Certificates
to identify hosts or services will only be issued to holders of
valid DOE Grids Person Certificates. You will find information about
obtaining a Person Certificate here.
The DOE Grids certificate service requires Service Certificate
requests to be entered in PKCS#10 format. This is easily done
with the openssl command, as shown
in the example below:
openssl req -new -nodes -keyout hostkey.pem -out hostreq.pem \
    -subj '/DC=org/DC=doegrids/OU=Services/CN=host\/testhost.mydomain.xy'
The command shown above will create private-key and certificate
request files. Note that the slash '/' before the FQDN is escaped
using a back-slash. You must substitute the FQDN of the host or
service for which you require the certificate, and you MUST ensure
that the private-key file remains secure and is only readable
by you or other authorized administrators of the service.
Service certificates for use with globus-based grid software
such as LCG must contain the machine name in the format ".../CN=host\/testhost.mydomain.xy"
as shown above. Other services such as Web servers do NOT require
the "host/" prefix to the FQDN, e.g. ".../CN=myweb.mydomain.xy".
You can verify the output request using a command of the form:
openssl req -text -in hostreq.pem
The PKCS#10 format request can be cut and pasted from the request
file by including all the text between and INCLUDING the BEGIN
and END request markers as shown below.
-----BEGIN CERTIFICATE REQUEST-----
.......
-----END CERTIFICATE REQUEST-----
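The steps above combined into one script, as an added example that is not part of the original DOE Grids page: it creates the request with an owner-only private key, confirms the self-signature and the "host/" CN, and prints only the block to paste. The function names are assumptions made for illustration; the file names and subject are the page's.

```shell
#!/bin/sh
# Added example: wraps the page's openssl commands with the checks the text asks for.
REQ_BEGIN='-----BEGIN CERTIFICATE REQUEST-----'
REQ_END='-----END CERTIFICATE REQUEST-----'

# make_request FQDN DIR: write DIR/hostkey.pem and DIR/hostreq.pem.
make_request() {
    (
        umask 077   # key file is created readable by its owner only
        openssl req -new -nodes -keyout "$2/hostkey.pem" -out "$2/hostreq.pem" \
            -subj "/DC=org/DC=doegrids/OU=Services/CN=host\/$1" 2>/dev/null
    )
}

# key_is_private FILE: succeed only if group and other have no access bits.
key_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_request FILE FQDN: self-signature verifies and the CN is host/FQDN.
check_request() {
    case $(openssl req -noout -verify -in "$1" 2>&1) in
        *"verify OK"*) ;;
        *) return 1 ;;
    esac
    case $(openssl req -noout -subject -in "$1" 2>/dev/null) in
        *"host/$2") return 0 ;;
        *)          return 1 ;;
    esac
}

# extract_pkcs10 FILE: print only the block to paste, markers included.
extract_pkcs10() {
    sed -n "/^$REQ_BEGIN/,/^$REQ_END/p" "$1"
}
```

Typical use: `make_request testhost.mydomain.xy . && key_is_private hostkey.pem && check_request hostreq.pem testhost.mydomain.xy && extract_pkcs10 hostreq.pem`.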