Wednesday, April 9, 2008

SimpleCA Explained

SimpleCA is used to create X.509 certificates locally instead of using a remote trusted Certificate Authority (for example, Health Grid or Verisign). A SimpleCA is primarily used to issue X.509 certificates for testing purposes. For example, PHGrid is currently using a SimpleCA to issue host and user certificates for an internal grid in support of OGSA-DAI.

Using a SimpleCA:
A SimpleCA can be created by running the following command:
  • $GLOBUS_LOCATION/setup/globus/setup-simple-ca

This command will generate the file globus_simple_ca_hash_setup-0.19.tar.gz in the ~/.globus/simpleCA directory. This file needs to be distributed to each grid node that will be using the new SimpleCA. Each node will need to run the following commands, in order, to recognize the new SimpleCA:

  • $GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca_hash_setup-0.19.tar.gz
  • $GLOBUS_LOCATION/sbin/gpt-postinstall
  • $GLOBUS_LOCATION/setup/globus_simple_ca_hash_setup/setup-gsi

You may request host and user certificates from the new SimpleCA after running the above commands.
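
Once a host certificate has been issued, a node can confirm that it really chains to a CA installed in its trusted directory. The script below is an added example, not part of the original post or of the Globus tooling; it assumes the `openssl` command-line tool is installed, defaults to the paths listed in the glossary, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Default paths are the ones
# named in the post's glossary; pass other paths to check a different layout.
HOSTCERT_DEFAULT=/etc/grid-security/hostcert.pem
CADIR_DEFAULT=/etc/grid-security/certificates

# is_self_signed CERT
# True when subject and issuer match and the signature verifies under the
# certificate's own key, which is what a SimpleCA root should look like.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$subj" = "$iss" ] || return 1
    openssl verify -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

# chains_to_trusted_ca CERT [CADIR]
# True when CERT verifies against the CAs installed in CADIR only.
# -no-CAfile keeps OpenSSL's system-wide CA bundle out of the decision.
chains_to_trusted_ca() {
    openssl verify -no-CAfile -CApath "${2:-$CADIR_DEFAULT}" "$1" >/dev/null 2>&1
}

# check_node [HOSTCERT] [CADIR]
# Reports whether the host certificate chains to a CA in the trusted directory.
check_node() {
    cert=${1:-$HOSTCERT_DEFAULT}
    cadir=${2:-$CADIR_DEFAULT}
    [ -r "$cert" ] || { echo "missing host certificate: $cert"; return 1; }
    [ -d "$cadir" ] || { echo "missing trusted CA directory: $cadir"; return 1; }
    if chains_to_trusted_ca "$cert" "$cadir"; then
        echo "OK: $cert is issued by a CA trusted in $cadir"
    else
        echo "FAIL: $cert does not chain to any CA in $cadir"
        return 1
    fi
}

# Run the check only when asked, e.g.: sh check-simpleca.sh --check
case "${1:-}" in
    --check) shift; check_node "$@" ;;
esac
```

A FAIL result on a node usually means the SimpleCA setup package has not been installed there yet, or the host certificate was issued by a different CA.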

Post Glossary:
Certificate - A public key and information about the certificate owner, bound together by the digital signature of a CA. In the case of a CA certificate, the certificate is self-signed, i.e. it was signed using its own private key.

Certificate Authority - An entity that issues certificates.

Host certificate - A certificate belonging to a host (i.e., a grid node). Host certificates are typically stored in the /etc/grid-security/hostcert.pem file.

SimpleCA - Simple Certificate Authority

Trusted CA – A CA trusted by the grid node. Trusted CAs are found in the /etc/grid-security/certificates directory.

User certificate – A certificate belonging to a user (e.g., Globus, Bubba, Jenny, Forest). User certificates are typically stored in the $HOME/.globus/usercert.pem file.
