KEK GRID CA Enrollment Manual

Version 5.1
2021-12-08


Index


1. CA Service Application (KEK GRID CA CP/CPS 4.1(1))

1.1. Submitting Application Form

Users can request a KEK Grid CA service account via the Online Application Portal, ccPortal (highly recommended). All users must submit an application form and a copy of the user's (high resolution) photo ID to the Administration Office of the KEK Computing Research Center by the system. It is desirable that the user's photo ID is issued by the user's home institute. If it is not possible, a copy of your ID from the home institute in addition to one copy of a public photo ID can be submitted instead. Your personal information (including a copy of photo ID) is used exclusively for the purpose of managing your account and issued certificates, and in particular, vetting your identity by a face-to-face or video conferencing interview.

In case a user cannot utilize ccPortal for any reason, the application form and photo ID can be sent by e-mail or ordinary mail in the paper.
The address of the office is:

[English]
Computing Research Center Administration Office
High Energy Accelerator Research Organization
1-1 Oho, Tsukuba 305-0801, Japan

[Japanese]
〒305-0801
茨城県つくば市大穂1-1
高エネルギー加速器研究機構
計算科学センター 事務室

The template of the application form is available from Application Form Page.
If you do not have an account on any other systems in KEK, you have to submit another form.

1.2. Identification and Interview

After receiving an application form, KEK GRID RA examines it according to CP/CPS document [3.1.9 user identification], and interviews the applicant. The interview is scheduled based on an agreement between the RA and the applicant. The interview can be either face-to-face or through video conference.

1.3. Authorization

If the application is approved by the interview, the KEK GRID RA will inform the KEK GRID CA that the request has been approved. The KEK GRID CA then creates a username and a password, which will be used to obtain a certificate from the CA system. The initial password is set to 10 digits random characters. The username and the initial password will be able to retrieve from ccPortal. If a user is not registered in ccPortal, a document will be sent to the applicant in a paper by ordinal mail or FAX.

You should change the initial password as soon as you receive it and keep in mind your changed password.



2. Managing User Account

2.1. Change User's Password

To change your password, visit Password Management Service with your favorite web browser. The KEK GRID CA requires a user to keep her/his password more than 10 digits long.


2.2. Change User's Common Name

If you want to change your Common Name (CN), please contact consult@kek.jp.



3. Setting up Command Line Client

User must install KEK GRID CA Command Line Client (CLI) on a computer system client nod client node.

The CLI communicates with the KEK GRID CA through the public Internet.
If your client node is placed behind a firewall, please ensure that the firewall is configured so that transmissions are allowed to/from KEK GRID CA services:TCP ports 80, 443, 2560 on 130.87.6.254 / 2001:2f8:3e:6::14 and TCP ports 443, 11417 on 130.87.6.245 / 2001:2f8:3e:6::5


3.1. KEK GRID CA CLI Installation

On KEKCC work servers, the CLI is pre-installed under /opt/kek/caclt.

User have to install a CLI package which is a modified version of the NAREGI-CA software.

The NAREGI-CA software supports various UNIX platforms, however, the CLI has been tested on following Linux platforms only:

  • Red Hat Enterprise Linux 6.10 (x86_64)
  • Red Hat Enterprise Linux 7.7 (x86_64)
  • Red Hat Enterprise Linux 7.8 (x86_64)
  • Red Hat Enterprise Linux 8.1 (x86_64)
  • CentOS 6.10 (x86_64)
  • CentOS 7.8 (x86_64)
  • CentOS 8.1 (x86_64)

After downloading the CLI package, you can install it in the following way (You can change the installation directory ("/opt/kek/caclt" in the example below) to whatever you like. The default is "/usr/local".):

  1. Unpack a download file
    ex) $ tar zxf kekgca-clt.20200715.tar.gz
  2. Change working directory to the source directory
    ex) $ cd kekgca-clt
  3. Configure and make
    ex) $ ./configure --prefix=/opt/kek/caclt; make client
  4. Install CLI files
    ex) $ make install-client



4. Obtaining a Certificate

4.1. Obtain a User Certificate with KEK GRID CA CLI

  1. Execute "certreq" with the options below

    $ /opt/kek/caclt/bin/certreq issue -uid your_username -ucert

  2. Input your password following the prompt, to get access KEK GRID CA:
    ------------------------------------------- 
      creating a certificate signing request 
    -------------------------------------------
    generate private key (size 2048 bit)
    ...................................oo
    .............oo
    
    please input your challenge pin to get a certificate
    Input Challenge PIN or Password :
    
  3. Input Pass Phrase twice following the displayed prompt, to protect your generated private key:
    your_username is now trying to login...
    99 bytes retrieved as CN.
    trying to connect RA server : rra51.kek.jp (11417) ... ok.
    request for issuing a new certificate ... ok.
    save a CA certificate file : 617ff41b.0
    save a certificate file : usercert.pem
    save a private key file : userkey.pem
    Input PASS Phrase:     
    Verifying - Input PASS Phrase: 
    

The following files should be created under current working directory:

  • usercert.pem
  • userkey.pem
  • 617ff41b.0 (CA certificate)
Please note that certreq overwrites usercert.pem and userkey.pem if these files exist in current working directory (with write permission enabled).

