DutchGrid CA Rekey Information

Notice

Renewal is only applicable for medium-security certificates. If you have lost your private key, or if your certificate has since expired, you will need to re-apply via the regular Request form for generating a new request and registration form. Alternatively you can request a new personal certificate using the jGridstart certificate management tool or download the application forms for users or for hosts and servers here if needed. Please fill them completely and bring them to your RA.
You can request routine rekeying of your Medium-security DutchGrid certification via the integrated certificate management tool jGridstart or by signed electronic mail. This e-mail must then contain a new certificate request, with the same subject name as the previous certificate but with a new key pair. Renewing your certification using the old key pair is not possible under the medium-security policy. The e-mail must be digitally signed by your "old" private key and be in the S/MIME format. Your old certificate should NOT yet have expired!

Alternatively, for host and server certificates, you can generate the signed e-mail with the dca-rekey-pack.sh shell script. This script requires the presence of an OpenSSL executable for your platform, and a basic set of file utilities (sed, rm, date, hostname, a Bourne shell compatible sh and a SysV compatible echo). You will have to mail the text to the CA using your own favourite mail client.
Important: you have to manually send or upload your renewal request. This is not done automatically! Once you have submitted your request, you will receive an automatic confirmation email within a few minutes. If you did not get this email, please send or submit your renewal request again.

The syntax is then (almost) trivial:

    dca-rekey-pack.sh [-d targetdir] [-o prefix] [-b bits] [-k oldkeyfile] oldcert

      -d targetdir    directory where all new files will end-up (default: .)
      -o prefix       string to use as a prefix for all generated files (default: "new")
      -b bits         number of bits for key pair (default: 2048)
      -k oldkeyfile   filename of existing private key file in PEM format
                      (default: same name as certfile, with "cert"->"key")
      oldcert         filename of existing certificate in PEM format

So, if you want to renew your existing Globus certification, try the following commands:

    dca-rekey-pack.sh -d .globus .globus/usercert.pem

(or for the old script: renewcert-dutchgrid.sh -d .globus .globus/usercert.pem)

    lots of blah-blah and passphrase typing
    *** use to following command to mail it, but do not modify the
    *** contents of the e-mail!
    You have successfully generated your renewal (rekeying) request.
    The renewal (rekeying) request is stored in the file
    2007//newrekeypack.txt, and you must now do either of the following:
    - send file .globus/newrekeypack.txt by e-mail to ca@dutchgrid.nl,
      preferably IN-LINE and not as an attachment (use copy-paste please)
    - upload the file .globus/newrekeypack.txt using the renewal web
      interface at http://ra.dutchgrid.nl/ra/public/submit
    Your rekey request will be sent to your RA for acknowledgement, so
    please be patient while your RA processes your request.
    Thank you for using the DutchGrid CA Service.

Note that if you don't have sendmail, you could try using the "mail" program instead, but the web interface is more user-friendly.

Wait some time for the certificate to come back by e-mail, and save the mail as .globus/newcert.pem. Now it's time to exchange your "old" set of keys for the new ones in one go:

    cd "$HOME/.globus"
    mv usercert.pem old_usercert.pem
    mv userkey.pem old_userkey.pem
    mv newkey.pem userkey.pem
    mv newcert.pem usercert.pem

and to renew your proxy if needed.

Please note that DutchDemo certificates are not eligible for rekeying.
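The conditions this page sets for a rekey request (same subject name, a new key pair, an old certificate that has not yet expired) can be checked locally before you mail or upload anything, and the certificate that comes back can be checked against your request before you swap the files. The following is an added example, not part of dca-rekey-pack.sh or the DutchGrid tooling; the function names are hypothetical and the request file is passed as an argument because its name is not given on this page.

```sh
#!/bin/sh
# Added example (not part of dca-rekey-pack.sh). Function names are
# hypothetical; all files are PEM and are passed in as arguments.

# Subject DN of a certificate ($1 = x509) or request ($1 = req), RFC 2253 form.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# PEM public key carried by a certificate (x509) or request (req).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey; }

# rekey_precheck OLDCERT NEWREQ
# Returns 0 = OK, 1 = old cert expired, 2 = subject differs, 3 = key reused.
rekey_precheck() {
    # -checkend 0 fails when the certificate is already past its notAfter date.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
        echo "old certificate has expired; re-apply via the Request form" >&2
        return 1
    }
    [ "$(subject_of x509 "$1")" = "$(subject_of req "$2")" ] || {
        echo "request subject differs from the old certificate" >&2
        return 2
    }
    [ "$(pubkey_of x509 "$1")" != "$(pubkey_of req "$2")" ] || {
        echo "request reuses the old key pair" >&2
        return 3
    }
}

# issued_cert_matches NEWCERT NEWREQ
# Returns 0 only if the certificate mailed back carries the key from your
# request; an unreadable request yields an empty key and fails the check.
issued_cert_matches() {
    k=$(pubkey_of req "$2") && [ -n "$k" ] && [ "$(pubkey_of x509 "$1")" = "$k" ]
}

# Usage: rekey_precheck .globus/usercert.pem <new request file> && echo OK
```

Run issued_cert_matches on .globus/newcert.pem before the mv commands above, so a mis-saved e-mail never replaces a working usercert.pem.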