David Hrbáč authored
Certificates FAQ
FAQ about certificates in general
Q: What are certificates?
IT4Innovations employs X.509 certificates for secure communication (e.g. credentials exchange) and for the grid services related to PRACE, because they give a single method of authentication for all PRACE services: one credential (your certificate and the passphrase protecting its private key) is all that is required.
There are different kinds of certificates, each with a different scope of use. We mention here:
- User (Private) certificates
- Certificate Authority (CA) certificates
- Host certificates
- Service certificates
However, users need only manage User and CA certificates. Note that your user certificate is paired with a private key, and this private key must never be disclosed: anyone who holds it can authenticate as you.
Q: Which X.509 certificates are recognised by IT4Innovations?
Certificates for digital signatures issued by an IGTF-accredited Certificate Authority (see the next question).
Q: How do I get a User Certificate that can be used with IT4Innovations?
To get a certificate, you must make a request to your local, IGTF-approved, Certificate Authority (CA). Usually you must then visit, in person, your nearest Registration Authority (RA) to verify your affiliation and identity (photo identification is required). You will then usually be emailed details on how to retrieve your certificate, although procedures vary between CAs. If you are in Europe, you can locate your trusted CA through the IGTF's European PMA (EUGridPMA).
In some countries certificates can also be retrieved using the TERENA Certificate Service, see the FAQ below for the link.
Q: Does IT4Innovations support short lived certificates (SLCS)?
Yes, provided that the CA which provides this service is also a member of IGTF.
Q: Does IT4Innovations support the TERENA certificate service?
Yes, IT4Innovations supports TERENA eScience personal certificates. For more information, please visit TCS - Trusted Certificate Service, where you can also find out whether your organisation/country can use this service.
Q: What format should my certificate take?
User Certificates come in many formats, the three most common being PKCS12, PEM and JKS.
The PKCS12 (often abbreviated to ’p12’) format stores your user certificate, along with your associated private key, in a single file. This form of your certificate is typically employed by web browsers, mail clients, and grid services like UNICORE, DART, gsissh-term and Globus toolkit (GSI-SSH, GridFTP and GRAM5).
The PEM format (*.pem) stores your user certificate and your associated private key in two separate files (typically usercert.pem and userkey.pem). This form of your certificate can be used by PRACE's gsissh-term and with grid-related services like the Globus toolkit (GSI-SSH, GridFTP and GRAM5).
To convert your Certificate from PEM to p12 formats, and vice versa, IT4Innovations recommends using the openssl tool (see separate FAQ entry).
JKS is the Java KeyStore and may contain both your personal certificate with your private key and a list of your trusted CA certificates. This form of your certificate can be used by grid services like DART and UNICORE6.
To convert your Certificate from p12 to JKS, IT4Innovations recommends using the keytool utility (see separate FAQ entry).
Q: What are CA certificates?
Certification Authority (CA) certificates are used to verify the link between your user certificate and the authority which issued it. They are also used to verify the link between the host certificate of an IT4Innovations server and the CA which issued that certificate. In essence they establish a chain of trust between you and the target server. Thus, for some grid services, users must have a copy of all the CA certificates.
To assist users, SURFsara (a member of PRACE) provides a complete and up-to-date bundle of all the CA certificates that any PRACE user (or IT4Innovations grid services user) will require. Bundles of CA certificates, in p12, PEM or JKS format, are available here.
It is worth noting that gsissh-term and DART automatically update their CA certificates from this SURFsara website. In other cases, if you receive a warning that a server's certificate cannot be validated (not trusted), please update your CA certificates via the SURFsara website. If this fails, please contact the IT4Innovations helpdesk.
Lastly, if you need the CA certificates for a personal Globus 5 installation, then you can install the CA certificates from a MyProxy server with the following command.
myproxy-get-trustroots -s myproxy-prace.lrz.de
If you run this command as 'root', it will install the certificates into /etc/grid-security/certificates. If you run it as a non-root user, the certificates will be installed into $HOME/.globus/certificates. For Globus, you can also download the globuscerts.tar.gz package available here.
Q: What is a DN and how do I find mine?
DN stands for Distinguished Name and is part of your user certificate. IT4Innovations needs to know your DN to enable your account to use the grid services. You may use openssl (see below) to determine your DN or, if your browser contains your user certificate, you can extract your DN from your browser.
For Internet Explorer users, the DN is referred to as the "subject" of your certificate: Tools > Internet Options > Content > Certificates > View > Details > Subject.
For users running Firefox under Windows, the DN is referred to as the "subject" of your certificate: Tools > Options > Advanced > Encryption > View Certificates. Highlight your name and then click View > Details > Subject.
Q: How do I use the openssl tool?
The following examples are for Unix/Linux operating systems only.
To convert from PEM to p12, enter the following command (openssl will ask you for an export password, which protects the resulting file):
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out username.p12
To convert from p12 to PEM, type the following four commands (openssl will ask for the p12 password and then for a passphrase to encrypt userkey.pem; the chmod steps make the key readable by your account only):
openssl pkcs12 -in username.p12 -out usercert.pem -clcerts -nokeys
openssl pkcs12 -in username.p12 -out userkey.pem -nocerts
chmod 444 usercert.pem
chmod 400 userkey.pem
To check your Distinguished Name (DN), enter the following command:
openssl x509 -in usercert.pem -noout -subject -nameopt RFC2253
To check your certificate (e.g., DN, validity, issuer, public key algorithm, etc.), enter the following command:
openssl x509 -in usercert.pem -text -noout
If openssl is not pre-installed, it can be downloaded from the OpenSSL project website. On Apple Mac OS X computers openssl is already pre-installed and can be used immediately.
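The PEM/p12 conversions, the file-permission steps, the RFC 2253 DN check and the CA chain of trust described above, as an added shell example that is not part of the IT4Innovations FAQ. It generates a throwaway CA and user certificate locally so it runs offline (a constructed stand-in for a certificate issued by an IGTF CA); the work directory, the subject names and the export passphrase are assumptions, and the key is written unencrypted (-nodes) so the script needs no terminal, relying on the 400 permission instead.

```shell
#!/bin/sh
# Added example, not IT4Innovations' own documentation.
# Round-trips a user certificate PEM -> PKCS12 -> PEM with openssl, checks
# the resulting file modes, prints the DN in RFC 2253 form and verifies the
# certificate against its CA (the chain of trust the FAQ describes).
# Assumptions: openssl 1.1 or newer on PATH; all names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="example-passphrase"   # constructed placeholder, never a real one

# Constructed stand-in for an IGTF CA: a self-signed CA certificate.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/DC=org/DC=example/CN=Example Test CA" 2>/dev/null
}

# Constructed stand-in for the user certificate that CA would issue.
make_test_user_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/userkey.pem" -out "$WORK/user.csr" \
        -subj "/DC=org/DC=example/CN=Jane Doe" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 \
        -out "$WORK/usercert.pem" 2>/dev/null
}

# PEM -> PKCS12, as in the FAQ; the export password comes from a variable
# instead of an interactive prompt.
pem_to_p12() {
    openssl pkcs12 -export -in "$WORK/usercert.pem" -inkey "$WORK/userkey.pem" \
        -out "$WORK/username.p12" -passout "pass:$P12_PASS"
}

# PKCS12 -> PEM: certificate and key in separate files, then the FAQ's
# chmod steps so that only the owner can read the private key.
p12_to_pem() {
    openssl pkcs12 -in "$WORK/username.p12" -out "$WORK/usercert2.pem" \
        -clcerts -nokeys -passin "pass:$P12_PASS"
    openssl pkcs12 -in "$WORK/username.p12" -out "$WORK/userkey2.pem" \
        -nocerts -nodes -passin "pass:$P12_PASS"
    chmod 444 "$WORK/usercert2.pem"
    chmod 400 "$WORK/userkey2.pem"
}

# Octal mode of a file (GNU stat on Linux, BSD stat on macOS).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The DN in the form IT4Innovations asks for: RFC 2253, most specific RDN first.
user_dn() {
    openssl x509 -in "$WORK/usercert2.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# The certificate must survive the round trip byte-for-byte (same fingerprint).
certs_match() {
    a=$(openssl x509 -in "$WORK/usercert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/usercert2.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Chain of trust: the user certificate must verify against the CA certificate,
# exactly what a grid service does with the CA bundle it holds.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/usercert2.pem" >/dev/null
}

make_test_ca
make_test_user_cert
pem_to_p12
p12_to_pem
echo "DN:        $(user_dn)"
echo "key mode:  $(file_mode "$WORK/userkey2.pem")"
echo "cert mode: $(file_mode "$WORK/usercert2.pem")"
certs_match && echo "round trip: certificate unchanged"
verify_chain && echo "chain:      OK"
```

With a real certificate you would skip the two make_test_* functions and point the variables at the files your CA gave you; the DN printed by user_dn is the string to report to IT4Innovations, and verify_chain fails with "unable to get local issuer certificate" when the CA bundle is missing or out of date, which is the situation the SURFsara bundle fixes.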
Q: How do I create and then manage a keystore?
IT4Innovations recommends the Java-based keytool utility to create and manage keystores, which are stores of keys and certificates. For example, to convert your PKCS12-formatted key pair into a Java keystore you can use the following command (keytool will ask for the p12 password and for a password to protect the new keystore):
keytool -importkeystore -srckeystore $my_p12_cert -destkeystore $my_keystore -srcstoretype pkcs12 -deststoretype jks -alias $my_nickname -destalias $my_nickname
where $my_p12_cert is the name of your p12 (PKCS12) certificate file, $my_keystore is the name you give to your new Java keystore, and $my_nickname is the alias under which the key pair is stored in the p12 file and will also be stored in the new keystore.
You can also import CA certificates into your Java keystore with the same tool, e.g.: