DOEGrids Certificate Transition happens in the following order:

- Key Generation/Certificate Request Generation: The web browser generates a key pair and submits the certificate request containing the public key. Kindly note that this certificate request does not contain any information about the user except the public key generated by the web browser. (The normal enrollment page, by contrast, generates the certificate request with embedded user information such as Common Name, Email, etc.)

- SSL Client Authentication: The server initiates SSL client authentication with the web browser. The user must have a DOESciencegrid certificate for this SSL client authentication; the server is set up to trust only DOESciencegrid certificates.

- Certificate Validation: The server validates the DOESciencegrid certificate against the current DOESciencegrid Certificate Revocation List (CRL). If the certificate serial number is present in the CRL, the server rejects the request. The server also rejects the request if the certificate expired more than 30 days ago.
  For example: if today is April 2, 2003, then you cannot use a certificate which expired on or before March 2, 2003.

- Subject DN Transition: The new DOEGrids Community CA has been built to issue certificates in the DC=DOEGrids, DC=org name space. The server uses the CN and OU components of the old DOESciencegrid certificate for the new certificate.
  For example: if 'CN=Fname Lname 12345, OU=people, O=doesciencegrid.org' is the Subject DN of your DOESciencegrid certificate, then the Subject DN of your new DOEGrids certificate will be 'CN=Fname Lname 12345, OU=People, DC=DOEGrids, DC=org'.

- The server issues a new DOEGrids certificate. This certificate may or may not have a SubjectAltName extension, depending on your old DOESciencegrid certificate.
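The server-side checks described above (CRL lookup, the 30-day expiry rule and the Subject DN mapping), as an added Python example that is not part of the original page or the DOEGrids service; the revoked serials are constructed, and the DN parsing helper and the OU capitalisation rule are assumptions drawn from the page's single example.

```python
from datetime import date, timedelta

# Grace period stated on the page: a certificate that expired more than
# 30 days ago is rejected.
GRACE_DAYS = 30


def parse_dn(dn):
    """Split 'CN=..., OU=..., O=...' into an ordered list of (attr, value)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def transition_subject_dn(old_dn):
    """Map a DOESciencegrid Subject DN onto the DC=DOEGrids, DC=org name
    space, keeping CN and OU. OU is capitalised as in the page's example
    (assumption: 'people' -> 'People')."""
    attrs = dict(parse_dn(old_dn))
    cn, ou = attrs["CN"], attrs["OU"]
    return f"CN={cn}, OU={ou[:1].upper() + ou[1:]}, DC=DOEGrids, DC=org"


def expired_past_grace(not_after, today, grace_days=GRACE_DAYS):
    """True when the certificate expired more than grace_days before today,
    matching the page: on April 2, 2003 an expiry on or before March 2, 2003
    is rejected, while March 3, 2003 is still accepted."""
    return today - not_after > timedelta(days=grace_days)


def validate_transition(serial, not_after, old_dn, revoked_serials, today):
    """Apply the CRL check first, then the 30-day rule.
    Returns (accepted, reason) on rejection or (accepted, new_dn) on success."""
    if serial in revoked_serials:
        return False, "serial present in DOESciencegrid CRL"
    if expired_past_grace(not_after, today):
        return False, "expired more than 30 days ago"
    return True, transition_subject_dn(old_dn)


# Constructed sample input, not real DOESciencegrid data.
REVOKED = {"0x1A2B", "0x3C4D"}
TODAY = date(2003, 4, 2)
EXPIRY_REJECT = date(2003, 3, 2)   # on/before March 2 -> rejected
EXPIRY_ACCEPT = date(2003, 3, 3)   # March 3 -> still within grace
OLD_DN = "CN=Fname Lname 12345, OU=people, O=doesciencegrid.org"

if __name__ == "__main__":
    print(validate_transition("0x0001", EXPIRY_REJECT, OLD_DN, REVOKED, TODAY))
    print(validate_transition("0x0001", EXPIRY_ACCEPT, OLD_DN, REVOKED, TODAY))
    print(validate_transition("0x1A2B", EXPIRY_ACCEPT, OLD_DN, REVOKED, TODAY))
```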