[THEGrid] Certificates: Updating your DOEGrids X.509 user
certificate by replacing it
Alan Sill
Alan.Sill at ttu.edu
Thu Jan 4 09:18:13 CST 2007
If your DOEGrids X.509 certificate is about to expire (or maybe even
if it has already expired, I haven't checked this part), you can
renew it as follows:
1) Open a browser into which you have previously loaded your existing
certificate. Firefox or a Mozilla-based browser would be preferred;
if you haven't loaded your existing certificate yet, look in the
preferences under "Advanced" for a button or tab like "manage
certificates" and load it. (Let me know if you need help with this;
if you use the same browser instance that you had used originally to
get the existing certificate, it should already be there.)
2) Navigate to the location
https://pki1.doegrids.org/CertBasedSingleEnroll.html
This page is set up to let you get a new certificate based on your
old one with minimal hassle by transferring the information over from
your old one.
3) Select the 1024-bit (medium strength) key length and click on the
Submit button at the bottom of the page.
This should allow you to load your new certificate into the browser.
You can then export it using the Preferences features mentioned above
to a file on your disk in PKCS12 format (a file with a .p12
extension) and manage it as described in the page
http://www.doegrids.org/pages/cert-request.html
A short description of how to do this on OS X-based (Mac) systems is
attached below. Most of the openssl steps will work fine on Linux
systems also. For Windows, if that's what you are using, see the
link above.
Note this replacement step is much less hassle in terms of approval
than requesting a new certificate from scratch, so it is worth going
through the above. I'd like to hear from someone who tries it with
an expired certificate to see if it will work that way also.
For TIGRE people, we don't have systems like this yet for the new
TACC accredited CA service as far as I know, but Marg has posted
information on requesting and using certificates on the TIGRE portal
web site:
http://tigreportal.hipcat.net
specifically,
http://tigreportal.hipcat.net/gridsphere/gridsphere?cid=authenticating
Look for updates to this procedure as the systems evolve...
Alan
Alan Sill, Ph.D
TIGRE Senior Scientist
High Performance Computing Center
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill at ttu.edu ph. 806-742-4350 fax 806-742-4358 :
====================================================================
Commands to get and import DOEGrids certificates in Mac OS X: (most
openssl commands will work in Linux also, although the location of
the X.509 anchor files is different)
To get the DOEGrids and ESNet root certs into your keychain as
recognized issuers, first back up your X509Anchors file:
sudo cp /System/Library/Keychains/X509Anchors /System/Library/Keychains/X509Anchors.orig
Next, download the DOEGrids and ESNet base certs, for example by:
curl -fLO http://www.es.net/CA/d1b603c3/d1b603c3.0
curl -fLO http://www.doegrids.org/CA/1c3f2ca8/1c3f2ca8.0
Next insert these into your X509Anchors:
On Mac OS X 10.3.x (Panther) ONLY:
sudo certtool -i ~/Desktop/d1b603c3.0 -v -k=/System/Library/Keychains/X509Anchors
sudo certtool -i ~/Desktop/1c3f2ca8.0 -v -k=/System/Library/Keychains/X509Anchors
On Mac OS X 10.4.x (Tiger):
sudo security import d1b603c3.0 -k /System/Library/Keychains/X509Anchors
sudo security import 1c3f2ca8.0 -k /System/Library/Keychains/X509Anchors
This takes care of having the base certs recognized. Now, for your
personal cert:
The easiest way to handle personal certificates, both getting them
and exporting them is to use Firefox or a Mozilla-like browser. So
far the DOEGrids folks do not want to learn how to work with the
Keychain. It is possible, however; see below.
To import your personal cert into the keychain, you need a PKCS#12
file, preferably named as something ending with .p12 for clarity.
Most of the time if you got a DOEGrids cert you have followed the
instructions on the page http://www.doegrids.org/pages/cert-request.html
and so the certificate will be loaded into the browser
that you used (probably Firefox or Mozilla, as the DOEGrids request
stuff doesn't work well with Safari). You can then just use the
options under "Preferences" in the "Advanced" tab to view, manage and
export the certificates, e.g. export the one you want in PKCS#12
( file extension .p12) format.
Once you have your personal cert in .p12 format, just double-click it
to import it into the Keychain.
You can also use the following commands to extract the user cert and
user key from the .p12 file into the areas expected by globus on
either Mac OS X or Linux. Here the name of the file is MyCert.p12;
replace this by the actual name of the file you exported. These
files can be moved between systems, but please pay close attention to
the protections.
Certificate:
openssl pkcs12 -in MyCert.p12 -clcerts -nokeys -out ~/.globus/usercert.pem
Private key :
openssl pkcs12 -in MyCert.p12 -nocerts -out ~/.globus/userkey.pem
The usercert.pem file in your .globus area should be world-readable
but writeable only by you (protections -rw-r--r-- or 644). The
userkey.pem file MUST always be kept only readable and writeable by
you ONLY (protections -rw------- or 600). Check this and if
necessary set them to the right values on any system to which you
move them:
chmod 644 ~/.globus/usercert.pem
chmod 600 ~/.globus/userkey.pem
Alternatively, in the reverse direction, if you don't have a .p12
file but already do have a valid usercert.pem and userkey.pem set of
files, for example, you can turn them back into a .p12 file as follows:
openssl pkcs12 -export -inkey ~/.globus/userkey.pem -in ~/.globus/usercert.pem -out MyCert.p12 -name "MyCert"
Create a passphrase for it for use in importing to browsers. Then,
to get it into your keychain, open Keychain Access and use the Import
option, or simply double-click on the .p12 file you just created.
Give the import passphrase you just assigned, and all should be
well. Upon next launch of Mail, Safari, etc., the above certs should
be usable and recognized.
--- More on importing to and exporting from the Keychain ---
As mentioned above, you can import any of your personal certs into
the Keychain app in OS X just by double-clicking on the .p12 file.
You can also export your key from the Keychain if you need it for
another application (for example, to use as the userkey.pem in
applications like grids, as above). To get private keys out of
Keychain Access in Tiger (doesn't work in Panther), open Keychain
Access, navigate to the entry containing your private key, and either
use the Export option or simply option-click and drag it to the desktop.
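As an added example (this is not part of Alan's post and not a DOEGrids
or Globus tool), the following POSIX shell functions check the ~/.globus
files the post describes: that usercert.pem is 644 and userkey.pem is 600,
that the certificate is still good for a given number of days (so you know
when to go through the replacement procedure above), and that the
certificate and key extracted from the .p12 actually belong together. The
directory name and the function names are the example's own assumptions;
the openssl subcommands are standard ones. The expiry and key-pair checks
need openssl on the PATH, and an encrypted userkey.pem will prompt for its
passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# ~/.globus credential files. All function names are this example's own.

# globus_check_perms DIR
# Returns 0 when DIR/usercert.pem is -rw-r--r-- (644) and DIR/userkey.pem
# is -rw------- (600), 1 otherwise. The mode string from `ls -ld` is the
# same on Mac OS X and Linux, so no stat(1) flag differences to worry about.
globus_check_perms() {
    dir=$1
    cert_mode=$(ls -ld "$dir/usercert.pem" 2>/dev/null | cut -c1-10)
    key_mode=$(ls -ld "$dir/userkey.pem" 2>/dev/null | cut -c1-10)
    [ "$cert_mode" = "-rw-r--r--" ] && [ "$key_mode" = "-rw-------" ]
}

# globus_fix_perms DIR
# Applies exactly the chmod values given in the post.
globus_fix_perms() {
    chmod 644 "$1/usercert.pem" && chmod 600 "$1/userkey.pem"
}

# globus_check_expiry CERT DAYS
# Returns 0 if CERT is still valid DAYS days from now, 1 if it expires
# sooner or has already expired (-checkend takes seconds).
globus_check_expiry() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# globus_check_keypair CERT KEY
# Returns 0 if the RSA modulus in KEY matches the one in CERT, i.e. the
# two files extracted from the .p12 really belong together.
globus_check_keypair() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# globus_check_all DIR DAYS
# Runs every check, prints one line per result, returns 1 if any failed.
globus_check_all() {
    rc=0
    if globus_check_perms "$1"; then
        echo "perms:   ok"
    else
        echo "perms:   WRONG (chmod 644 usercert.pem; chmod 600 userkey.pem)"; rc=1
    fi
    if globus_check_expiry "$1/usercert.pem" "$2"; then
        echo "expiry:  ok for at least $2 more days"
    else
        echo "expiry:  renew now"; rc=1
    fi
    if globus_check_keypair "$1/usercert.pem" "$1/userkey.pem"; then
        echo "keypair: cert and key match"
    else
        echo "keypair: MISMATCH"; rc=1
    fi
    return $rc
}

# Usage (uncomment to run against your own credentials):
# globus_check_all "$HOME/.globus" 30
```

Run the last line after moving credentials to a new machine, or put it in
a login script with a 30-day horizon so the expiry warning appears well
before the certificate stops working.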