Instructions on generating certificate requests

Instructions

Generating User Certificate Requests

In order to obtain AEGIS certificate, you need to have a valid user account in one ot the User Interface nodes (UI) of AEGIS to generate a certificate request.

You can use any ssh client to log to a User Interface with your username. In case you a re using Windows, you can use any SSH compatible terminal emulator.

Once your login is successfull, you need to issue the following command:

>grid-cert-request

You may use "grid-cert-request -int" option if you want to override the defaults configured for your UI.

Important note: In order to be able to execute this command /opt/globus/bin/ must be in your PATH.

Three files will be generated in .globus directory after this command is executed, theese files are:

userkey.pem : contains the private key associated with the certificate: it must be kept readable only by the user requesting the certificate. Should this file be lost or deleted, you will have to request a new certificate.
usercert-request.pem : contains the request for the user certificate.
usercert.pem : should be replaced by the actual certificate when you will receive it signed by SEE-GRID CA.

Note: Backup these files on a safe location. When generating a re-key request, move these files to another directory to keep them from being overwritten.

Correct format of Certificate Request

The characters allowed for use in certificate request fields (except address) are ‘a’-‘z’, ‘A’-‘Z’, ‘0’-‘9’, ‘ ‘, ‘(‘, ‘)’, ‘+’, ‘,’, ‘-‘, ‘.’, ‘:’, that is, upper and lower case English letters, digits, space, parentheses, plus, comma, minus/hyphen, dot (period), and colon.

Organization Unit (OU) "Level 1 Organization" in grid-cert-request:

The institution name given in the request should be uniquely identifiable official institution name in English, qualified with city or university name, if needed. The resulting institution name should be clearly distinguishable within Serbia. For the members of the University of Belgrade, please use the names from this table , for example “UOB School of Electrical Engineering”.

Common Name (CN), "Name" in grid-cert-request:

For certificates issued to users, users first and last name should be used. You can search our repository (here) to find out if CommonName you wish to use already exists.
For certificates issued to networked entities, typically the (primary) FQDN of the server should be specified.

Note: We recommend that you read gLite 3 Users guide, section 4: Grid security and getting started.

Submiting generated certificate request for the first time

You need to upload or send the certificate request file (usercert-request.pem) via e-mail or web interface to the CA or RA manager using this link http://aegis-ca.rcub.bg.ac.rs/reqest.html. You will then receive an reply e-mail containing further instructions (also explained here). A random, 10 digit number will be generated, and first 5 numbers will be included in this e-mail, which will be used later to verify your e-mail address.

Before your certificate request is processed, you will need to make an appointment for personal appearance in AEGIS CA office to verify your identity. For user certificates, you will need a valid photo ID document or passport, and a valid document or showing your relation to the AEGIS affiliated academic, research, or education organisation or institution with a Grid site supporting AEGIS VO, or direct approval by organisation representative. For host certificates, you will also have to prove that you are the person responsible for the particular host.

When you make a personal appearance, you will be given the second 5 digits, written on paper. You will then send the complete 10 digit number back to AEGIS CA from e-mail you specified during registration. All certificates will be sent to you in this e-mail.

Note: You do not need to make a personal appearance if your identity has already been verified.

Submitting re-key request

You need to upload or send the certificate request file (usercert-request.pem) via e-mail or web interface to the CA or RA manager using this link http://aegis-ca.rcub.bg.ac.rs/reqest.html.

Re-key requests signed with valid certificate from CA acredited bu EUGridPMA will be signed without identity verification, since the user identity has already been authenticated.
The certificate and request used should be for the same person, e-mail and organization.
CA/RA must verify that the person requesting a re-key is stil related to the institution stated in the request.

Importing your certificate into browser / mail client

You must import your new certificate into your web browser and mail client. Find detailed instructions for Internet Explorer / Outlook Express here, or for Firefox / Thunderbird here.

Certificate acceptance

In order to formally complete ertificate issuance procedure, you need to send a digitally signed e-mail (signed with your new certificate) to aegis-ca@aegis-ca.rcub.bg.ac.rs and CC to your RA. For host certificates, the administrator responsible for the host needs to sens an e-mail, signed with his certificate, stating that he accepts the host certificates. You can cut the sample text below and replace the text under "" with your details.

Note: The certificate file name is the Hex value of the certificate serial number.

For user certificates:

----------------------------Cut here---------------------------------
To whom it may concern,

With this email I state that

1. I, "your name", accept my x509v3 digital certificate with
DN: /C=RS/O=AEGIS/OU="your institute"/CN="your name"
Serial Number: "your certificate serial number"
signed by /C=RS/O=AEGIS/CN=AEGIS-CA

2. I adhere the AEGIS CA policy and usage rules found at:
http://aegis-ca.rcub.bg.ac.rs/documents/AEGIS-CP-CPS.pdf
(O.I.D. 1.3.6.1.4.1.11067.10.1.1.2)

----------------------------Cut here---------------------------------

For host certificates:

----------------------------Cut here---------------------------------
To whom it may concern,

With this email I state that

1. I am the person responsible for the network entity "host/FQDN", and I accept the x509v3 digital certificate with
DN: /C=RS/O=AEGIS/OU="your institute"/CN="host/FQDN"
Serial Number: "certificate serial number"
signed by /C=RS/O=AEGIS/CN=AEGIS-CA

2. I adhere the AEGIS CA policy and usage rules found at:
http://aegis-ca.rcub.bg.ac.rs/documents/AEGIS-CP-CPS.pdf
(O.I.D. 1.3.6.1.4.1.11067.10.1.1.2)

----------------------------Cut here---------------------------------

Registering on VOMS server

You must now register on VOMS server in order to join a VO. Find the instructions here.

AEGIS CA contact details:

Dušan Radovanović

University of Belgrade Computer Centre
Kumanovska bb
Belgrade 126119

Tel: +381 11 3031257, +381 11 3031258
Fax: +381 11 3031259
e-Mail: aegis-ca@aegis-ca.rcub.bg.ac.rs