cern:certificates

Differences

This shows you the differences between two versions of the page.

cern:certificates [2011/10/03 14:02] – [Getting Started] fixed typo nchiap
cern:certificates [2014/07/22 21:10] (current) – [New Certificate Authority] nchiap
Line 2: Line 2:
 (not everything has been tested) (not everything has been tested)
 =====A Basic Introduction to Public-Key-Cryptography===== =====A Basic Introduction to Public-Key-Cryptography=====
-All this business with certificates uses public-key cryptography. The basic idea is, that everyone has a key-pair consisting of **a private and a public key**. As the name suggests the private key is kept private, the public one is made public. Messages encrypted with one of the keys can only be decrypted with the other. We will now look at the three most common ways to use this fact.+All this business with certificates uses public-key cryptography. The basic idea is, that everyone has a key-pair consisting of **a private and a public key**. As the name suggests the private key is kept private, the public one is made public. Messages encrypted with one of the keys can only be decrypted with the other. We will now look at the most common ways to use this fact.
  
 ==== Private Messages ==== ==== Private Messages ====
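Review bot: the sentence kept as context in this hunk, "Messages encrypted with one of the keys can only be decrypted with the other", is an RSA-only picture and is the shortcut that makes signing look like encryption with the private key; a signature is a distinct operation with its own padding, and DSA or ECDSA keys cannot encrypt at all. Since the Certificates section below rests on the CA's signature, suggest stating the two uses separately: data encrypted to the public key can be decrypted only with the private key, and a signature produced with the private key can be verified by anyone who holds the public key. Dropping "three" from "three most common ways" is fine as long as the subsections that follow still cover every use the introduction promises.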
Line 17: Line 17:
  
 ==== Certificates ==== ==== Certificates ====
-A possible solution for this are certificates. A is a document that contains your public key and other information about you. It has to be signed by a Certificate Authority (CA). With it's signature the Certificate Authority confirms that they checked your identity and the information in the certificate is valid.+A possible solution for this are certificates. A certificate is a document that contains your public key (and maybe other information about you). It has to be signed by a Certificate Authority (CA). With it's signature the Certificate Authority confirms that they checked your identity and that the information in the certificate is valid.
  
-Obviously the certificate is useless without the private key belonging to it or once the private key got compromised. So make sure to protect your private key properly, nobody else should be able to get the file with it.+Obviously the certificate is useless without the private key belonging to it or once the private key got compromised. So make sure to protect your private key properly, nobody else should be able to get the file with it and you should not loose it.
  
 ===== =====
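Review bot: two spelling errors survive on the new side of this hunk: "With it's signature" should be "With its signature", and "you should not loose it" should be "you should not lose it". The advice "nobody else should be able to get the file with it" would be more useful with the concrete measure: keep the key file readable by its owner only (chmod 600 or 400) and protected by a passphrase, which is also what the later `openssl pkcs12 -nocerts` export produces by default. The sentence about a compromised key could add the step that follows from it: tell the CA so the certificate can be revoked, then generate a new key pair instead of re-certifying the old one.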
Line 28: Line 28:
 CERN has its own Certificate Authority. You find its website under [[https://ca.cern.ch]]. CERN has its own Certificate Authority. You find its website under [[https://ca.cern.ch]].
  
 +
 +===== Obtaining a key-pair and certificate from CERN =====
 +
 +
 +==== New Certificate Authority ====
 +  - Request a [[https://gridca.cern.ch/gridca/user/Request.aspx | new user Certificate.]] (use Firefox, this may not work other browsers)
 +  - Follow [[https://gridca.cern.ch/gridca/Help/?kbid=024010 | How to use your certificate with grid-proxy-init.]]
 +
 +
 +
 +=====other useful things =====
 +
 +====print public key====
 +from your private key you can generate the corresponding public key
 +  openssl rsa -in privkey.pem -pubout
 +
 +====print certificate details====
 +you can print all the information stored in your certificate
 +  openssl x509 -text -noout -in certificate.pem
 +
 +==== create a pkcs12 file (used by web-browsers) ====
 +(tested with Firefox and Opera) 
 +To use the certificate for authentication on websites you need to combine the certificate and the private-key into a pkcs12 file
 +  openssl pkcs12 -export -inkey privkey.pem -in certificate.cer -out combined.p12
 +You can then import this file into the certificate configuration of your browser 
 +(Firefox: edit > preferences > advanced > view certificates)
 +
 +==== export from a pkcs12 file====
 +export the certificate
 +  openssl pkcs12 -clcerts -nokeys -in combined.p12 -out certificat.pem
 +export the private key
 +  openssl pkcs12 -nocerts -in combined.p12 -out privkey.pem
 +  
 +if you work on a SLC machine, you can also use a special script for this:
 +  cert-convert.sh combined.p12
 +===== Useful Links=====
 +  * [[http://www.madboa.com/geek/openssl/]]
 +  * [[http://ca.cern.ch/]]
 +  * [[https://twiki.cern.ch/twiki/bin/view/LHCb/FAQ/Certificate]]
 +  * [[https://lcg-voms.cern.ch:8443/vo/lhcb/vomrs]]
 +====== Outdated ======
 +The explanation below is outdated. 
 +CERN does not sign certificate requests for existing keys any longer.
 +You will have to generate a new pair with a private-key and certificate every year.
  
 =====Getting Started (generate a first key pair and certificate) ===== =====Getting Started (generate a first key pair and certificate) =====
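Review bot: the pkcs12 export added in this hunk, `openssl pkcs12 -export -inkey privkey.pem -in certificate.cer -out combined.p12`, reads the certificate as PEM by default, so if the `.cer` downloaded from the CA is DER-encoded it must first be converted with `openssl x509 -inform DER -in certificate.cer -out certificate.pem`; the resulting `.p12` contains the private key, so the export password should be a real one and the file should not be left readable by other users. In the reverse direction, `openssl pkcs12 -nocerts -in combined.p12 -out privkey.pem` writes the key encrypted under a PEM pass phrase, which is the right default; the section should warn against adding `-nodes`, and since the grid-proxy-init link sends readers to `~/.globus`, it should state that `userkey.pem` needs mode 400 or 600 because the Globus tools refuse a key readable by others. Smaller points: "certificat.pem" should be "certificate.pem", "this may not work other browsers" is missing "with", and the Useful Links entry `http://ca.cern.ch/` should be `https://ca.cern.ch/` as in the CERN CA paragraph above, so a network attacker cannot rewrite the page that tells users where to fetch their certificates.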
Line 66: Line 110:
 The next step is now again to [[https://ca.cern.ch/ca/Certificates/reqtxts.aspx|copy and paste the certificat request]] into the form of the Authority. The next step is now again to [[https://ca.cern.ch/ca/Certificates/reqtxts.aspx|copy and paste the certificat request]] into the form of the Authority.
 Again you get a signed certificate back and store it with a helpful name. Again you get a signed certificate back and store it with a helpful name.
-Probably you will then want to update your files in ~/.globus.+Probably you will then want to update your files in ~/.globus, so copy the **.cer** into that directory and replace the symlink for ''usercert.pem''.
  
-=====other useful things ===== 
- 
-====print public key==== 
-from your private key you can generate the corresponding public key 
-  openssl rsa -in privkey.pem -pubout 
- 
-====print certificate details==== 
-you can print all the information stored in your certificate 
-  openssl x509 -text -noout -in certificate.pem 
- 
-==== create a pkcs12 file (used by web-browsers) ==== 
-(tested with Firefox and Opera)  
-To use the certificate for authentication on websites you need to combine the certificate and the private-key into a pkcs12 file 
-  openssl pkcs12 -export -inkey privkey.pem -in certificate.cer -out combined.p12 
-You can then import this file into the certificate configuration of your browser  
-(Firefox: edit > preferences > advanced > view certificates) 
- 
-==== export from a pkcs12 file==== 
-export the certificate 
-  openssl pkcs12 -nokeys -in combined.p12 -out certificat.pem 
-export the private key 
-  openssl pkcs12 -nocerts -in combined.p12 -out privkey.pem 
- 
- 
-===== Useful Links===== 
-  * [[http://www.madboa.com/geek/openssl/]] 
-  * [[http://ca.cern.ch/]] 
  
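Review bot: the new instruction "copy the **.cer** into that directory and replace the symlink for usercert.pem" covers only half of the update: the Outdated block above this hunk says CERN no longer signs requests for existing keys, so every renewal brings a new private key and `~/.globus/userkey.pem` must be replaced together with `usercert.pem` (and kept at mode 400 or 600). As with the pkcs12 step, the `.cer` must be PEM before it serves as usercert.pem; if it is DER, convert it with `openssl x509 -inform DER`. In the context line, "certificat request" should read "certificate request". The removed block is the copy of "other useful things" that was moved up the page, with one substantive change on the way: the certificate export gained `-clcerts`, so CA certificates bundled in the .p12 no longer end up in the exported file; that improvement deserves a mention in the edit summary rather than being hidden in a move.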
cern/certificates.1317643321.txt.gz · Last modified: 2011/10/03 14:02 by nchiap