Belarusian Grid Certification Authority
IMPORTANT: Users from Belarus, please go to page Руководство абонента for Belarus-specific instructions.

This information helps You get access to Belarusian Grid resources. Belarusian Grid certificates do not automatically grant access to any computing resources. Your permission on a remote system is granted by the system owners. Certificates make it possible to identify remote users and hosts.


Why do I need a certificate?

If You are not familiar with certificates, please see the X.509 and SSL descriptions.

Requesting a User Certificate

  1. You need a user account on a secure Linux or *NIX machine with OpenSSL. Log in to the machine.
  2. Make sure you do not have a .globus directory. If you already have a .globus directory, move all its contents to a different subdirectory before you start generating a new certificate request.

    If you do not have .globus directory, make a new directory for the certificate:
    mkdir ~/.globus
  3. Go to the directory:
    cd ~/.globus
  4. Download OpenSSL configuration for BalticGrid user certificate requests:
    wget http://ca.grid.by/misc/BelarusianGridCA-user.cnf
  5. Generate your certificate request.
    openssl req -new -config BelarusianGridCA-user.cnf -out usercert_request.pem -sha1
    * Choose a strong password;
    * Do not change both "Domain Component" variables - just press <ENTER>;
    * Enter your institution domain (for example bntu.by) OR domain with subdomain if one exists (for example uiip.bas-net.by);
    * Enter your legal name in the English alphabet as presented in a passport of a citizen of the Republic of Belarus.
    * You should get two files: usercert_request.pem (CSR - Certificate Signing Request) and userkey.pem (secret key).
  6. Check Subject of certificate request:
    openssl req -in usercert_request.pem -noout -text
    Subject of certificate request should look like this (replace domain.by and Name Surname):

    Subject: DC=by, DC=grid, O=domain.by, CN=Name Surname

    IMPORTANT: keep userkey.pem secret.
    chmod 400 userkey.pem
    If You suspect Your key has been compromised, please contact CA or RA.
  7. Contact a Belarusian Grid Registration Authority (RA). Send the following information to the RA via e-mail:
    • Your full name (ID-document)
    • Certificate request file (usercert_request.pem)
    • Occupation at Your institution
    • Phone (work)
    • Phone (mobile)
    • Fax
    If everything is correct, arrange a face-to-face meeting with the RA. The following documents are required:
    • ID proof (passport)
    • photocopy of ID proof
    • proof of affiliation with institution
    • photocopy of affiliation proof
    • printed copy of usercert_request.out
  8. Registration Authority will check your ID and send your request to the Belarusian Grid CA.

    In approximately 3 working days You will get a signed certificate. Copy it to the ~/.globus/usercert.pem file on the machine where You generated the certificate request.
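
The checks from step 6 (Subject layout, key file permissions) can be scripted and run before the request goes to the RA. The script below is an added example, not part of the CA's own instructions; the function names, the accepted character sets in the Subject pattern and the extra check that the request and the key belong together are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run on a request before it is sent to the RA.
# Usage (script name is hypothetical): sh check_request.sh usercert_request.pem userkey.pem

# Reduce "Subject: DC = by, DC = grid, ..." (newer OpenSSL) and
# "Subject: DC=by, DC=grid, ..." (as shown on this page) to "DC=by,DC=grid,...".
normalize_subject() {
    printf '%s\n' "$1" |
        sed -e 's/^ *[Ss]ubject *[:=] *//' -e 's/ *= */=/g' -e 's/ *, */,/g'
}

# Succeed only for the layout DC=by,DC=grid,O=<domain with a dot>,CN=<name or host>.
# The character classes are an assumption of this example, not a CA rule.
subject_ok() {
    normalize_subject "$1" | grep -Eq \
        '^DC=by,DC=grid,O=[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+,CN=[A-Za-z0-9][A-Za-z0-9 .-]*$'
}

# Succeed only if the key file exists and group/others have no permission bits
# (true after "chmod 400"). Columns 5-10 of "ls -l" are the group and other bits.
key_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# $1 = certificate request, $2 = private key. Needs the openssl command.
check_request() {
    subj=$(openssl req -in "$1" -noout -text | sed -n '/^ *Subject:/{p;q;}')
    subject_ok "$subj" || { echo "unexpected Subject: $subj" >&2; return 1; }
    key_mode_ok "$2" || { echo "$2: group/others have access, run chmod 400" >&2; return 1; }
    # The request must carry the public half of this key
    # (openssl asks for the password of an encrypted user key).
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] ||
        { echo "request and key do not belong together" >&2; return 1; }
    echo "OK: $(normalize_subject "$subj")"
}

if [ "$#" -eq 2 ]; then
    check_request "$1" "$2"
fi
```

The same script accepts a host request, since the pattern also matches CN=hostname.domain.by.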

Requesting a Host (Server) Certificate

You will need a host certificate if You intend to make Your computing resources available on BalticGrid.

The procedure is similar to Requesting a User Certificate. The differences are:

  1. login as root to the host
  2. create a new directory for certificates
  3. Download OpenSSL configuration for Baltic Grid host certificate requests
    wget http://ca.grid.by/misc/BelarusianGridCA-host.cnf
  4. Command to create hostcert_request.pem and hostkey.pem (notice the -nodes parameter: it tells OpenSSL not to protect hostkey.pem with a password):
    openssl req -new -config BelarusianGridCA-host.cnf -out hostcert_request.pem \
    -sha1 -nodes
  5. chmod 400 hostkey.pem
    Certificate subject should look like this:

    Subject: DC=by, DC=grid, O=domain.by, CN=hostname.domain.by
  6. Instead of meeting with the RA face-to-face, You can send an e-mail to the RA or CA, signed with Your valid personal Belarusian Grid CA user certificate.

    No photocopy of the documents is required.

IMPORTANT: in most cases You need a decrypted hostkey.pem for grid middleware. Please set appropriate permissions on hostkey.pem to prevent unauthorized access. If You notice that Your hostkey.pem is encrypted, see Hints for a description of how to decrypt keys.

Renewing User/Host Certificate

  1. You need a user account on a secure Linux or *NIX machine with OpenSSL. Log in to the machine.
  2. Create a new directory for the new certificate request:
    cd
    mkdir newcert
    cd newcert
  3. Download OpenSSL configuration for Baltic Grid user certificate requests:
    wget http://ca.grid.by/misc/BelarusianGridCA-user.cnf
    or
    wget http://ca.grid.by/misc/BelarusianGridCA-host.cnf (for host certificates)
  4. Generate a new certificate request with the same subject:
    openssl req -new -config BelarusianGridCA-user.cnf -out usercert_request.pem -sha1 
  5. Check Subject of certificate request:
    openssl req -in usercert_request.pem -noout -text
    Subject of certificate request should look like this (replace domain.by and Name Surname):
    Subject: DC=by, DC=grid, O=domain.by, CN=Name Surname
    IMPORTANT: keep userkey.pem secret.
    chmod 400 userkey.pem
    If You suspect Your key has been compromised, please contact CA or RA.

  6. Sign your new request with your user certificate:
    cd
    openssl smime -sign -in newcert/usercert_request.pem -out \
    newcert/usercert_request.smime -signer .globus/usercert.pem \
    -inkey .globus/userkey.pem
  7. Send the file ~/newcert/usercert_request.smime to Belarusian Grid CA ca@newman.bas-net.by

Hints

To show certificate request in plain text:

openssl req -in usercert_request.pem -noout -text

To show certificate in plain text:

openssl x509 -in $HOME/.globus/usercert.pem -noout -text 

To convert certificate from PEM to PKCS12 format (if You wish to import it to Your web browser):

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem \
-descert -out $HOME/certificate.p12

To decrypt a private key file (this step may be required for host keys, because usually there is no one to enter the password when services using host keys are starting):

openssl rsa -in key.pem -out key-decrypted.pem

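To encrypt a private key or to change the private key password (AES-256 is used here because single DES, selected by -des, is weak and is not enabled by default in OpenSSL 3.x):

openssl rsa -aes256 -in key.pem -out key-encrypted.pem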

To sign your new request with your user certificate:

openssl smime -sign -in newcert/usercert_request.pem -out \
newcert/usercert_request.smime -signer .globus/usercert.pem \
-inkey .globus/userkey.pem

More Information

If You have questions or comments related to the information presented on this page, please feel free to contact ca@newman.bas-net.by.

© 2008-2010 UIIP NASB