r10 - 30 May 2013 - 12:31:55 - JohnHoverYou are here: TWiki >  Admins Web > DigiCerts

DigiCerts

DOEGrids CA retirement is March 23, 2013

The DOEGrids CA will cease issuing certificates on March 23, 2013. After this date, it will not be possible to request a personal, host or service certificate from DOEGrids. All currently issued certificates will remain valid until their expiration date.

The Open Science Grid has a transition plan in place at OSG CA Transition. OSG operates a public key infrastructure (PKI) as part of its identity management services with CA services from DigiCert.

A full set of OSG PKI documentation can be found at https://www.opensciencegrid.org/bin/view/Security/PKIDocumentationIndex

The FAQs are at https://www.opensciencegrid.org/bin/view/Security/OSGPKIFrequentlyAskedQuestions

The OIM page now has a "Certificate" tab where one can request a personal certificate as well as host and service certificates. It is also possible to register as a "Grid Admin" for host and service certificates making it much easier to request and approve host/service certificates.

The following are the steps need to switch from DOEGrids to DigiCert (via OSG PKI)

Request a Personal Certificate

You request a personal certificate via OIM at https://oim.grid.iu.edu/oim/certificate.

Click on the "Request new" under "User Certificates". You need to choose the VO "Atlas". At some point the request will be granted. Unfortunately this may take several weeks. Eventually you will receive an email giving instructions how to retrieve your personal certificate.

The key points are that you can only retrieve your new certificate from the same web browser from which the request was made. Should the browser information become lost, the passwords is forgotten, etc, you will be forced to ask for a "renewal" which can again take several weeks.

Once you have the PK12 file saved to disk, you can then import the certificate into your browser, mailer and move over to the linux system were it can be converted into PEM files. However, be warned. At this point this certificate is NOT authorized to access any Atlas resources.

Request to become a GridAdmin (GA) for your site

If you are a GA for your sites domains, you can very quickly create host and service certificates.

Documentation can be found at https://twiki.grid.iu.edu/bin/view/Operations/OSGPKITrustedAgent

To request that your DN be enabled as a GA, visit the OIM site at https://oim.grid.iu.edu/oim/gridadmin

Note: When you ask to become a GA, you may need to also send a note to John Hover, presumably the ATLAS RA, so that he will approve the request.  This happened to my request, but the GOC ticket that was tracking the request never informed me that the request needed to be approved by anyone in ATLAS (Patrick McGuigan, Feb. 2013)

Once you have installed the command line client package https://twiki.grid.iu.edu/bin/view/Operations/OSGPKICommandlineClients you can then request host certficates via the command

osg-gridadmin-cert-request --hostname=<myhostname>

This will create a host certificate in less than 30 seconds

Add the new certificate to your ATLAS VOMS registration.

  1. Check to see what your new DN is from Digicert.
  2. Visit the page https://lcg-voms.cern.ch:8443/vo/atlas/vomrs being sure to select your current, valid DOEGrids certificate to connect.
  3. Go to Members | Certificates | "Add certificate".
  4. Enter your new DN string in the correct form, e.g. /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=John Hover 241
  5. And select the correct CA from the drop-down list: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1

Add the new certificate to your site GUMS administrator group

  1. Go to your GUMS web interface.
  2. Go to "Manual User Group Members"
  3. Click "Add" at bottom.
  4. Select "admins" user group from dropdown (or whatever you have named your GUMS administrators group).
  5. Copy in our DN, e.g /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=John Hover 241. You can leave FQAN and email blank.
  6. Click "Save" at bottom.
  7. Check to be sure you see "User has been saved" message.

Add the new certificate to Panda DDM (DaTRI? )

Other items tied to DNs

  • FTS Channel permissions
  • LFC dump requests and cleanup

More Information

For additional detail and instructions, please see The RACF page on OSG certificates.

About This Site

Please note that this site is a content mirror of the BNL US ATLAS TWiki. To edit the content of this page, click the Edit this page button at the top of the page and log in with your US ATLAS computing account name and password.


Attachments

 
Powered by TWiki
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback