Information on Grid Server Certificates

Request Server Certificates (Grid)

To apply for a server certificate, you must first create a Certificate Signing Request (CSR). The CSR is then submitted as part of the certificate request via the web interface. An application form must be printed out, signed and transmitted to Teilnehmerservice at JSC.

To generate the request, either use the tools provided by the respective server software or use openssl. The documentation includes an openssl quick reference. The minimum size of RSA keys in the grid hierarchy is 1024 bit. However, to guarantee a long-term security level, it is strongly recommended to use a minimum key size of 2048 bit.

In any case, this process requires the information that forms the unique name of the certificate subject. The certification policy of DFN-PCA specifies that the subject consists of the following attributes (those in square brackets are optional):

  • C=DE
  • O=GridGermany
  • OU=Forschungszentrum Juelich GmbH
  • [OU=(organizational unit)]
  • CN=(FQDN of the Server)
  • EMail=(email of administrator)

Please note the following:

  • entries are case sensitive
  • the character set to use can be found in the Certificate Practice Statement (Section 3.1.4); in particular, umlauts and ß cannot be used

Generating the keys and Certificate Signing Request (CSR) for servers with openssl

In the following openssl sequence, the fields for which entries must be made are printed bold. To make sure the other fields are left blank, you must enter a period when using openssl. The entered password (PEM pass phrase) protects your keys and must not be lost.
When creating a server CSR, the fully qualified domain name of the server must be entered as the common name. The e-mail address entered after it must be that of the system administrator.


openssl req -newkey rsa:2048 -keyout key.pem -out servername_CSR.pem

Generating a 2048 bit RSA private key
.......................... +++
........................................... +++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Nordrhein-Westfalen
Locality Name (eg, city) []:Juelich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Forschungszentrum Juelich GmbH
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.


The execution of the openssl command creates two files:

  • key.pem contains the private key. This file is protected by the entered password and must be stored carefully.
  • servername_CSR.pem contains the certificate signing request that must be transmitted to DFN-CERT Services using the web interface. The content of the request can be checked with the command:
    openssl req -noout -text -in servername_CSR.pem

The completed certificate will be sent to the administrator by e-mail.
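
The interactive dialogue above can also be replaced by a subject string that is checked before openssl runs. The following is an added example, not part of the original instructions: the function names, the host grid01.example.org and the address admin@example.org are constructed, and the ASCII-only test is an assumed, conservative stand-in for the character set defined in the Certificate Practice Statement.

```shell
#!/bin/sh
# Added example: non-interactive DN for the CSR described above.
# grid01.example.org / admin@example.org are constructed sample values.

# Accept only non-empty printable-ASCII values without '/' (the -subj
# separator). ASCII-only is an assumed, conservative stand-in for the CPS
# character set; it rejects umlauts and ß.
dn_value_ok() {
    case "$1" in ''|*/*) return 1 ;; esac
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')" ]
}

# build_subject FQDN ADMIN_EMAIL [ORG_UNIT] -> prints the -subj string.
# The EMail attribute of the policy is called emailAddress by openssl.
build_subject() {
    fqdn=$1; email=$2; ou=${3:-}
    for v in "$fqdn" "$email"; do
        dn_value_ok "$v" || { echo "invalid DN value: $v" >&2; return 1; }
    done
    case "$fqdn" in *.*) ;; *) echo "CN must be an FQDN" >&2; return 1 ;; esac
    subj="/C=DE/O=GridGermany/OU=Forschungszentrum Juelich GmbH"
    if [ -n "$ou" ]; then
        dn_value_ok "$ou" || { echo "invalid OU: $ou" >&2; return 1; }
        subj="$subj/OU=$ou"
    fi
    printf '%s/CN=%s/emailAddress=%s\n' "$subj" "$fqdn" "$email"
}

# Read `openssl req -noout -text` output on stdin, print the key size in bits.
csr_key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# make_csr FQDN ADMIN_EMAIL [ORG_UNIT]: openssl still prompts for the PEM
# pass phrase; only the DN questions are skipped.
make_csr() {
    subj=$(build_subject "$@") || return 1
    ( umask 077   # key.pem readable by the owner only
      openssl req -newkey rsa:2048 -keyout key.pem \
          -out servername_CSR.pem -subj "$subj" ) || return 1
    bits=$(openssl req -noout -text -in servername_CSR.pem | csr_key_bits)
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: $bits bit" >&2; return 1; }
    openssl req -noout -subject -in servername_CSR.pem
}

# Usage: make_csr grid01.example.org admin@example.org
```

Because the subject is passed with -subj, no state or locality is added and the entries cannot be mistyped at the prompts; the pass phrase is still entered interactively and never appears on the command line.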