DigiCert IGTF Host Certificates
This document describes how to get host certificates. For instructions on how to get user certificates, see the User Certificates document.
This document describes how to purchase individual IGTF-accredited host certificates from DigiCert. Before purchasing individual certificates, consider the following alternatives:
- Request a Let's Encrypt certificate if you don't support any VOs that require IGTF-accredited certificates (e.g.
- Request an InCommon certificate if your institution has an InCommon subscription.
Before requesting a new host certificate, use openssl to check whether your host already has a valid certificate, i.e. the present date and time lies between the certificate's notBefore and notAfter dates and times. If so, you may safely skip this document:
```
user@host $ openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=host.opensciencegrid.org
issuer=/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1
notBefore=Jan  4 21:08:09 2010 GMT
notAfter=Jan  4 21:08:09 2011 GMT
```
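The check above can be scripted so that it can also run unattended (for example from cron) and distinguish an expired certificate from a missing or not-yet-valid one. The script below is an added example, not part of the OSG documentation; it assumes OpenSSL and GNU `date` are available (both are on the supported Enterprise Linux hosts), and the 30-day renewal warning threshold is a chosen value, not one the documentation specifies.

```shell
#!/bin/sh
# Added example (not from the OSG documentation): decide whether the host
# certificate at a given path is currently valid, i.e. readable, parseable,
# and the present moment lies between its notBefore and notAfter dates.
# Assumes OpenSSL and GNU date (used for the notBefore comparison).
# Usage: sh check-hostcert.sh [/etc/grid-security/hostcert.pem]

# Exit codes of cert_is_current:
#   0 valid now, 1 expired, 2 not yet valid, 3 unreadable or not a certificate
cert_is_current() {
    cert="$1"
    [ -r "$cert" ] || return 3
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3
    # -checkend 0 exits non-zero once notAfter is in the past
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # openssl has no notBefore counterpart of -checkend, so compare epochs
    not_before=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    start=$(date -d "$not_before" +%s)
    now=$(date +%s)
    [ "$now" -ge "$start" ] || return 2
    return 0
}

# Returns 0 when the certificate will expire within the given number of days,
# 1 otherwise; useful as a renewal reminder.
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable report, mirroring the openssl command in the documentation.
report_hostcert() {
    cert="${1:-/etc/grid-security/hostcert.pem}"
    cert_is_current "$cert"
    rc=$?
    case "$rc" in
        0) echo "$cert is currently valid:"
           openssl x509 -in "$cert" -noout -subject -issuer -dates ;;
        1) echo "$cert has EXPIRED; request a new certificate" ;;
        2) echo "$cert is not yet valid (clock skew or a future notBefore?)" ;;
        *) echo "$cert is missing or not a PEM certificate" ;;
    esac
    # 30 days is an assumed threshold, not one from the documentation
    if [ "$rc" -eq 0 ] && cert_expires_within_days "$cert" 30; then
        echo "warning: $cert expires within 30 days"
    fi
    return "$rc"
}

# Only produce the report when a path is given on the command line
if [ $# -gt 0 ]; then
    report_hostcert "$1"
fi
```

Run it as `sh check-hostcert.sh /etc/grid-security/hostcert.pem`; a zero exit status means the installed certificate is valid now and the rest of this document can be skipped.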
If you do not have a valid certificate, the OSG offers a command-line tool to generate certificate signing requests (CSR) to assist in acquiring a grid host certificate. As with all OSG software installations, there are some one-time (per host) steps to prepare in advance:
- Ensure the host has a supported operating system
- Obtain root access to the host
- Prepare the required Yum repositories
Create a DigiCert Account
Before requesting a certificate, you must create a DigiCert account with permission to request grid certificates:
1. Navigate to the DigiCert sign up page and create an account.
   It is very important to use your institution's main address and other contact information. Departmental addresses will not pass DigiCert's verification process.
2. Submit a support request to allow you to order grid host certificates, referencing support ticket
3. After your request has been approved, verify that the Grid Host SSL option is available to you from your account's order page:
Requesting DigiCert IGTF Host Certificates
Install the OSG PKI tools:

```
root@host # yum install osg-pki-tools
```

Generate a CSR and private key using the osg-cert-request tool:

```
user@host $ osg-cert-request --hostname <HOSTNAME> \
    --country <COUNTRY> \
    --state <STATE> \
    --locality <LOCALITY> \
    --organization <ORGANIZATION>
```
You may also add DNS Subject Alternative Names (SAN) to the request by specifying any number of `--altname <SAN>` options. For example, the following generates a CSR for test.opensciencegrid.org with foo.opensciencegrid.org and bar.opensciencegrid.org as SANs:

```
user@host $ osg-cert-request --hostname test.opensciencegrid.org \
    --country US \
    --state Wisconsin \
    --locality Madison \
    --organization 'University of Wisconsin-Madison' \
    --altname foo.opensciencegrid.org \
    --altname bar.opensciencegrid.org
```
If successful, the CSR will be named `<HOSTNAME>.req` and the private key will be named `<HOSTNAME>-key.pem`. Additional options and descriptions can be found here.
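Because the certificate is paid for per order, it is worth confirming that the CSR carries exactly the hostname and SANs you intended before submitting it. The script below is an added example and is not part of the OSG documentation or of osg-pki-tools; it only assumes OpenSSL is installed and reads the `<HOSTNAME>.req` file produced above.

```shell
#!/bin/sh
# Added example (not from the OSG documentation or osg-pki-tools): inspect a
# CSR before submitting it, confirming its CN, its DNS SANs and that the file
# is intact. Assumes OpenSSL is installed.
# Usage: sh inspect-csr.sh <HOSTNAME>.req [name ...]

# Print the Common Name of the CSR subject (RFC 2253 formatting gives CN=...)
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print one DNS name per line from the requested subjectAltName extension
csr_dns_sans() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Return 0 if the CSR's own signature verifies (file complete and unmodified)
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Return 0 if every name given as an argument appears as the CN or a DNS SAN
csr_covers_names() {
    csr="$1"; shift
    names="$(csr_cn "$csr"; csr_dns_sans "$csr")"
    for want in "$@"; do
        echo "$names" | grep -qx "$want" || return 1
    done
    return 0
}

# When run from the command line: show the names, then check any extra
# arguments against them
if [ $# -gt 0 ]; then
    csr="$1"; shift
    csr_verify "$csr" || { echo "CSR signature does not verify" >&2; exit 1; }
    echo "CN:   $(csr_cn "$csr")"
    echo "SANs: $(csr_dns_sans "$csr" | tr '\n' ' ')"
    if [ $# -gt 0 ]; then
        csr_covers_names "$csr" "$@" && echo "all requested names present"
    fi
fi
```

For the example request above, `sh inspect-csr.sh test.opensciencegrid.org.req test.opensciencegrid.org foo.opensciencegrid.org bar.opensciencegrid.org` should report all three names present.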
Submit an order using DigiCert's grid certificate order page:

- Log in to your DigiCert account
- Attach the CSR that you generated above
- Pay for your certificate and await approval
After the certificate has been issued by DigiCert, download the host certificate only (not the full chain) to its intended host and copy over the key you generated above.
Verify that the issuer is DigiCert Grid Trust CA G2:

```
$ openssl x509 -in <PATH TO CERTIFICATE> -noout -issuer
issuer= /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA G2
```

where `<PATH TO CERTIFICATE>` is the file you downloaded in the previous step.
Install the host certificate and key:

```
root@host # cp <PATH TO CERTIFICATE> /etc/grid-security/hostcert.pem
root@host # chmod 444 /etc/grid-security/hostcert.pem
root@host # cp <PATH TO KEY> /etc/grid-security/hostkey.pem
root@host # chmod 400 /etc/grid-security/hostkey.pem
```

where `<PATH TO KEY>` is the private key file (`<HOSTNAME>-key.pem`) you created in the first step.
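The issuer check and the installation steps above can be combined into a single script that also catches two common mistakes: installing a certificate that does not belong to the key generated by osg-cert-request, and installing the full chain file instead of the host certificate only. The script below is an added example, not part of the OSG documentation; it assumes OpenSSL, PEM-encoded files, and the issuer CN given in the documentation, and the `GRID_SECURITY_DIR` override exists only so the script can be exercised outside `/etc/grid-security`.

```shell
#!/bin/sh
# Added example (not from the OSG documentation): verify a downloaded DigiCert
# host certificate against the key generated by osg-cert-request, then install
# both with the permissions the documentation specifies. Assumes OpenSSL and
# PEM files. EXPECTED_ISSUER_CN defaults to the CN the documentation lists.
# Usage: sh install-hostcert.sh <PATH TO CERTIFICATE> <PATH TO KEY>
EXPECTED_ISSUER_CN="${EXPECTED_ISSUER_CN:-DigiCert Grid Trust CA G2}"
GRID_SECURITY_DIR="${GRID_SECURITY_DIR:-/etc/grid-security}"

# Return 0 if the certificate's issuer CN equals the expected CN
cert_issuer_is() {
    issuer_cn=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$issuer_cn" = "$2" ]
}

# Return 0 if the certificate and the private key carry the same public key
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the file holds exactly one certificate (not the full chain)
cert_is_single() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ]
}

# Run all checks, then copy cert (world-readable) and key (root-only) into place
install_hostcert() {
    cert="$1"; key="$2"; dir="${3:-$GRID_SECURITY_DIR}"
    cert_issuer_is "$cert" "$EXPECTED_ISSUER_CN" \
        || { echo "unexpected issuer, expected CN=$EXPECTED_ISSUER_CN" >&2; return 1; }
    cert_matches_key "$cert" "$key" \
        || { echo "certificate does not match the private key" >&2; return 1; }
    cert_is_single "$cert" \
        || { echo "file contains more than one certificate; download the host certificate only" >&2; return 1; }
    mkdir -p "$dir"
    cp "$cert" "$dir/hostcert.pem" && chmod 444 "$dir/hostcert.pem"
    cp "$key" "$dir/hostkey.pem" && chmod 400 "$dir/hostkey.pem"
}

# Install only when both paths are given on the command line
if [ $# -ge 2 ]; then
    install_hostcert "$1" "$2"
fi
```

Run as root: `sh install-hostcert.sh <PATH TO CERTIFICATE> <PATH TO KEY>`. The script refuses to install anything, and explains why, if the issuer is not the expected CA, the certificate was not issued for this key, or the file contains a chain.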