You have to set appropriate permissions on userkey.pem (400) and usercert.pem (644). Under usual Grid environment, these files are supposed to be placed in $HOME/.globus directory.


4.2. Obtaining a Host/Service Certificate

In order to issue host/service certificates, a special permission has to be given to your account.
Please contact consult@kek.jp for the permission.

4.2.1. Generation of One-time License Code

A one-time license is required to request issuing a Globus host/service certificate. You can get it with a web browser which supports a HTML form submission:

  1. Visit License Generation Service with your favorite web browser.
  2. Input your "username" and "password".
  3. Select number of licenses (i.e. hosts/services) as you need. You can get up to 32 license codes at a time.
  4. Click "Generate license code" button.
  5. License Generation Service shows several license codes like below:
    1234567890-7GG4QI-FGVXVK
    1234567890-7GF8QH-69SNL1
    1234567890-7GEZQG-49YWR8
    1234567890-7G7PQF-NG3CON
    1234567890-7G6DQE-YRTWYQ
    
  6. You should keep the license codes (by saving a local text file).

4.2.2. Obtain Certificates with KEK GRID CA CLI

Execute "certreq" with the options below

    $ /opt/kek/caclt/bin/certreq issue -lic a_onetime_license_code -hcert -fqdn hostname
    or
    $ /opt/kek/caclt/bin/certreq issue -lic a_onetime_license_code -lcert -fqdn hostname

"-fqdn hostname" is a mandatory option when you obtain host/ldap certificates.

If you want to have a 2nd organizational unit (OU) field in the subject of a host/ldap certificate, you should execute "certreq" with the following options;

    $ /opt/kek/caclt/bin/certreq issue -lic a_onetime_license_code -hcert -fqdn hostname -mou 2nd_ou_name

The following files will be created under current working directory:

  • hostcert.pem
  • hostkey.pem
  • 617ff41b.0 (CA certificate)
or
  • ldapcert.pem
  • ldapkey.pem
  • 617ff41b.0 (CA certificate)

Please note that certreq overwrites certificates and key files (hostcert.pem and hostkey.pem or ldapkey.pem and ldapcert.pem) in current working directory.

You have to set appropriate ownership (usually root) and permissions on hostkey.pem (400) and hostcert.pem (644). Under usual Grid environment, these files are supposed to be placed in /etc/grid-security/ directory.



5. Updating Certificates

Certificates can be updated by either (5.1) rekeying or (5.2) revoking old one and then issuing new one.
5.1. Rekey certificates
For user certificate:

You can rekey your certificate, i.e. issue a new one with the same subject as the current one if the certificate will expire in less than 90 days.
Note that the old certificate is valid until the expiration date and you will receive email notifications until the old certificate expires or is revoked.
(The old certificate can be revoked from the Web enroll page as described in Section 6.2.)

  1. Check serial number (in decimal) and valid period of the expiring certificate.
    $ openssl x509 -in usercert.pem -serial -dates -noout
    serial=3039
    notBefore=Mar 01 00:00:00 2019 GMT
    notAfter=Apr 01 00:00:00 2020 GMT
    $ printf "%d\n" 0x3039
    12345
    or
    $ echo "ibase=16; 3039" |bc
    12345

  2. Make a new directory and copy the current files into the directory with different name.
    $ mkdir dirname
    $ cd dirname
    $ cp -p /somewhere/userkey.pem _userkey.pem
    $ cp -p /somewhere/usercert.pem _usercert.pem

  3. Rekey your certificate. Please don't forget to replace your_username with your username in the following example.
    $ /opt/kek/caclt/bin/certreq rekey -ucert -uid your_username -clkey _userkey.pem -clcer _usercert.pem
    ------
    Certificate DATA:
        serial number : 12345
        subject:
        C=JP, O=KEK, OU=CRC,  CN=XXXX XXXX
        Validity
          Not Before: Mar 01 00:00:00 2019
          Not After : Apr 01 00:00:00 2020
    
