UZH

Physik-Institut

LHCb Wiki Pages

User Tools

Site Tools

Trace: optimisation
cern:certificates

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
cern:certificates [2011/10/03 11:47] – tmp nchiapcern:certificates [2014/07/22 21:10] (current) – [New Certificate Authority] nchiap
Line 1: Line 1:
 ====== Managing Certificates ====== ====== Managing Certificates ======
-(still to be improved)+(not everything has been tested)
 =====A Basic Introduction to Public-Key-Cryptography===== =====A Basic Introduction to Public-Key-Cryptography=====
-All this business with certificates uses public-key cryptography. The basic idea is, that everyone has a key-pair consisting of **a private and a public key**. As the name suggests the private key is kept private, the public one is made public. Messages encrypted with one of the keys can only be decrypted with the other. We will now look at the three most common ways to use this fact.+All this business with certificates uses public-key cryptography. The basic idea is, that everyone has a key-pair consisting of **a private and a public key**. As the name suggests the private key is kept private, the public one is made public. Messages encrypted with one of the keys can only be decrypted with the other. We will now look at the most common ways to use this fact.
  
 ==== Private Messages ==== ==== Private Messages ====
Line 17: Line 17:
  
 ==== Certificates ==== ==== Certificates ====
-A possible solution for this are certificates. A is a document that contains your public key and other information about you. It has to be signed by a Certificate Authority (CA). With it's signature the Certificate Authority confirms that they checked your identity and the information in the certificate is valid.+A possible solution for this are certificates. A certificate is a document that contains your public key (and maybe other information about you). It has to be signed by a Certificate Authority (CA). With it's signature the Certificate Authority confirms that they checked your identity and that the information in the certificate is valid.
  
-Obviously the certificate is useless without the private key belonging to it or once the private key got compromised. So make sure to protect your private key properly, nobody else should be able to get the file with it.+Obviously the certificate is useless without the private key belonging to it or once the private key got compromised. So make sure to protect your private key properly, nobody else should be able to get the file with it and you should not loose it.
  
 ===== =====
Line 26: Line 26:
  
 (Of course now the problem is how to distribute the public key of the Certificate Authority. Still this is a comparatively easy problem.) (Of course now the problem is how to distribute the public key of the Certificate Authority. Still this is a comparatively easy problem.)
 +CERN has its own Certificate Authority. You find its website under [[https://ca.cern.ch]].
  
  
-=====Doing the work===== +===== Obtaining a key-pair and certificate from CERN =====
-CERN has its own Certificate Authority. You find its website under [[https://ca.cern.ch]].+
  
-==== getting started ==== 
-First you will need to generate a key pair and prepare a certificate request. 
-For this you log into lxplus and change to the private directory. There you run  
-  openssl req -new -out myrequest.csr -sha1  # ceate a new key-pair and prepare a certificate request 
-The command above generates two files. **privkey.pem** will contain your private key,  
-**myreqeust.csr** contains the certificate request. 
  
-The next step is to +==== New Certificate Authority ==== 
 +  - Request a [[https://gridca.cern.ch/gridca/user/Request.aspx | new user Certificate.]] (use Firefox, this may not work other browsers) 
 +  - Follow [[https://gridca.cern.ch/gridca/Help/?kbid=024010 | How to use your certificate with grid-proxy-init.]]
  
  
  
 +=====other useful things =====
  
-from your private key you can generate the corresponding public key: +====print public key==== 
-  openssl rsa -in privatkey.pem -pubout +from your private key you can generate the corresponding public key 
-(you use the RSA backend with your privat-key as input and output the public key) +  openssl rsa -in privkey.pem -pubout
-The public key is what other people can use to send you encrypted messages - +
-or decrypt things you encrypted with your private key.+
  
-====obtaining a new certificate (renewal)==== +====print certificate details==== 
-you can as well prepare a certificate request: +you can print all the information stored in your certificate 
-  openssl req -new -key privatkey.pem # request a new certificate that confirms your private key+  openssl x509 -text -noout -in certificate.pem
  
