the message, this proves your identity. The same idea is used to electronically sign a document.

This is what you use when initializing a grid-proxy or when you log into a website with your certificate.

There is still a problem with this setup: how do you distribute your public key? Since you will authenticate yourself using this key, you need to make sure that the key arrives at its destination untampered. In addition, the distribution needs to happen over the internet - nothing else would be possible for a system like the Grid.

Certificates

A possible solution to this are certificates. A certificate is a document that contains your public key (and possibly other information about you). It has to be signed by a Certificate Authority (CA). With its signature the Certificate Authority confirms that it has checked your identity and that the information in the certificate is valid.

Obviously the certificate is useless without the private key belonging to it, or once the private key has been compromised. So make sure to protect your private key properly: nobody else should be able to get the file containing it, and you should not lose it.

After you have obtained a certificate, distributing your public key is easy. You send the certificate to your partner. He checks the signature of the Certificate Authority. If the signature is valid, he can trust your public key.

(Of course the problem is now how to distribute the public key of the Certificate Authority. Still, this is a comparatively easy problem.) CERN has its own Certificate Authority. You find its website at https://ca.cern.ch.
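The whole chain of ideas from this section can be tried out with openssl alone. The script below is an added example, not part of this page or of the CERN CA: it builds a throw-away Certificate Authority, creates a user key pair and a certificate request (the non-interactive form of the openssl req -new command used further down), lets the CA sign the request, verifies the certificate against the right and against an unrelated CA, and finally signs a document with the private key and verifies it with the public key taken from the certificate. The names "ca", "other-ca" and "Demo User" and the one-day validity are constructed for the demo; everything is written to a temporary directory that is deleted on exit.

```shell
#!/bin/sh
# Added example, not from the original page: a throw-away Certificate Authority
# built with openssl to walk through the ideas above - key pair, certificate
# request, CA signature, verification of the certificate, and signing a document
# with the private key. All names ("ca", "other-ca", "Demo User") are constructed;
# everything is written to a temporary directory and deleted at exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# The CA certificate is marked as a CA, the user certificate explicitly is not.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
EOF

# 1. A Certificate Authority: its own key pair and a self-signed certificate.
#    $1 is the file name prefix, so a second, untrusted CA can be made as well.
make_ca() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/$1.key" -days 1 -config "$WORK/openssl.cnf" \
        -extensions v3_ca -subj "/CN=$1 (constructed)" -out "$WORK/$1.pem" 2>/dev/null
}

# 2. The user: a key pair and a certificate request carrying the public key
#    (the non-interactive form of the "openssl req -new" command used later
#    on this page).
make_user_request() {
    openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/privkey.pem" -config "$WORK/openssl.cnf" \
        -subj "/CN=Demo User (constructed)" -out "$WORK/myrequest.csr" 2>/dev/null
}

# 3. The CA checks the identity (skipped here) and signs the request. The
#    result is the certificate: the user's public key plus the CA's signature.
sign_request() {
    openssl x509 -req -in "$WORK/myrequest.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions v3_user \
        -out "$WORK/certificate.pem" 2>/dev/null
}

# 4. Whoever holds a CA certificate ($1) can check the user's certificate
#    against it. Prints "ok" or "bad".
verify_certificate() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/certificate.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# 5. Authentication/signing: sign text $1 with the private key; the receiver
#    verifies text $2 with the public key taken from the certificate.
#    Prints "valid" or "invalid" (so a tampered $2 is detected).
sign_and_verify() {
    printf '%s' "$1" > "$WORK/sent.txt"
    printf '%s' "$2" > "$WORK/received.txt"
    openssl dgst -sha256 -sign "$WORK/privkey.pem" -out "$WORK/sent.sig" "$WORK/sent.txt"
    openssl x509 -in "$WORK/certificate.pem" -pubkey -noout > "$WORK/pubkey.pem"
    if openssl dgst -sha256 -verify "$WORK/pubkey.pem" -signature "$WORK/sent.sig" \
            "$WORK/received.txt" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

make_ca ca            # the CA we trust
make_ca other-ca      # an unrelated CA, to show what verification rejects
make_user_request
sign_request
echo "certificate checked against our CA:       $(verify_certificate ca)"
echo "certificate checked against another CA:   $(verify_certificate other-ca)"
echo "signed document, delivered untouched:     $(sign_and_verify 'hello grid' 'hello grid')"
echo "signed document, altered in transit:      $(sign_and_verify 'hello grid' 'hello grjd')"
```

Step 4 is the point of the whole construction: the partner never needs your public key in advance, only the CA's certificate, and a certificate issued by anyone else is rejected. Step 5 is what a grid proxy or a browser login does behind the scenes; note that the verifier takes the public key from the certificate, not from a file you sent separately.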

Obtaining a key-pair and certificate from CERN

New Certificate Authority

  1. Request a new user Certificate. (use Firefox, this may not work in other browsers)

other useful things

From your private key you can generate the corresponding public key:

openssl rsa -in privkey.pem -pubout

You can print all the information stored in your certificate:

openssl x509 -text -noout -in certificate.pem

create a pkcs12 file (used by web-browsers)

(tested with Firefox and Opera) To use the certificate for authentication on websites you need to combine the certificate and the private key into a PKCS#12 file:

openssl pkcs12 -export -inkey privkey.pem -in certificate.cer -out combined.p12

You can then import this file into the certificate configuration of your browser (Firefox: Edit > Preferences > Advanced > View Certificates).

export from a pkcs12 file

export the certificate

openssl pkcs12 -clcerts -nokeys -in combined.p12 -out certificate.pem

export the private key

openssl pkcs12 -nocerts -in combined.p12 -out privkey.pem

If you work on an SLC machine, you can also use a special script for this:

cert-convert.sh combined.p12
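The pkcs12 commands above are easy to get wrong silently (a key that does not belong to the certificate imports just fine, and only fails later at login). The script below is an added example, not part of this page: it runs the round trip from the two sections above on a constructed key pair and self-signed certificate, then makes the two checks a practitioner would want afterwards, namely that the exported private key really belongs to the exported certificate (both sides must yield the identical public key) and that the certificate came back unchanged (same SHA-256 fingerprint). The file names, the password "demo-password" and the "Demo User" subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the pkcs12 round trip described
# above (combine key and certificate, then export both again), followed by two
# checks worth making on the result. The key and the self-signed certificate
# are constructed here so that the script runs without any real credential.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='pass:demo-password'   # constructed; only protects the temporary file

# A constructed key pair and self-signed certificate standing in for
# privkey.pem and the .cer file from the CA (minimal config, so the system
# openssl.cnf is not needed).
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/openssl.cnf"
openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/privkey.pem" -days 1 -config "$WORK/openssl.cnf" \
    -subj "/CN=Demo User (constructed)" -out "$WORK/certificate.pem" 2>/dev/null
# A second key pair that does NOT belong to the certificate, for the checks.
openssl genrsa -out "$WORK/wrongkey.pem" 2048 2>/dev/null

# Combine key and certificate into a PKCS#12 file, as done before importing
# into a browser. $1 key, $2 certificate, $3 output file.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "$PASS"
}

# Export certificate and private key again: the page's two commands, with the
# key written unencrypted (-nodes) so it can be compared below. A key you
# keep should stay encrypted.
export_cert() { openssl pkcs12 -in "$1" -clcerts -nokeys -passin "$PASS" -out "$2"; }
export_key()  { openssl pkcs12 -in "$1" -nocerts -nodes  -passin "$PASS" -out "$2"; }

# Check 1: does private key $1 belong to certificate $2? Both can produce the
# public key, and the two must be byte-identical. Prints match | mismatch.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check 2: the SHA-256 fingerprint identifies a certificate; it must be the
# same before and after the round trip.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

make_p12 "$WORK/privkey.pem" "$WORK/certificate.pem" "$WORK/combined.p12"
export_cert "$WORK/combined.p12" "$WORK/exported-cert.pem"
export_key  "$WORK/combined.p12" "$WORK/exported-key.pem"
echo "exported key belongs to exported cert: $(key_matches_cert "$WORK/exported-key.pem" "$WORK/exported-cert.pem")"
echo "unrelated key belongs to the cert:     $(key_matches_cert "$WORK/wrongkey.pem" "$WORK/exported-cert.pem")"
echo "fingerprint before: $(fingerprint "$WORK/certificate.pem")"
echo "fingerprint after:  $(fingerprint "$WORK/exported-cert.pem")"
```

The match check is the one to remember: run key_matches_cert on your own privkey.pem and .cer file whenever a browser or grid login fails with a fresh certificate. One caveat when exporting with a current OpenSSL: version 3.0 switched the default PKCS#12 encryption to AES-256-CBC with PBKDF2, and older browsers or keystores that only understand the previous RC2/3DES algorithms need the file created with the additional -legacy option.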

Outdated

The explanation below is outdated. CERN no longer signs certificate requests for existing keys. You will have to generate a new pair of private key and certificate every year.

Getting Started (generate a first key pair and certificate)

First you need to generate a key pair and prepare a certificate request. For this, log into lxplus and change to your private directory. There you run

openssl req -new -out myrequest.csr # request a new certificate and store it in myrequest.csr

Since you specified no private key, the command above generates a private key first. You are asked for a password to secure your private key with. Choose a good one and do not forget it. After that you can provide additional information about yourself if you want; otherwise just press enter. When done, you have two files in your current directory: privkey.pem contains your private key, myrequest.csr contains the certificate request.

The next step is to get the certificate request signed by the Certificate Authority. Select Request or renew user certificate manually on https://ca.cern.ch. After you have passed the identity check, a form with one large text box is shown to you. Copy and paste the content of myrequest.csr into the form.

After submitting the form you get back a .cer file containing your certificate. I recommend you save this under a name like cert_YYYY-MM-DD.cer.

Preparing for Grid Usage (on lxplus)

To use your certificate for the Grid you need to copy the two files into ~/.globus with the following names:

certificate: usercert.pem
private key: userkey.pem

It is a good idea to create a symbolic link instead of a copy. This helps you to know which certificate you actually use.

You can then test your setup by calling

lhcb-proxy-init
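Before calling lhcb-proxy-init it pays to check the ~/.globus directory for the three things that most often go wrong: a private key that was copied with default permissions (the Globus tools refuse to load a key that group or others can read), a usercert.pem that points at an older certificate than you think, and a certificate that is about to expire. The script below is an added example, not part of this page: it fills a temporary directory standing in for ~/.globus with a constructed key pair and a one-day self-signed certificate saved under a dated name with a symlink, then runs those checks. The directory name, the file name cert_2000-01-01.cer and the "Demo User" subject are constructed; pass a real directory path to the functions to check your own setup.

```shell
#!/bin/sh
# Added example, not from the original page: checks a practitioner would run
# on the ~/.globus layout described above before calling lhcb-proxy-init.
# It works on a throw-away directory standing in for ~/.globus, filled with a
# constructed key pair and a one-day self-signed certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GLOBUS="$WORK/.globus"   # stands in for ~/.globus; the functions take the path as $1
mkdir -p "$GLOBUS"

# Constructed credential, saved under a dated name as the page recommends,
# with usercert.pem as a symbolic link pointing at it.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/openssl.cnf"
openssl genrsa -out "$GLOBUS/userkey.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$GLOBUS/userkey.pem" -days 1 -config "$WORK/openssl.cnf" \
    -subj "/CN=Demo User (constructed)" -out "$GLOBUS/cert_2000-01-01.cer" 2>/dev/null
ln -s cert_2000-01-01.cer "$GLOBUS/usercert.pem"

# Which certificate file is actually in use (the point of using a symlink).
current_certificate() { readlink "$1/usercert.pem" || echo "(not a symlink)"; }

# The private key must be readable by its owner only: the Globus tools refuse
# a key that group or others can read. Looks at the group/other bits of
# "ls -l" output. Prints ok | too-open.
key_permissions() {
    case $(ls -ld "$1/userkey.pem" | cut -c5-10) in
        ------) echo ok ;;
        *)      echo too-open ;;
    esac
}

# Does the certificate stay valid for another $2 seconds? Prints valid | expiring.
cert_validity() {
    if openssl x509 -noout -checkend "$2" -in "$1/usercert.pem" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

chmod 644 "$GLOBUS/userkey.pem"   # simulate a key copied with default permissions
echo "key permissions after a plain copy: $(key_permissions "$GLOBUS")"
chmod 600 "$GLOBUS/userkey.pem"   # what the key should look like
echo "key permissions after chmod 600:    $(key_permissions "$GLOBUS")"
echo "usercert.pem points at:             $(current_certificate "$GLOBUS")"
echo "valid right now:                    $(cert_validity "$GLOBUS" 0)"
echo "still valid in 7 days:              $(cert_validity "$GLOBUS" $((7*24*3600)))"
```

The last line is the useful one for a yearly certificate: run cert_validity with a few weeks' worth of seconds from time to time and you get a warning before lhcb-proxy-init starts failing, with enough time left to go through the request procedure above.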

Obtaining a New Certificate (renewal)

You cannot really renew an old certificate. Instead you need to acquire a new certificate for your existing key pair:

openssl req -new -key privkey.pem # request a new certificate using your private key

The next step is again to copy and paste the certificate request into the form of the Certificate Authority. Again you get a signed certificate back and store it under a helpful name. You will then probably want to update your files in ~/.globus, so copy the .cer into that directory and replace the symlink for usercert.pem.