DutchGrid Certification Authority User Information

This user information page is directed to users or administrators of Globus and Grid services in the Netherlands. In order to use the Grid in a secure fashion, a mutual trust relationship needs to be established between Grid service providers (machines or services like the Gatekeeper or the FTP daemon) and Grid users (individuals that need to access these resources). Such a mutual trust relation is created using transport-level security (like SSL) based on asymmetric public-private key cryptography. You might recognise this concept from so-called "secure web sites", frequently used to secure the exchange of sensitive information like credit-card details.

The identity (authentication) of services and users is based on "certificates": files that contain the public key of the user's key pair, details about the identity (like name and affiliation), and administrative information like expiry date and purpose. This information is bound together and digitally signed by a trusted third party, the "Certification Authority". Examples of well-known commercial CAs are Verisign and Thawte. NIKHEF operates such a CA as a courtesy service for DutchGrid as part of DataGrid WP6 (testbed).

Within this Public Key Infrastructure (PKI), the Certification Authority (CA) plays a pivotal role. It is the final authority, recognised by all subscribers and relying parties as making a well-informed and correct assessment on whether the public key belongs to the entity named in the certificate. For example, if Mr. John Foo Bar generates a key pair and submits it for signing by a CA, his eventual signed certificate will testify that the private key pertaining to this key pair is in the possession of someone named "John Foo Bar" and that he and only he can be the one behind any electronic actions signed with the associated private key.

The CAs operated for DutchGrid are a "medium-security" CA and a "worthless Demo CA". Medium security implies that the CA will do all reasonable checks to assert the requestor's identity (e.g., by phone, by personal visit or by checking a passport or driver's license with photograph). It will also check the affiliation of both users and server entities. The CA is physically secured in a locked room, not connected to any kind of network, etc. On the other hand, "medium-security" in this case implies that the CA can be operated by one person, and that no external (expensive) auditing is done. Also, use of the certificates by subscribers or relying parties for financial purposes is not permitted.
Details can of course be found in the Certification Policy and Practice statement.

In order to facilitate the identity checks, the DutchGrid CA has delegated part of the verification process to "Registration Authorities" (RAs). In case an RA has been assigned to your institute, please refer your requests to the RA. See below for a list of RAs.

Obtaining a DutchGrid Certificate

Requests for certification have to be sent by electronic mail to your DutchGrid Registration Authority or the DutchGrid CA. Preferably, such a mail is generated using the "Build-a-Request" form on the web: Build-a-Request Web Interface (or unsecured here). You can use this interface regardless of whether you have the Globus Toolkit installed or not. And, besides personal identity certificates, you can also request "service" and "host" certificates.
You will need to have OpenSSL installed on your system. OpenSSL is part of many popular Linux and Unix distributions, ships with the Globus Toolkit, and is also available for MS Windows/win32. If you need a win32 version, you will have the opportunity to download it from the request overview page at the end of the request process.

After completing the on-line forms, you will download a 'shell script' or an 'MS-DOS batch command file' that will create a cryptographic key pair for you. The public part of this key pair will be embedded in your certificate; the private part you must keep private. The two parts of the key pair end up in two separate files in your $HOME/.globus/ directory. For the medium-security production CA, and on Unix or Linux systems only, an electronic mail will automatically be sent to the CA for processing. In all other cases, mail the file "usercert_request.pem" (but never the "userkey.pem" file!) to the DutchGrid CA, and specify the following additional information:

  • Electronic mail address
  • Contact information (room number, phone number, etc)
Then, visit your Registration Authority, as printed on the form.

Renewing a DutchGrid Certificate

You can request rekeying of your medium-security DutchGrid certification by signed electronic mail, if and only if your last full application is not older than three (3) years, and your last application included your personal details and registration of your photo ID. This e-mail must contain a new certificate request, with the same subject name as the previous certificate but with a new key pair. Renewing your certification using the old key pair is not possible under the medium-security policy. The e-mail must be digitally signed by your "old" private key and be in the S/MIME format. To facilitate the generation of this signed e-mail, you can use the renewcert-dutchgrid.sh shell script. This script requires the presence of an OpenSSL executable for your platform, and a basic set of file utilities (sed, rm, date, hostname, a Bourne shell compatible sh and a SysV compatible echo).

Once you have sent this e-mail, contact your Registration Authority for confirmation.

PS: DutchDemo certificates are not eligible for rekeying.
PS: If you never provided a photocopy of your ID before, you cannot rekey your existing certificate.

Registration Authorities

Registration Authorities mediate your request and perform part of the identity verification process. Please refer to the RA assigned to your site. If you do not have an RA yet, you can contact the DutchGrid CA operator directly, but be prepared to identify yourself in person with a passport or driver's license.