Introduction

The Grid-Ireland Certification Authority provides X.509 certificates for identification and authentication purposes. Its scope is limited to Irish institutions of higher education that are involved in Grid projects. Certificates are needed to authenticate people and machines on the Grid. They should not be used for long-term encryption or signing, or as authorisation credentials.

Grid-Ireland is a member of the European Policy Management Authority for Grid Authentication in e-Science (EU Grid PMA) and the Grid-Ireland Certification Authority has been accredited to meet or exceed the Minimum Requirements set out by this group.

The certificates

Grid-Ireland uses a public key infrastructure (PKI). There are three classes of entities in Grid-Ireland: the Grid-Ireland CA, numerous hosts, and even more numerous users. Each entity has its own private key and public certificate. The CA certificate is self-signed; the others are signed by the CA. You can find useful information in the PKI help.

Where is the CA certificate installed?

Grid-Ireland provides grid services based on LCG, which in turn is based on the Globus toolkit. On each node in the Grid, CA certificates are installed in /etc/grid-security/certificates.

This directory contains, amongst other files:

The signing policy for Grid-Ireland contains the following lines:

access_id_CA X509 '/C=IE/O=Grid-Ireland/CN=Grid-Ireland Certification Authority'   
pos_rights globus CA:sign   
cond_subjects globus '"/C=IE/O=Grid-Ireland/*"'
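
The following Python check is an added example, not Grid-Ireland's or Globus's own code. It shows how the three policy lines above restrict the CA to subjects in its own namespace. It assumes that `*` matches any run of characters and that only the three directives shown appear; the sample subject DNs are constructed.

```python
import re
import shlex

# The three lines quoted above from the Grid-Ireland signing policy.
POLICY = """\
access_id_CA X509 '/C=IE/O=Grid-Ireland/CN=Grid-Ireland Certification Authority'
pos_rights globus CA:sign
cond_subjects globus '"/C=IE/O=Grid-Ireland/*"'
"""
CA_DN = "/C=IE/O=Grid-Ireland/CN=Grid-Ireland Certification Authority"

def parse_signing_policy(text):
    """Return {ca_dn: [subject patterns]} for CAs that are granted CA:sign."""
    policy, ca, may_sign = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # removes the outer single quotes
        if fields[0] == "access_id_CA" and len(fields) == 3:
            ca, may_sign = fields[2], False
            policy[ca] = []
        elif fields[0] == "pos_rights" and len(fields) == 3 and ca:
            may_sign = fields[1:] == ["globus", "CA:sign"]
        elif fields[0] == "cond_subjects" and len(fields) == 3 and ca and may_sign:
            # The value is itself a list of double-quoted subject patterns.
            policy[ca].extend(shlex.split(fields[2]))
    return policy

def subject_allowed(policy, issuer_dn, subject_dn):
    """True if issuer_dn may sign subject_dn; unknown issuers are refused."""
    for pattern in policy.get(issuer_dn, []):
        # Assumption: '*' is the only wildcard; everything else is literal.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, subject_dn):
            return True
    return False

if __name__ == "__main__":
    policy = parse_signing_policy(POLICY)
    # Constructed sample subjects, not real certificates.
    for dn in ("/C=IE/O=Grid-Ireland/OU=example.ie/CN=host/node01.example.ie",
               "/C=IE/O=Grid-Ireland-Lookalike/CN=Mallory",
               "/C=XX/O=Elsewhere/CN=Some User"):
        print(subject_allowed(policy, CA_DN, dn), dn)
```

A certificate chaining to this CA but carrying a subject outside /C=IE/O=Grid-Ireland/ is refused, which is what keeps one accredited CA from issuing names in another CA's namespace.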

To be able to authenticate certificates from other EU Grid PMA accredited CAs, it is necessary to install the CA root certificates and associated files from the EU Grid PMA repository.

Where are the host certificates installed?

The host key and certificate files are conventionally located in the /etc/grid-security directory:

/etc/grid-security/hostcert.pem
/etc/grid-security/hostkey.pem

Typically, these files are links to the current key and certificate files, e.g.:

/etc/grid-security-local/2004-12/hostcert.pem
/etc/grid-security-local/2004-12/hostkey.pem

Host certificates are obtained by submitting the certificate request file to the Grid-Ireland CA. In the same browser that you used to request your user certificate, go to the CA Public Server. Select Request Server or Service Certificate, then fill in the forms. When the CA has issued the certificate, go to the CA Public Server, select Get Requested Certificate, and enter the serial number identified by the CA. Choose to download the server/service certificate to a PEM file. Once you have downloaded the certificate file <certfile>, place it in the local security base and secure it:

cp <certfile> /etc/grid-security/hostcert.pem
chmod 444 /etc/grid-security/hostcert.pem

Where are the user certificates installed?

Users are currently defined as people either directly employed by or definitively identified by Irish institutions of higher education that are involved in Grid projects. The user key and certificate files are located in the user's filespace at:

$HOME/.globus/userkey.pem   
$HOME/.globus/usercert.pem

For detailed instructions on requesting and installing a user certificate see Getting a Grid-Ireland User Certificate.

Revocation

Sometimes user or host certificates need to be invalidated before the natural end of their life. This is called revocation. Sites that accept certificates signed by the Grid-Ireland CA should check its certificate revocation list (CRL) regularly. On each Grid-Ireland host, the file is located in the global security base:

/etc/grid-security/certificates/

It is also publicly accessible at 1e43b9cc.r0. Authentication will fail once the revocation list has expired; a new one then needs to be downloaded and installed. The lifetime of the revocation list is one month. The revocation list is updated regularly.

Status of issued certificates

Detailed status information about certificates issued by the Grid-Ireland Certificate Authority can be found on the CA Public Server. If you have any problems please email grid-ireland-ca@cs.tcd.ie.

Policy statement

Grid-Ireland's X.509 CA Certificate Policy and Certification Practise Statement is structured according to RFC2527. As part of its involvement in EGEE, Grid-Ireland has created a CA Acceptance Matrix that shows the levels of acceptance of policies and practices between CAs, and their assessment of associated issues.

Last modified Mon 28 January 2008