Get a Host Certificate from the NCSA CA
This page assumes you want to get a host certificate for a host that does not have permission to run the ncsa-cert-request script. The Perl script can also be found at /afs/ncsa/packages/NCSA-CA/bin/ncsa-cert-request.
To get a host certificate from the NCSA CA for Globus or Apache-SSL:
- First, two caveats:
  - You will need your NCSA Default Password, which was the original password given to you when you started working at NCSA.
  - You need to be the Administrator of the DNS entry for the hostname. This is done when you create the DNS entry or you can use the DNSWorks change link to modify an existing hostname for which you are not administrator.
- Log on to an NCSA public system, e.g. public-linux.ncsa.uiuc.edu
- On the NCSA public system, create a directory to hold the host certificate and key temporarily. Don't use AFS for this, as AFS files go over the network unencrypted.
% mkdir /tmp/host-cert
% chmod 700 /tmp/host-cert
- Request the host certificate:
% /usr/local/NCSA-CA/bin/ncsa-cert-request -host computer-new.ncsa.uiuc.edu -dir /tmp/host-cert
- Copy the result to the target host:
% cd /tmp/
% tar cf - host-cert | ssh computer-new.ncsa.uiuc.edu "tar xvf - "
- Remove the temporary copy:
% rm -rf /tmp/host-cert
- On the target host, move the resulting hostcert.pem and hostkey.pem to /etc/grid-security and make sure they have the right permissions:
# chown root:root /etc/grid-security/hostcert.pem
# chmod 644 /etc/grid-security/hostcert.pem
# chown root:root /etc/grid-security/hostkey.pem
# chmod 600 /etc/grid-security/hostkey.pem
- The cert and private key can also be used for Apache-SSL:
% ls -l /etc/httpd/conf
-rw-r----- 1 root root 4977 2007-03-13 08:53 hostcert.pem
-rw------- 1 root root 1675 2007-03-13 08:53 hostkey.pem
Updating an Expired or About to Expire Certificate
- If the certificate has already expired, just create a new host certificate as detailed above.
- If the certificate is about to expire, hurry the process along and revoke it:
% ncsa-cert-request -hostrevoke computer-with-expiring-cert.ncsa.uiuc.edu
Then follow the above procedure to create a new host certificate.
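The state this procedure should leave on the target host (root:root ownership, 644 on the certificate, 600 on the key, a key that belongs to the certificate, and a certificate not about to expire) can be checked with a short script. This is an added example, not part of the original page or of the NCSA-CA tooling; the function names, the `check` argument and the 30-day default are assumptions, and it expects GNU stat and openssl on the host.

```shell
#!/bin/sh
# Added example, not part of the NCSA-CA tooling. Assumes GNU stat and openssl.

file_mode()  { stat -c '%a' "$1"; }      # octal mode, e.g. 600
file_owner() { stat -c '%U:%G' "$1"; }   # owner:group, e.g. root:root

# check_perms FILE MODE OWNER:GROUP -> 0 only if FILE exists with exactly both
check_perms() {
    [ -f "$1" ] || { echo "MISSING   $1"; return 1; }
    [ "$(file_mode "$1")" = "$2" ] ||
        { echo "BAD MODE  $1 is $(file_mode "$1"), want $2"; return 1; }
    [ "$(file_owner "$1")" = "$3" ] ||
        { echo "BAD OWNER $1 is $(file_owner "$1"), want $3"; return 1; }
}

# cert_matches_key CERT KEY -> 0 if the certificate carries the key's public half
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_host_creds DIR [OWNER:GROUP] [DAYS] -> 0 if every check passes
check_host_creds() {
    dir=$1 owner=${2:-root:root} days=${3:-30} rc=0
    check_perms "$dir/hostcert.pem" 644 "$owner" || rc=1
    check_perms "$dir/hostkey.pem"  600 "$owner" || rc=1
    [ "$rc" -eq 0 ] || return 1          # do not read files with wrong perms
    cert_matches_key "$dir/hostcert.pem" "$dir/hostkey.pem" ||
        { echo "MISMATCH  hostkey.pem does not belong to hostcert.pem"; rc=1; }
    openssl x509 -in "$dir/hostcert.pem" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "EXPIRING  hostcert.pem expires within $days days"; rc=1; }
    return "$rc"
}

# Run as root on the target host: sh check-hostcert.sh check /etc/grid-security
if [ "${1:-}" = "check" ]; then
    check_host_creds "${2:-/etc/grid-security}" && echo "OK"
fi
```

An EXPIRING result is the cue to follow the renewal steps above before the certificate lapses.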
