For Germany, the members of the EUGridPMA are the
DFN (German Research Network) and the
Karlsruhe Research Center (FZK).
These organisations each operate a so-called
Certification Authority (CA), which is commissioned
to issue certificates adhering to the EUGridPMA specifications.
For an electronic certificate to be bound to one person
or resource, the owner, or the party responsible for
the resource, must appear in person at one of these CAs with
an appropriate document to verify their identity.
To simplify this process for users, so-called
Registration Authorities (RA) were established. Their
function is to perform this operation on behalf of the CA.
LRZ is authorized to operate a
DFN-PKI related RA,
responsible for LRZ itself and for the three universities in Munich.
openssl and in its command prompt write version and then quit.
You should open a terminal and type in the following command:
openssl req -config <lrz|lmu|tum|ubw>_openssl.cnf -new -nodes -keyout hostkey.pem > hostcert_request.pem
If you already have a password-less private key, you can reuse
it with the following command:
openssl req -config <lrz|lmu|tum|ubw>_openssl.cnf -new -key <PrivateKey>.pem > hostcert_request.pem
After the command is executed, you will be asked to answer a few questions:
Country Name (2 letter code) [DE]: [Return] (Uses the default setting)
Organization Name (eg, company) [GridGermany]: [Return]
Organizational Unit Name (eg, section) [<name of the institution>]: [Return]
Common Name []: <name of the resource (fully qualified hostname)>
hostname -f.)
Email Address []: <e-mail address of the person responsible for the resource>
This process generates two files. The file
hostkey.pem contains the private key, and the file
hostcert_request.pem contains the certificate request that is to be
signed by a certificate authority.

After filling in the form, press the button "Weiter". The next page shows the information you entered so that you can verify it. If you would like to correct something, click on the button "Ändern"; otherwise click on "Bestätigen" to continue.
On the following page, click on the button "Zertifikatantrag anzeigen" to get a PDF file containing the certificate request, which you should present to the CA. Send an e-mail to grid-ra@lrz.de to arrange an appointment, and bring a valid identification document with you.
A short while after the meeting you will receive an e-mail from
grid-ra@lrz.de containing the
certificate in text form within the message, along with some information about it.
Save the certificate in a file named
hostcert.pem in the same directory as the file hostkey.pem.
openssl x509 -in cert.pem -text
Confirm the receipt of the certificate by an e-mail reply after you have
verified the DFN-CA checksum (SHA1 fingerprint) using
openssl x509 -noout -fingerprint -sha1 -in cert.pem
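The checks described above, combined into one script as an added example that is not part of the original LRZ instructions: it confirms that the received hostcert.pem belongs to hostkey.pem, restricts the password-less key to its owner, and prints the SHA1 fingerprint for comparison. The function names check_hostcert and install_hostcert are hypothetical, and the file modes 400 and 644 are an assumption about what the consuming grid software expects.

```sh
#!/bin/sh
# Added example, not part of the original instructions.
# Function names are hypothetical; file names follow the page.

# check_hostcert CERT KEY
# 0: CERT contains the public key of KEY, 1: mismatch, 2: unreadable file.
# Assumes a password-less key, as produced by "openssl req ... -nodes".
check_hostcert() {
    cert=$1
    key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# install_hostcert CERT KEY
# Verifies the pair, restricts the unencrypted key to its owner and prints
# the data to compare with the RA's e-mail before confirming receipt.
install_hostcert() {
    check_hostcert "$1" "$2" || {
        echo "certificate and key do not belong together (or are unreadable)" >&2
        return 1
    }
    chmod 400 "$2" || return 1   # assumed mode: key has no passphrase, owner read-only
    chmod 644 "$1" || return 1   # assumed mode: the certificate is public
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha1
}

# Run on the files named on this page when they are in the current directory.
if [ -f hostcert.pem ] && [ -f hostkey.pem ]; then
    install_hostcert hostcert.pem hostkey.pem
fi
```

A mismatch at this point usually means the certificate was saved next to a key from a different request, which is worth catching before the pair is deployed.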
You can now use your certificate for authentication within the grid.
For UNICORE, or to import into a web browser, you need to generate a
so-called keystore from the private key and certificate. This can be done using
the following command:
openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -name "<your name>" -out keystore.p12
Or, in case you need to perform the opposite action:
openssl pkcs12 -in keystore.p12 -out output.pem
You should make sure that the certificates reside in the correct place.
For Globus this should be the folder $GLOBUS_CERT_DIR.
Some grid resource providers require, in addition to the certificates, the key of the CA. You can either find it in the e-mail you received or download it from here:
Root certificate of the DFN-PKI Grid hierarchy (DFN-Verein PCA Grid - G01)