Summer School Certificates Diego Romano & Gilda Team


Page 1: Summer School Certificates Diego Romano & Gilda Team

Summer School Certificates

Diego Romano & Gilda Team

Page 2: Summer School Certificates Diego Romano & Gilda Team

Review of the basics

• The Grid uses public-key (asymmetric) encryption for authentication of users, resources and services.

• According to the basics of public-key cryptography, each resource on the Grid has a key pair: a public key and a private key.

• The public key is made public, while the private key must be kept secret.

Page 3: Summer School Certificates Diego Romano & Gilda Team

• Encryption and authorization are performed using the public key, while decryption and digital signing are performed with the private key.

• It is important to note that generating a key pair does not automatically give you access to Grid resources.

• A trusted authority of the Grid, called the Certificate Authority (CA), needs to sign your key pair, thereby confirming your identity.

This signing procedure of the CA is often referred to as “issuing a certificate”.

Page 4: Summer School Certificates Diego Romano & Gilda Team

Files

• The userkey.pem file (or resourcekey.pem) contains the private key encrypted with your password (called the pass phrase).

• The certificate file (usercert.pem) contains your public key together with additional important information such as the subject name of the holder of the certificate, the name of the signing CA, and the digital signature of the CA.

• The important role of the CA is to establish a trusted connection between the identity of the user and the public key in the certificate file.

Page 5: Summer School Certificates Diego Romano & Gilda Team

Files (2)

• The digital signature of the CA in the user's certificate file officially declares that the public key in the file belongs to the specific user (subject name).

Page 6: Summer School Certificates Diego Romano & Gilda Team

Request

• In order to obtain a valid passport to the Grid, you need to create a key pair and submit your public key to the CA for a signature (this process is called a certificate request).

• The CA will follow its certificate policy and, upon successful evaluation of your request, your public key will be signed and sent back to you.

Page 7: Summer School Certificates Diego Romano & Gilda Team

Your certificate

• Has already been provided and installed by us in the .globus directory

• It is from the GILDA testbed, but we configured the other practicals to use it as well

• Please check that yours is correctly installed

Page 8: Summer School Certificates Diego Romano & Gilda Team

• How to obtain a certificate:

The user wants to get a certificate

The user meets the RA (Registration Authority) that will verify the user’s identity

The RA will provide the user with a key to be used in the registration form

These steps are not needed to get a certificate from the GILDA CA

Page 9: Summer School Certificates Diego Romano & Gilda Team
Page 10: Summer School Certificates Diego Romano & Gilda Team

https://gilda.ct.infn.it/

Page 11: Summer School Certificates Diego Romano & Gilda Team
Page 12: Summer School Certificates Diego Romano & Gilda Team
Page 13: Summer School Certificates Diego Romano & Gilda Team

Dear User,

you can download your GILDA Personal Certificate going, *with the same browser you used to submit the request*, to the URL:

https://gilda.ct.infn.it/cgi-bin/gucert.pl?0A44

Your certificate is valid for $CERTIFICATE_DAYS_VALUE days. After that you can go to:

https://voms.ct.infn.it:8443/voms/gilda/webui/request/user/create

and register to the GILDA VOMS (usually, registration takes a working day).

Then, you can go to the GILDA Grid Demonstrator at the URL: https://grid-demo.ct.infn.it

or, if you are participating in a tutorial or an induction course, to the GILDA Grid Tutor at the URL:

https://grid-tutor.ct.infn.it (for LCG) or https://glite-tutor.ct.infn.it (for gLite)

Remember that:

1) whenever you are prompted for the Operating System, use the username and the password you have chosen when you requested the GILDA Personal Certificate as username and as password;

2) whenever you are prompted for the GRID username and password and the passphrase of your GILDA Personal Certificate as password.

Best Regards

The GILDA CA Manager

GILDA Certification Authority
Tel: +39 095 378 5469
Fax: +39 095 378 5231
Via S. Sofia, 64
I-95123 Catania ITALY
http://gilda.ct.infn.it/CA/

Just click the link to get the certificate.

From: GILDA-CA <[email protected]>

To: <email address given in the request form>

Subject: GILDA Personal Certificate for <username>

• You will get an e-mail at the e-mail address given in the previous web form

Page 14: Summer School Certificates Diego Romano & Gilda Team

• You will be informed that a new certificate is available in your browser certificate list.

• Very important: you HAVE TO use the very same browser in all the previous steps

• It is now suggested that you export the certificate and store it in a safe place.

• The certificate export procedure and the file extension are browser dependent (*.p12 for Mozilla/Netscape/Firefox and *.pfx for Internet Explorer).

• Exported certificates need to be converted to PEM format (*.pem). This is the certificate format used by the gLite security services.
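
The conversion described above, as an added example that is not part of the original slides: an exported *.p12 bundle is split into usercert.pem and userkey.pem, and the two are checked against each other. The function names `p12_to_pem` and `cert_matches_key`, the variables `P12_PASS` and `KEY_PASS`, and the file modes are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): split a browser-exported PKCS#12
# bundle into usercert.pem and userkey.pem, then check that they match.
# P12_PASS = import password of the bundle, KEY_PASS = pass phrase for
# userkey.pem (hypothetical variable names). openssl reads both from the
# environment, so they are not visible as openssl arguments.

# p12_to_pem BUNDLE OUTDIR
p12_to_pem() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    # Certificate only: the user's own certificate, no key, no CA chain.
    openssl pkcs12 -in "$bundle" -clcerts -nokeys \
        -passin env:P12_PASS -out "$outdir/usercert.pem" || return 1
    # Private key only, re-encrypted under KEY_PASS; the umask keeps the
    # file private from the moment it is created.
    ( umask 077
      openssl pkcs12 -in "$bundle" -nocerts -passin env:P12_PASS \
          -passout env:KEY_PASS -out "$outdir/userkey.pem" ) || return 1
    chmod 644 "$outdir/usercert.pem" && chmod 400 "$outdir/userkey.pem"
}

# cert_matches_key DIR: succeeds only if the public key inside usercert.pem
# is the one derived from the private key in userkey.pem.
cert_matches_key() {
    c=$(openssl x509 -in "$1/usercert.pem" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$1/userkey.pem" -passin env:KEY_PASS -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage (after exporting P12_PASS and KEY_PASS):
#   sh p12_to_pem.sh mycert.p12 ~/.globus
if [ "$#" -eq 2 ]; then
    p12_to_pem "$1" "$2" && cert_matches_key "$2" &&
        openssl x509 -in "$2/usercert.pem" -noout -subject -issuer -enddate
fi
```

Bundles exported by older browsers may use legacy algorithms that OpenSSL 3 reads only with the extra `-legacy` option of `openssl pkcs12`.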

Page 15: Summer School Certificates Diego Romano & Gilda Team

Dear User,

you can download your GILDA Personal Certificate going, *with the same browser you used to submit the request*, to the URL:

https://gilda.ct.infn.it/cgi-bin/gucert.pl?0A44

Your certificate is valid for 365 days. After that you can go to:

https://voms.ct.infn.it:8443/voms/gilda/webui/request/user/create

and register to the GILDA VO (usually, registration takes a working day).

Then, you can go to the GILDA Grid Demonstrator at the URL:

https://grid-demo.ct.infn.it

or, if you are participating in a tutorial or an induction course, to the GILDA Grid Tutor at the URL:

https://grid-tutor.ct.infn.it or https://grid-tutor1.ct.infn.it

Remember that:

1) whenever you are prompted for the Operating System, use the username and the password you have chosen when you requested the GILDA Personal Certificate as username and as password;

2) whenever you are prompted for the GRID username and password and the passphrase of your GILDA Personal Certificate as password.

Best Regards

The GILDA CA Manager…

• In the same e-mail we showed before, you can see one more link:

Just follow the link to be registered to the GILDA VO

Page 16: Summer School Certificates Diego Romano & Gilda Team

This page will only be accessible if you have successfully imported the received certificate

Page 17: Summer School Certificates Diego Romano & Gilda Team

Confirm your VO registration request by following the above link

Page 18: Summer School Certificates Diego Romano & Gilda Team

Finally, you will get a confirmation e-mail

Now you are a member of the GILDA VO!!!