Certificates FAQ

Q: What are certificates?

PRACE employs X.509 certificates for grid services, as they present a single method of authentication for all PRACE services, where only one password is required.

There are different kinds of certificates, each with a different scope of use. We mention here:

- User (Private) certificates

- Certificate Authority (CA) certificates

- Host certificates

- Service certificates

However, users need only manage User and CA certificates. Note that your user certificate is protected by an associated private key, and this private key must never be disclosed.

Q: Which X.509 certificates are recognised by PRACE?

Any certificate that has been issued by a Certification Authority (CA) from a member of the IGTF (http://www.igtf.net) is recognised by PRACE: European certificates are issued by members of the EUGridPMA (https://www.eugridpma.org), which is part of the IGTF and coordinates the trust fabric for e-Science Grid authentication within Europe.

Q: How do I get a User Certificate that can be used with PRACE?

To get a certificate, you must make a request to your local, IGTF approved, Certificate Authority (CA). Usually you then must visit, in person, your nearest Registration Authority (RA) to verify your affiliation and identity (photo identification is required). Usually, you will then be emailed details on how to retrieve your certificate, although procedures can vary between CAs. If you are in Europe, you can locate your PRACE trusted CA via http://www.eugridpma.org/members/worldmap.

In some countries certificates can also be retrieved using the TERENA Certificate Service; see the FAQ entry below for the link.

For more information, please see Section 2.4 of The Primer, which may be found at PRACE Primer

Q: Does PRACE support short lived certificates (SLCS)?

Yes, provided that the CA which provides this service is also a member of IGTF.

Q: Does PRACE support the TERENA certificate service?

Yes, PRACE supports TERENA eScience personal certificates. For more information, please visit https://tcs-escience-portal.terena.org, where you can also find out whether your organisation/country can use this service.

Q: What format should my certificate take?

User Certificates come in many formats, the three most common being the ’PKCS12’, ’PEM’ and JKS formats.

The PKCS12 (often abbreviated to ’p12’) format stores your user certificate, along with your associated private key, in a single file. This form of your certificate is typically employed by web browsers, UNICORE, DART, gsissh-term and Globus toolkit (GSI-SSH, GridFTP and GRAM5).

The PEM format (*.pem) stores your user certificate and your associated private key in two separate files. This form of your certificate can be used by PRACE’s gsissh-term and with the Globus toolkit (GSI-SSH, GridFTP and GRAM5).

To convert your Certificate from PEM to p12 format, and vice versa, PRACE recommends using the openssl tool (see separate FAQ entry).

JKS is the Java KeyStore and may contain both your personal certificate with your private key and a list of your trusted CA certificates. This form of your certificate can be used by DART and UNICORE6.

To convert your Certificate from p12 to JKS, PRACE recommends using the keytool utility (see separate FAQ entry).

Q: What are CA certificates?

Certification Authority (CA) certificates are used to verify the link between your user certificate and the authority which issued it. They are also used to verify the link between the host certificate of a PRACE server and the CA which issued that certificate. In essence they establish a chain of trust between you and the target server. Thus, for some PRACE services, users must have a copy of all the PRACE CA certificates.

To assist PRACE users, SARA provides a complete and up-to-date bundle of all the CA certificates that any PRACE user will require. Bundles of certificates, in either p12, PEM or JKS formats, are available from http://winnetou.sara.nl/prace/certs/.

It is worth noting that gsissh-term and DART automatically update their CA certificates from this SARA website. In other cases, if you receive a warning that a server’s certificate cannot be validated (not trusted), then please update your CA certificates via the SARA website. If this fails, then please contact the PRACE helpdesk.

Lastly, if you need the CA certificates for a personal Globus 5 installation, then you can install the CA certificates from a MyProxy server with the following command.

myproxy-get-trustroots -s myproxy-prace.lrz.de

If you run this command as ’root’, then it will install the certificates into /etc/grid-security/certificates. If you do not run it as ’root’, then the certificates will be installed into $HOME/.globus/certificates. For Globus, you can download the globuscerts.tar.gz packet from http://winnetou.sara.nl/prace/certs/.

Q: What is a DN and how do I find mine?

DN stands for Distinguished Name and is part of your user certificate. PRACE needs to know your DN to create your PRACE account. You may use openssl (see below) to determine your DN or, if your browser contains your user certificate, you can extract your DN from your browser.

For Internet Explorer users, the DN is referred to as the “subject” of your certificate. Tools->Internet Options->Content->Certificates->View->Details->Subject.

For users running Firefox under Windows, the DN is referred to as the “subject” of your certificate. Tools->Options->Advanced->Encryption->View Certificates. Highlight your name and then click View->Details->Subject.

Q: How do I use the openssl tool?

The following examples are for Unix/Linux operating systems only.

To convert from PEM to p12, enter the following command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out username.p12

To convert from p12 to PEM, type the following four commands:

openssl pkcs12 -in username.p12 -out usercert.pem -clcerts -nokeys
openssl pkcs12 -in username.p12 -out userkey.pem -nocerts
chmod 444 usercert.pem
chmod 400 userkey.pem

To check your Distinguished Name (DN), enter the following command:

openssl x509 -in usercert.pem -noout -subject -nameopt RFC2253

To check your certificate (e.g., DN, validity, issuer, public key algorithm, etc.), enter the following command:

openssl x509 -in usercert.pem -text -noout

To download openssl for both Linux and Windows, please visit http://www.openssl.org/related/binaries.html. On Mac OS X computers openssl is already pre-installed and can be used immediately.
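The p12-to-PEM conversion and the checks above, combined into shell functions (an added example, not PRACE's own tooling). It sets a restrictive umask before openssl writes the key, so the key file is never briefly readable by others ahead of the chmod, and it confirms that the extracted certificate and key belong together. The variable P12_PASS and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. The passphrase is read from $P12_PASS (assumed variable name)
# through openssl's "env:" source, so it never shows up in the process list.

# p12_to_pem <bundle.p12> <dir>: write usercert.pem and userkey.pem into <dir>
p12_to_pem() {
    p12=$1
    dir=$2
    (
        umask 077    # the key file is private from the moment it is created
        mkdir -p "$dir" &&
        openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -clcerts -nokeys -out "$dir/usercert.pem" &&
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -passout env:P12_PASS \
            -nocerts -out "$dir/userkey.pem" &&
        chmod 444 "$dir/usercert.pem" &&
        chmod 400 "$dir/userkey.pem"
    )
}

# cert_matches_key <cert.pem> <key.pem>: true when both carry the same public key
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:P12_PASS -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private <key.pem>: true when group and others have no permission bits
key_is_private() {
    [ "$(ls -l "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# cert_valid_for <cert.pem> <seconds>: true when still valid that far ahead
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# user_dn <cert.pem>: print the subject DN in RFC 2253 form
user_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}
```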

Q: How do I create and then manage a keystore?

PRACE recommends the Java-based keytool utility to create and manage keystores, which themselves are stores of keys and certificates. For example, if you want to convert your pkcs12 formatted key pair into a Java keystore you can use the following command.

keytool -importkeystore -srckeystore $my_p12_cert -destkeystore $my_keystore -srcstoretype pkcs12 -deststoretype jks -srcalias $my_nickname -destalias $my_nickname

where $my_p12_cert is the name of your p12 (pkcs12) certificate, $my_keystore is the name that you give to your new Java keystore and $my_nickname is the alias name that the p12 certificate was given and is used also for the new keystore.

You can also import CA certificates into your Java keystore with the tool, e.g.:

keytool -import -trustcacerts -alias $mydomain -file $mydomain.crt -keystore $my_keystore

where $mydomain.crt is the certificate of a trusted signing authority (CA) and $mydomain is the alias name that you give to the entry.

More information on the tool can be found at: http://download-llnw.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html

Q: How do I use my certificate to access the different PRACE Services?

Most PRACE services require the use of your certificate; however, the format of your certificate depends on the PRACE Service you wish to employ.

If employing PRACE Trouble Ticket System (DTTS) or INCA (both Web Applications), then the certificate must be in the p12 format and must be manually loaded into your browser for each computer you intend to employ. (Some Certification Authorities deliver the certificate directly into your browser.)

If employing the DART (a Java Web Start Application), then you may use either the p12 format or JKS. For more information, please visit Accounting Report Tool

If employing the PRACE version of GSISSH-term (also a Java Web Start Application), you may use either the PEM or p12 formats. Note that this service automatically installs up-to-date PRACE CA certificates.

If the PRACE service is UNICORE, then you bind your certificate, in either the p12 format or JKS, to UNICORE during the installation of the client on your local machine. For more information, please visit UNICORE6 in PRACE

If the PRACE service is part of Globus, such as GSI-SSH, GridFTP or GRAM5, then the certificates can be in either p12 or PEM format and must reside in the “$HOME/.globus” directory for Linux and Mac users or %HOMEPATH%\.globus for Windows users. (Windows users will have to use the DOS command ’cmd’ to create a directory which starts with a ’.’). Further, user certificates should be named either “usercred.p12” or “usercert.pem” and “userkey.pem”, and the CA certificates must be kept in a pre-specified directory as follows. For Linux and Mac users, this directory is either $HOME/.globus/certificates or /etc/grid-security/certificates. For Windows users, this directory is %HOMEPATH%\.globus\certificates. (If you are using GSISSH-Term from prace-ri.eu then you do not have to create the .globus directory nor install CA certificates to use this tool alone).

Q: How do I manually import my certificate into my browser?

If you employ the Firefox browser, then you can import your certificate by first choosing the “Preferences” window. For Windows, this is Tools->Options. For Linux, this is Edit->Preferences. For Mac, this is Firefox->Preferences. Then, choose the “Advanced” button, followed by the “Encryption” tab. Then, choose the “Certificates” panel; select the option “Select one automatically” if you have only one certificate, or “Ask me every time” if you have more than one. Then click on the “View Certificates” button to open the “Certificate Manager” window. You can then select the “Your Certificates” tab and click on the “Import” button. Then locate the PKCS12 (.p12) certificate you wish to import, and employ its associated password.

If you are a Safari user, then simply open the “Keychain Access” application and follow “File->Import items”.

If you are an Internet Explorer user, click Start->Settings->Control Panel and then double-click on Internet. On the Content tab, click Personal, and then click Import. In the Password box, type your password. NB you may be prompted multiple times for your password. In the “Certificate File To Import” box, type the filename of the certificate you wish to import, and then click OK. Click Close, and then click OK.

Q: What is a proxy certificate?

A proxy certificate is a short-lived certificate which may be employed by UNICORE and the Globus services. The proxy certificate consists of a new user certificate and a newly generated proxy private key. This proxy typically has a rather short lifetime (normally 12 hours) and often only allows a limited delegation of rights. Its default location, for Unix/Linux, is /tmp/x509_uuid but can be set via the $X509_USER_PROXY environment variable.

Q: What is the MyProxy service?

The MyProxy service can be employed by gsissh-term and Globus tools, and is an online repository that allows users to store long-lived proxy certificates remotely, which can then be retrieved for use at a later date. Each proxy is protected by a password provided by the user at the time of storage. This is beneficial to Globus users as they do not have to carry their private keys and certificates when travelling; nor do users have to install private keys and certificates on possibly insecure computers.

Q: Someone may have copied or had access to the private key of my certificate either in a separate file or in the browser. What should I do?

Please ask the CA that issued your certificate to revoke this certificate and to supply you with a new one. In addition, please report this to PRACE by contacting the helpdesk by email.