Acquiring a Service Certificate (for Developers)

  • 1. Be sure you have a DOEgrids-issued User certificate and that User certificate is loaded into your browser. See here if you need help with this.

  • 3. Log into gridui01.usatlas.bnl.gov. Run doegrids-cert-request, providing the -host <full-hostname> and -service <servicename> arguments. This will generate a <service>cert_request.pem file. Note that this process also generates a <servicename>key.pem file. Keep this (i.e. copy it, usually renamed to hostkey.pem), as you will need it later on your service host. Keep this file non-world-readable, as it is the private key.

  • 4. Copy the -----BEGIN CERTIFICATE REQUEST----- section of the file into the browser window at https://pki1.doegrids.org/ under the 'Grid or SSL Server' section under the 'Enrollment' tab.

  • 5. Fill out the rest of the information. The only difference between this and a host cert request is that, in addition to specifying the hostname, the service name should be prepended, e.g. CN=service1/host.at.bnl.gov. Note that it remains up to the programmer to verify the service name and hostname within their application (in addition to checking that it is a valid cert).

  • 6. Retrieve the issued certificate after receiving e-mail notification from doegrids.org. Follow the link in the notification. The section you want is 'Base 64 encoded certificate'. Cut and paste this section, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, into a file hostcert.pem.

  • 7. Place the hostcert.pem and hostkey.pem within your application. Be sure that permissions are set so that the hostkey.pem file is only readable by your service account.
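A pre-deployment check covering the points in steps 5 and 7, added here as an example (it is not part of the original page and not DOEgrids tooling). It assumes the subject is read with `openssl x509 -noout -subject -nameopt RFC2253` (comma-separated, CN first) and that the service account's uid is known; the subject strings and placeholder key in the demo are constructed.

```python
import os
import stat
import tempfile


def parse_subject(subject: str) -> dict:
    """Split a comma-separated DN ('CN=a,OU=b,DC=c') into attribute -> values.
    Escaped commas inside values are not handled."""
    if subject.startswith("subject="):          # strip the openssl prefix
        subject = subject[len("subject="):]
    attrs = {}
    for rdn in subject.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def cn_matches_service(subject: str, service: str, hostname: str) -> bool:
    """Step 5: a service cert CN must be exactly '<service>/<hostname>'.
    A plain host cert, another service/host, or several CNs are rejected."""
    cns = parse_subject(subject).get("CN", [])
    if len(cns) != 1:
        return False
    parts = cns[0].split("/")
    if len(parts) != 2:                          # no service prefix (host cert)
        return False
    return parts[0] == service and parts[1].lower() == hostname.lower()


def key_file_is_private(path: str, owner_uid=None) -> bool:
    """Steps 3 and 7: hostkey.pem must be a regular file unreadable by group
    and others, optionally owned by the service account (owner_uid)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False
    return owner_uid is None or st.st_uid == owner_uid


def check_mode_demo(mode: int) -> bool:
    """Write a constructed placeholder key to a temp file with `mode`, check it."""
    fd, path = tempfile.mkstemp(prefix="hostkey-demo-")
    try:
        os.write(fd, b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n")
        os.close(fd)
        os.chmod(path, mode)
        return key_file_is_private(path, os.getuid())
    finally:
        os.unlink(path)
```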

