Enabling CA for Globus
To enable one's CA for use with the Globus Toolkit, follow these instructions on the Globus website. In summary, the steps are as follows:
1. Export the CA's certificate as a *.pem file. To do this, launch tinyca as specified above and click on the "CA" tab (it opens to this by default). Click on the "Export CA" button. Export the CA's certificate in the PEM format to some location.

2. Run the following command on the file just exported with OpenSSL:

       babel cacert 1 548 $ /l/ssl/bin/openssl x509 -in \
       > /tmp/local-cacert.pem -hash -noout
       aaaddcdf

3. The output of the previous step, aaaddcdf, is a hash of the CA's name. Rename the CA's certificate PEM file to this hash with ".0" appended to it like so:

       cp /tmp/local-cacert.pem /tmp/aaaddcdf.0

4. Copy this file into the /etc/grid-security/certificates directory. On the Extreme machines, this folder is linked to the following location, which is where this file should go:

       /l/local/packages/../noarch/globus/certificates/

5. Create a signing_policy file. Its name should begin with the hash discovered above and end with ".signing_policy". See the link above for more information regarding these documents. Here is the file I created for our CA:

       # IUCS CA Policy
       access_id_CA X509 '/C=US/O=Indiana University/OU=Computer Science/CN=Certificate Authority'
       pos_rights globus CA:sign
       cond_subjects globus '/C=US/O=Indiana University/OU=Computer Science/*'

   Be sure to place this file in the certificates directory with the CA certificate. In this case it would be named aaaddcdf.signing_policy.

6. Finally, make sure the permissions on these files are 644 (world readable, but definitely not world writable).
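Once the files are installed, the layout from steps 2 to 6 can be checked mechanically. The script below is an added example, not part of the original instructions or of the Globus Toolkit; the function name audit_ca_dir is hypothetical, and the hash comparison runs only where openssl is installed and can parse the certificate.

```shell
#!/bin/sh
# Audit a Globus trusted-CA directory laid out as in the steps above.
# Prints one line per finding; returns 0 only when nothing is found.
audit_ca_dir() {
    dir=$1
    problems=0
    flag() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    for cert in "$dir"/*.0; do
        [ -e "$cert" ] || { flag "no <hash>.0 certificate in $dir"; break; }
        hash=$(basename "$cert" .0)
        policy="$dir/$hash.signing_policy"

        # Steps 2-3: the file name must be the hash openssl reports.
        # Skipped when openssl is missing or cannot parse the file.
        if command -v openssl >/dev/null 2>&1 &&
           real=$(openssl x509 -in "$cert" -hash -noout 2>/dev/null); then
            [ "$real" = "$hash" ] || flag "$cert: openssl reports hash $real"
        fi

        # Step 5: a policy named after the same hash must exist and
        # carry the three directives used in the example policy.
        if [ -f "$policy" ]; then
            for key in access_id_CA pos_rights cond_subjects; do
                grep -q "^[[:space:]]*${key}[[:space:]]" "$policy" ||
                    flag "$policy: missing $key line"
            done
        else
            flag "$policy: missing signing policy for $cert"
        fi

        # Step 6: both files must be mode 644 (-rw-r--r--).
        for f in "$cert" "$policy"; do
            [ -f "$f" ] || continue
            mode=$(ls -ld "$f" | cut -c1-10)
            [ "$mode" = "-rw-r--r--" ] ||
                flag "$f: mode is $mode, expected -rw-r--r--"
        done
    done

    # A policy with no certificate beside it is also reported.
    for policy in "$dir"/*.signing_policy; do
        [ -e "$policy" ] || continue
        [ -f "${policy%.signing_policy}.0" ] ||
            flag "$policy: no matching .0 certificate"
    done

    [ "$problems" -eq 0 ]
}
```

Run it as `audit_ca_dir /etc/grid-security/certificates` after sourcing the file.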
Marcus A Christie
2003-12-16