-certificate contains info about you and is signed with the   +==== create a pkcs12 file (used by web-browsers) ==== 
-private key of you and the Certificat Authority.+(tested with Firefox and Opera)  
 +To use the certificate for authentication on websites you need to combine the certificate and the private-key into a pkcs12 file 
 +  openssl pkcs12 -export -inkey privkey.pem -in certificate.cer -out combined.p12 
 +You can then import this file into the certificate configuration of your browser  
 +(Firefox: edit > preferences > advanced > view certificates)
  
-So the next step is to upload the certificat request to the Authority +==== export from a pkcs12 file==== 
-from where you get signed certificat.+export the certificate 
 +  openssl pkcs12 -clcerts -nokeys -in combined.p12 -out certificat.pem 
 +export the private key 
 +  openssl pkcs12 -nocerts -in combined.p12 -out privkey.pem 
 +   
 +if you work on SLC machine, you can also use a special script for this: 
 +  cert-convert.sh combined.p12 
 +===== Useful Links===== 
 +  * [[http://www.madboa.com/geek/openssl/]] 
 +  * [[http://ca.cern.ch/]] 
 +  * [[https://twiki.cern.ch/twiki/bin/view/LHCb/FAQ/Certificate]] 
 +  * [[https://lcg-voms.cern.ch:8443/vo/lhcb/vomrs]] 
 +====== Outdated ====== 
 +The explanation below is outdated.  
 +CERN does not sign certificate requests for existing keys any longer. 
 +You will have to generate a new pair with a private-key and certificate every year.
  
-====using the certificate==== +=====Getting Started (generate a first key pair and certificate===== 
-===for web-browsing=== +First you will need to generate key pair and prepare a certificate request. 
-to use the certificate in browser (firefox or opera) you need to combine the  +For this you log into lxplus and change to the **private** directory. There you run  
-certificate and the private-key into pkcs12 file: +  openssl req -new -out myrequest.csr # request a new certificate and  store it in myrequest.csr 
-  openssl pkcs12 -export -inkey privatkey.pem -in certificat.cer -out combined.p12+Since you specified no private key the command above generates a private key first.  
 +You get asked for password to secure your private key with.  
 +Choose a good one and do not forget it. 
 +After that you can provide additional information about yourself if you want.  
 +You can just press enter if you want. 
 +When done you have two files in your current directory**privkey.pem** will contain your private key,  
 +**myreqeust.csr** contains the certificate request.
  
-from the pkcs12 file you get can export your keys: +The next step is to get the certificate request signed by the Certificate Authority. 
-  openssl pkcs12 -nokeys -in combined.p12 -out certificat.pem +Select [[https://ca.cern.ch/ca/Certificates/reqtxts.aspx|Request or renew user certificate manually]] on [[https://ca.cert.ch]]
-  openssl pkcs12 -nocerts -in combined.p12 -out privatekey.pem+After you passed the identity check a from with one large text box will be shown to you. 
 +Copy and paste the content of myrequest.csr into the form.
  
-===for the grid=== +After submitting the form you get back a **.cer** file containing your certificate.  
-for gird-usage put files in ~/.globus: +I recommend you safe this under something like ''cert_YYYY-MM-DD.cer''.
-  usercert.pem  (certificat) +
-  userkey.pem   (privat key)+
  
 +=====Preparing for Grid Usage (on lxplus)=====
 +To use your certificate for the grid you need to copy the two files in ~/.globus with the following names:
 +  certificat: usercert.pem
 +  privat key: userkey.pem 
 +It is a good idea to create a symbolic link instead of a copy. 
 +This helps you to know which certificate you actually use. 
 +
 +You can then test your setup by calling
 +  lhcb-proxy-init
 +
 +=====Obtaining  a New Certificate (renewal)=====
 +You can not really renew an old certificate. 
 +Instead you need to acquire a new certificate for your existing key-pair.
 +  openssl req -new -key privkey.pem # request a new certificate using your private key
 +
 +The next step is now again to [[https://ca.cern.ch/ca/Certificates/reqtxts.aspx|copy and paste the certificat request]] into the form of the Authority.
 +Again you get a signed certificate back and store it with a helpful name.
 +Probably you will then want to update your files in ~/.globus, so copy the **.cer** into that directory and replace the symlink for ''usercert.pem''.
  
-===== Useful Links===== 
-[[http://www.madboa.com/geek/openssl/]] 
  
cern/certificates.1317635270.txt.gz · Last modified: 2011/10/03 11:47 by nchiap

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki