DOEGrids Certificate Service




*URGENT UPDATE on DOE GRIDS CA Service Transition and OSG CA Availability*

As was first announced in December 2011, the DOEGrids CA will cease providing certificate services on March 23rd 2013 and is now in the final stages of transitioning services to a new CA managed by the Open Science Grid (OSG). Most DOEGrids CA communities are in the process of transitioning to the new OSG service and most users may now begin using the OSG CA.

Please contact your RA with any questions or concerns you may have to ensure continuation of your certificate services after March 2013. Please review the transition website for comprehensive information on the service transition.

Frequently Asked Questions


Table of Contents

Most common issues

  1. Add or Update DOEGrids CA certificates
  2. "Secure Connection Failed" error with error code: ssl_error_renegotiation_not_allowed. What should I do?
  3. "noCert" error with Firefox/Mozilla browser during the renewal/replacement. What should I do?

 

General questions

  1. I am not a part of the Virtual Organizations listed on the Home page, can I have a certificate?
  2. I am part of a Virtual Organization listed on the Home page but there is no sponsor listed for my institution/Site. What should I do?

 

Certificate questions

  1. How do I renew my Agent certificate?
  2. How do I stop renewal notices for certificates?
  3. Can I request a certificate for myself using grid-cert-request?
  4. Can I email a personal or host/service certificate request rather than using my web browser to request/submit one?
  5. I forgot my pass phrase. Can you please reset it to the default or call me with it or send it to me in an email?
  6. Does the subject of my certificate request have to conform to the DOEGrids namespace? That is, does it have to be of the form OU=People, DC=doegrids,DC=org?
  7. How do I revoke my certificate?
  8. I am a DOEGrids Agent, how do I revoke a certificate I issued?
  9. How do I request an SSL server certificate for an Apache webserver?

 

 

Browser questions

  1. My favorite web browser is XXXX. Why don't you support it?
  2. I am having problems with Internet Explorer when I submit my certificate request?

 


How do I renew my Agent certificate?

Go to the Agent Renewal link and follow the instructions on the webpage.

Back to Top

How do I stop certificate renewal notices?

The notices continue until the certificate expiration date. You have to revoke old certificates to end the notifications; either your RA can do that for you, or you can do it yourself if you set up a challenge password for the certificate.

Back to Top

Can I request a certificate for myself using grid-cert-request?

No. Personal certificates must be requested using a web browser by going to DOEGrids Certificate service.

Back to Top

Can I email a personal or host/service certificate request rather than using my web browser to request/submit one?

No. Currently there is no email gateway into the request process. You must use the web by going to DOEGrids Certificate service.

Back to Top

I forgot my pass phrase. Can you please reset it to the default or call me with it or send it to me in an email?

No. The pass phrase securing your private key is stored and managed only by you. You must revoke your certificate and submit a new request. Go to the revoke link on the right to revoke your certificate and to the Certificate service to request a new certificate.

Back to Top

Does the subject of my certificate request have to conform to the DOEGrids namespace? That is, does it have to be of the form OU=People, DC=doegrids, DC=org?

The name space assigned by the DOEGrids PMA is designed to be organizationally and site neutral in order to support a number of Virtual Organizations. The structure of the name does not imply any authorization information. No other name space will be signed by DOEGrids or its Registration Authorities.

Back to Top

My favorite web browser is XXXX. Why don't you support it?

A number of browsers and systems have been tested, but we cannot cover all of them. The following table summarizes our findings.

     Operating System       Browser                          Description
  1. Linux/Windows/Mac OS   Mozilla/Firefox family browser   Usable
  2. Linux/Windows/Mac OS   Chrome                           Usable on Mac OS; not usable on Windows;
                                                             usable on Linux, but requires developer mode enabled
  3. Windows XP/7/8         Internet Explorer                Not usable

Back to Top

I am not a part of the Virtual Organizations listed on the Home page, can I have a certificate?

Only members of participating Virtual Organizations may be issued a certificate; all other requests will be rejected. DOEGrids supports Virtual Organizations that are a part of the Department of Energy or work with DOE. If you think your VO would like to join DOEGrids, please send an information request. There is a link for Info requests in the bar to your right.

Back to Top

I am part of a Virtual Organization listed on the Home page but there is no sponsor listed for my institution/Site. What should I do?

Please email the POC listed for your Virtual Organization and explain in detail who you are and why you think there should be a sponsor from your institution. He/she will work with you to handle your certificate requirements or help set up an institutional/site agent for you.

Back to Top

How do I revoke my certificate?

Go to the revoke link on the right bar and follow the instructions on the webpage.

Back to Top

I am a DOEGrids agent, how do I revoke a certificate I issued?

As a DOEGrids Registration Authority Agent, you have the access and ability to revoke any certificate issued by DOEGrids. You must be careful to select the correct certificate before revoking it. Please follow these steps:

  1. Go to: https://pki1.doegrids.org:8100/ca

  2. Click on "Search for certificates"

  3. Enter part of the Common name field

  4. Click Find

  5. Look carefully at the list returned & pick out the right one.

  6. Click on "Revoke", and fill in the reason

  7. Click Submit

Back to Top

How do I request an SSL server certificate for an Apache webserver?

  1. Please download the 'doegrids.tar' file from https://pki1.doegrids.org/Other/doegrids.tar

  2. Untar the distribution into the /tmp directory.

  3. Make sure OpenSSL is really installed and in your PATH.

  4. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

       $ openssl req -newkey rsa:1024 -keyout server.key -keyform PEM -out server.csr -config /tmp/doegrids/globus-host-ssl.conf.1c3f2ca8

     Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "Common Name", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.com, enter www.foo.com here. You can see the details of this CSR via the command

       $ openssl req -in server.csr -noout -text

Please refer to the following URL for more details: http://httpd.apache.org/docs-2.0/ssl_faq.html. The "/tmp/doegrids/globus-host-ssl.conf.1c3f2ca8" file has all the necessary changes to generate an SSL server certificate request which is in compliance with DOEGrids CA policy.
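As an added example (not part of the original FAQ or of the DOEGrids tooling), here is a Python check that a CSR subject, as printed by `openssl req -in server.csr -noout -subject`, lies in the DOEGrids namespace described in the namespace question above and, for a host request, carries the server's FQDN as its Common Name. The allowed OU values (People for personal, Services for host certificates) and the DC-first attribute order are assumptions; the sample subjects are constructed.

```python
"""Check a CSR subject against the DOEGrids namespace: DC=org, DC=doegrids,
one OU, one CN; for a host request the CN must be the server's FQDN.
Input is the line printed by `openssl req -in server.csr -noout -subject`,
in either the old slash form or the OpenSSL 1.1+ comma form.
The subjects used to exercise this code are constructed for this example."""

# Assumption: OU=People for personal and OU=Services for host certificates.
ALLOWED_OUS = {"People", "Services"}


def parse_subject(line):
    """Return the subject as an ordered list of (attribute, value) pairs."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):].strip()
    if line.startswith("/"):          # subject=/DC=org/DC=doegrids/...
        parts = line.lstrip("/").split("/")
    else:                             # subject=DC = org, DC = doegrids, ...
        parts = line.split(",")
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def check_doegrids_subject(line, expected_fqdn=None):
    """Return the list of problems found; an empty list means it conforms."""
    rdns = parse_subject(line)
    problems = []
    if rdns[:2] != [("DC", "org"), ("DC", "doegrids")]:
        problems.append("subject must start with DC=org, DC=doegrids")
    ous = [v for a, v in rdns if a == "OU"]
    if len(ous) != 1 or ous[0] not in ALLOWED_OUS:
        problems.append("exactly one OU from %s is required" % sorted(ALLOWED_OUS))
    cns = [v for a, v in rdns if a == "CN"]
    if len(cns) != 1 or not cns[0]:
        problems.append("exactly one non-empty CN is required")
    elif expected_fqdn and cns[0].lower() != expected_fqdn.lower():
        problems.append("CN %r is not the server FQDN %r" % (cns[0], expected_fqdn))
    # Any other attribute (O=, L=, ...) is outside the namespace and will not be signed.
    extra = sorted({a for a, _ in rdns} - {"DC", "OU", "CN"})
    if extra:
        problems.append("attributes outside the namespace: %s" % ", ".join(extra))
    return problems
```

Run it on the subject line of the CSR before submitting, e.g. `check_doegrids_subject(subject_line, "www.foo.com")` returns an empty list for a conforming host request.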

 

 

 

Back to Top

 


Add or Update DOEGrids CA certificates

You must install the CA chain, whether or not you have done so in the past.

  1. Import both CA certificates

  2. https://www.tacar.org/cert/install/61 (ESnet root CA)
    https://www.tacar.org/cert/install/41 (DOEGrids CA)

    or

    https://pki1.doegrids.org/ca/GetCAChain.html

  3. Edit both certificates and mark them as trusted
  4. Restart your browser

Why must this be done?

Most browsers require the DOEGrids CA chain of certificates be in place before your personal DOEGrids certificate can be installed, updated or used. The DOEGrids CA certificate has also been changed recently (lifetime extended, attributes added for CERN interoperability).

Some browsers do not require this exact sequence of steps. If you are confident you know what you are doing (or know better procedures), act appropriately. However, the changes in these certificates will not be important for several months and the consequent errors are obscure. This is a generic set of instructions that should work with all browsers.

Usually, only the installation of the ESnet root CA certificate is mandatory. However, there are still some circumstances where all elements of the chain are required.

Some browsers may complain that you are reinstalling one or more already-installed certificates. It's best to ignore this error and continue through the rest of the instructions in order to make sure the CA certificates are properly enabled.

"Marking CA certificate as trusted" varies from browser to browser, revision to revision, and platform to platform, and even the meaning and range of the trust settings vary considerably between browsers. In some cases the browser will ask you for a trust decision on install; in other cases you have to complete this as a separate step. In Firefox, CA certificates can be found by navigating "Tools->Options->Advanced tab->View Certificates->Authorities"; search for the certificate in the list, then use "Edit" to change its trust settings. In IE, go to "Tools->Internet Options->Content->Certificates"; CA certificates will be found under both Trusted Root Certification Authorities and Intermediate Certification Authorities. Editing is available with the Advanced tab.

Usually, only the ESnet root CA certificate needs to be marked as trusted. However, there may exist some circumstances where all elements of the chain need to be trusted, or have different trust choices selected.

Back to Top

"Secure Connection Failed" error with error code: ssl_error_renegotiation_not_allowed. What should I do?

This error message is caused by a new feature of Firefox 4 and above. The server is (currently) unfixable; here is a browser fix.

  • Change the browser configuration; enter 'about:config' in the address bar (location or URL bar)
  • Respond to the warning message: confirm that 'I'll be careful'
  • Scroll down the list and look for 'security.ssl.renego_unrestricted_hosts'
  • Double click this entry and provide 'pki1.doegrids.org' in the popup text box.
  • This should fix the problem.


Another solution: follow the reference below, which opens up 'ssl_renegotiation' to every host. Complete your renewal and then turn the ssl_renegotiation feature back off.
http://dotomaz.tumblr.com/post/786443743/firefox-4-0b1-and-ssl-renegotiation


"noCert" error with Firefox/Mozilla browser during the renewal/replacement. What should I do?

The renewal/replacement certificate interface works on the basis of SSL client certificate authentication. This error message means that the user is using a browser which does not have a valid DOEGrids certificate and its key installed. This error is also caused by not having the DOEGrids CA chain installed as a Trusted CA in the browser.

Back to Top

$Id: faq.html,v 1.10 2012/02/08 16:19:49 helm Exp $

DOE MICS ESnet DOEGrids Web Site