Next: Installing the IUCS CA Up: Certificate Authorities: Information and Previous: Pros and Cons of

   
Enabling CA for Globus

To enable one's CA for use with the Globus Toolkit, follow these instructions on the Globus website. In summary, the steps are as follows:

1. Export the CA's certificate as a *.pem file. To do this, launch tinyca as specified above and click on the "CA" tab (it opens to this by default). Click on the "Export CA" button. Export the CA's certificate in the PEM format to some location.

2. Run the following OpenSSL command on the file just exported:

    babel cacert 1 548 $ /l/ssl/bin/openssl x509 -in \
    > /tmp/local-cacert.pem -hash -noout
    aaaddcdf

3. The output of the previous step, aaaddcdf, is a hash of the CA's name. Name the CA's certificate PEM file after this hash with ".0" appended to it, like so:

    cp /tmp/local-cacert.pem /tmp/aaaddcdf.0

4. Copy this file into the /etc/grid-security/certificates directory. On the Extreme machines, this folder is linked to the following location, which is where this file should go:

    /l/local/packages/../noarch/globus/certificates/

5. Create a signing_policy file. Its file name should begin with the hash discovered above and end with ".signing_policy". See the link above for more information regarding these documents. Here is the file I created for our CA:

    # IUCS CA Policy

    access_id_CA   X509    '/C=US/O=Indiana University/OU=Computer Science/CN=Certificate Authority'
    pos_rights     globus  CA:sign
    cond_subjects  globus  '/C=US/O=Indiana University/OU=Computer Science/*'

   Be sure to place this file in the certificates directory with the CA certificate. In this case it would be named aaaddcdf.signing_policy.

6. Finally, make sure the permissions on these files are 644 (world readable, but definitely not world writable).
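To check the result of steps 3 through 6, the following added example (not part of the original page or of the Globus Toolkit) audits a certificates directory for the hash.0 / hash.signing_policy pairing and the 644 mode, and parses a signing policy to see which subject names it lets the CA sign. The function names are this example's own, matching "*" with fnmatch is an assumption about how the wildcard is interpreted, and accepting several double-quoted patterns in cond_subjects goes beyond the single pattern shown above; the script does not recompute the hash, which requires OpenSSL.

```python
import fnmatch, os, re, shlex, stat, sys

def parse_policy(text):
    """Return (ca_dn, rights, subject_patterns) from signing_policy text."""
    fields = {}
    for line in text.splitlines():
        try:  # comments=True drops '#' lines; a quoted DN stays one token
            parts = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote, e.g. a DN wrapped across lines
            continue
        if len(parts) == 3:
            fields[parts[0]] = parts[2]
    subj = fields.get("cond_subjects", "")
    patterns = re.findall(r'"([^"]+)"', subj) or ([subj] if subj else [])
    return fields.get("access_id_CA"), fields.get("pos_rights"), patterns

def subject_allowed(policy_text, subject_dn):
    """True if the policy lets the CA sign subject_dn ('*' matched fnmatch-style)."""
    _, rights, patterns = parse_policy(policy_text)
    return rights == "CA:sign" and any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)

def audit_cert_dir(path):
    """Return a list of findings for a trusted-certificates directory."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        stem, ext = os.path.splitext(name)
        if not os.path.isfile(full) or ext not in (".0", ".signing_policy"):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode != 0o644:
            findings.append(f"{name}: mode {mode:o}, expected 644")
        if ext != ".0":
            continue
        if not re.fullmatch(r"[0-9a-f]{8}", stem):
            findings.append(f"{name}: name is not an 8-hex-digit hash")
        policy = os.path.join(path, stem + ".signing_policy")
        if not os.path.isfile(policy):
            findings.append(f"{name}: missing {stem}.signing_policy")
            continue
        with open(policy) as fh:
            ca_dn, rights, patterns = parse_policy(fh.read())
        if not ca_dn or rights != "CA:sign" or not patterns:
            findings.append(f"{stem}.signing_policy: incomplete or unparsable")
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:  # usage: script.py DIRECTORY
    print("\n".join(audit_cert_dir(sys.argv[1])) or "no findings")
```

A policy whose access_id_CA line is broken across two lines is reported as incomplete or unparsable, because the quoted name no longer closes on the line where it opens.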


Marcus A Christie
2003-12-16