# DigiCert IGTF Host Certificates

Note: This document describes how to get host certificates. For instructions on how to get user certificates, see the User Certificates document.

This document describes how to purchase individual IGTF-accredited host certificates from DigiCert. Before purchasing individual certificates, consider the following alternatives:

- Request a Let's Encrypt certificate if you don't support any VOs that require IGTF-accredited certificates (e.g. ATLAS or CMS).
- Request an InCommon certificate if your institution has an InCommon subscription.
## Before Starting

Before requesting a new host certificate, use `openssl` to check whether your host already has a valid certificate, i.e. the current date and time fall between the `notBefore` and `notAfter` values. If so, you may safely skip this document:

```console
user@host $ openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=host.opensciencegrid.org
issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1
notBefore=Jan 4 21:08:09 2010 GMT
notAfter=Jan 4 21:08:09 2011 GMT
```

If you do not have a valid certificate, the OSG offers a command-line tool that generates certificate signing requests (CSRs) to assist in acquiring a grid host certificate. As with all OSG software installations, there are some one-time (per host) steps to prepare in advance:

- Ensure the host has a supported operating system
- Obtain root access to the host
- Prepare the required Yum repositories
## Create a DigiCert Account

Before requesting a certificate, you must create a DigiCert account with permission to request grid certificates:

1. Navigate to the DigiCert sign up page and create an account.

    Attention: It is very important to use your institution's main address and other contact information. Departmental addresses will not pass DigiCert's verification process.

2. Submit a support request to allow you to order grid host certificates, referencing support ticket #01336672.

3. After your request has been approved, verify that the "Grid Host SSL" option is available to you from your account's order page.
## Requesting DigiCert IGTF Host Certificates

1. Install the `osg-pki-tools`:

    ```console
    root@host # yum install osg-pki-tools
    ```

2. Generate a CSR and private key using the `osg-cert-request` tool:

    ```console
    user@host $ osg-cert-request --hostname <HOSTNAME> \
                                 --country <COUNTRY> \
                                 --state <STATE> \
                                 --locality <LOCALITY> \
                                 --organization <ORGANIZATION>
    ```

    You may also add DNS Subject Alternative Names (SANs) to the request by specifying any number of `--altname <SAN>` options. For example, the following generates a CSR for `test.opensciencegrid.org` with `foo.opensciencegrid.org` and `bar.opensciencegrid.org` as SANs:

    ```console
    user@host $ osg-cert-request --hostname test.opensciencegrid.org \
                                 --country US \
                                 --state Wisconsin \
                                 --locality Madison \
                                 --organization 'University of Wisconsin-Madison' \
                                 --altname foo.opensciencegrid.org \
                                 --altname bar.opensciencegrid.org
    ```

    If successful, the CSR will be named `<HOSTNAME>.req` and the private key will be named `<HOSTNAME>-key.pem`. Additional options and descriptions can be found here.

3. Submit an order using DigiCert's grid certificate order page:

    1. Login to your DigiCert account
    2. Attach the CSR that you generated above
    3. Pay for your certificate and await approval

4. After the certificate has been issued by DigiCert, download the host certificate only (not the full chain) to its intended host and copy over the key you generated above.

5. Verify that the issuer `CN` field is `DigiCert Grid Trust CA G2`:

    ```console
    $ openssl x509 -in <PATH TO CERTIFICATE> -noout -issuer
    issuer= /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA G2
    ```

    Where `<PATH TO CERTIFICATE>` is the file you downloaded in the previous step.

6. Install the host certificate and key:

    ```console
    root@host # cp <PATH TO CERTIFICATE> /etc/grid-security/hostcert.pem
    root@host # chmod 444 /etc/grid-security/hostcert.pem
    root@host # cp <PATH TO KEY> /etc/grid-security/hostkey.pem
    root@host # chmod 400 /etc/grid-security/hostkey.pem
    ```

    Where `<PATH TO KEY>` is the private key file you generated with `osg-cert-request` above.
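The three checks this page asks for by hand (the validity-window check from Before Starting, the issuer `CN` verification, and the `chmod 400` on the key) can be scripted. The following is an added example, not part of the OSG documentation or of `osg-pki-tools`: it parses the output of `openssl x509 -issuer -dates -noout` (a constructed sample in the output style shown above is embedded so it runs offline), and only the `check_host_cert` helper actually invokes the `openssl` CLI on the page's `/etc/grid-security/hostcert.pem` path.

```python
import re
import stat
import subprocess
from datetime import datetime, timezone

# Issuer CN this page tells you to expect on a DigiCert IGTF host certificate
EXPECTED_ISSUER_CN = "DigiCert Grid Trust CA G2"

# Constructed sample in the (legacy) openssl output style shown on this page
SAMPLE_OUTPUT = """\
issuer= /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA G2
notBefore=Jan  4 21:08:09 2010 GMT
notAfter=Jan  4 21:08:09 2011 GMT
"""

def parse_openssl_time(value):
    """Parse e.g. 'Jan  4 21:08:09 2010 GMT' (day may be space padded) as UTC."""
    naive = datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_x509_output(text):
    """Return (issuer_cn, not_before, not_after) from `openssl x509 -issuer -dates` text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    # Handles both "/CN=..." (legacy) and "CN = ..." (newer openssl) issuer formats
    match = re.search(r"CN\s*=\s*([^/,\n]+)", fields.get("issuer", ""))
    issuer_cn = match.group(1).strip() if match else None
    return (issuer_cn, parse_openssl_time(fields["notBefore"]),
            parse_openssl_time(fields["notAfter"]))

def evaluate(text, now, expected_cn=EXPECTED_ISSUER_CN):
    """Is the certificate valid at `now`, and was it issued by the expected IGTF CA?"""
    issuer_cn, not_before, not_after = parse_x509_output(text)
    return {"valid_now": not_before <= now <= not_after,
            "issuer_ok": issuer_cn == expected_cn,
            "issuer_cn": issuer_cn, "not_after": not_after}

def key_mode_ok(mode):
    """hostkey.pem must be owner-read-only, i.e. mode 0400 as in the install step."""
    return stat.S_IMODE(mode) == 0o400

def check_host_cert(cert_path="/etc/grid-security/hostcert.pem", now=None):
    """Run the openssl CLI on a real certificate file and evaluate it."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-issuer", "-dates", "-noout"],
                         capture_output=True, text=True, check=True).stdout
    return evaluate(out, now if now is not None else datetime.now(timezone.utc))

if __name__ == "__main__":
    print(evaluate(SAMPLE_OUTPUT, datetime.now(timezone.utc)))
```

Pass the host key's `os.stat(...).st_mode` to `key_mode_ok` to confirm the `chmod 400` step took effect.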