  4. Choose "y"
    do you re-key this certificate ? (y/n)[y]:
    
  5. Input your password to get access KEK GRID CA
    please input your challenge pin or password to get a certificate
    Input Challenge PIN or Password :
    
  6. Input a new passphrase to be set for the new certificate (private key) twice, and then input a passphrase set for the your current certificate (private key):
    generate private key (size 2048 bits)
    ................................o
    ........................................................o
    -------------------------------------------
      creating a certificate signing request
    -------------------------------------------
    Input PASS Phrase:
    Verifying - Input PASS Phrase:
    save a private key file : userkey.pem
    trying to connect RA server : rra51.kek.jp (11417)
    Input PASS Phrase:
    request for issuing a re-keyed certificate ... ok.
    save a CA certificate file : 617ff41b.0
    save a certificate file : usercert.pem
    remove the CSR (unnecessary) : usercert.p10
    
For host certificate:

You can rekey your certificate, i.e. issue a new one with the same subject as the current one if the certificate will expire in less than 90 days.
Note that the old certificate is valid until the expiration date and you will receive email notifications until the old certificate expires or is revoked.
(See Section 6 for revocation of the certificate.)
  1. Check serial number (in decimal) and valid period of the expiring certificate.
    $ openssl x509 -in hostcert.pem -serial -dates -noout
    serial=3039
    notBefore=Mar 01 00:00:00 2019 GMT
    notAfter=Apr 01 00:00:00 2020 GMT
    $ printf "%d\n" 0x3039
    12345
    or
    $ echo "ibase=16; 3039" |bc
    12345

  2. Make a new directory and copy the current files into the directory with the different name.
    $ mkdir dirname
    $ cd dirname
    $ cp -p /somewhere/hostkey.pem _hostkey.pem
    $ cp -p /somewhere/hostcert.pem _hostcert.pem

  3. Rekey your certificate. Please don't forget to replace your_username with your username in the following example.
    $ /opt/kek/caclt/bin/certreq rekey -hcert -lic a_onetime_license_code -fqdn hostname -clkey _hostkey.pem -clcer _hostcert.pem
    ------
    Certificate DATA:
        serial number : 12345
        subject:
        C=JP, O=KEK, OU=CRC, CN=host/xxx,
        Validity
          Not Before: Mar 01 00:00:00 2019
          Not After : Apr 01 00:00:00 2020
    
  4. Choose "y"
    do you re-key this certificate ? (y/n)[y]:
    generate private key (size 2048 bits)
    ......................................................o
    ....................................................................o
    -------------------------------------------
      creating a certificate signing request
    -------------------------------------------
    save a private key file : hostkey.pem
    trying to connect RA server : rra51.kek.jp (11417)
    request for issuing a re-keyed certificate ... ok.
    save a CA certificate file : 617ff41b.0
    save a certificate file : hostcert.pem
    remove the CSR (unnecessary) : hostcert.p10
    
5.2. Revocation and Reissuance
You can revoke the old certificate and reissue new one with following steps:
  1. Revoke your previous certificate, according to section 6
  2. Request a new certificate, according to section 4

6. Revoking Certificates

There are two ways to revoke a certificate.
If the certificate already expired or you do not remember the passphrase, revoke it from your web browser, as described in section 6.2.

6.1. Using KEK GRID CA CLI

"certreq" command has a function to revoke a certificate.

Revocation using the CLI needs a set of files as below:

  • userkey.pem & usercert.pem
  • hostkey.pem & hostcert.pem
  • ldapkey.pem & ldapcert.pem

You need to specify relative/absolute file names if these are not in current working directory:

  1. Execute "certreq" with appropriate options

    $ /opt/kek/caclt/bin/certreq revoke -ucert -clkey userkey.pem -clcer usercert.pem
    or
    $ /opt/kek/caclt/bin/certreq revoke -hcert -clkey hostkey.pem -clcer hostcert.pem
    or
    $ /opt/kek/caclt/bin/certreq revoke -lcert -clkey ldapkey.pem -clcer ldapcert.pem
    -------------------------------------------
      revoke a current user certificate
    -------------------------------------------
    Certificate DATA:
        serial number : 12345
        subject:
        C=JP, O=KEK, OU=CRC, CN=Test User, 
    do you revoke this certificate ? (y/n)[y]:  
    ------
    Set revocation reason >>
      unspecified(0), keyCompromise(1), cACompromise(2),
      affiliationChanged(3), superseded(4), cessationOfOperation(5),
      certificateHold(6), removeFromCRL(8), privilegeWithdrawn(9),
      aaCompromise(10)
    select reason code (-1 means 'cancel') [0]: 
    trying to connect RA server : rra51.kek.jp (11417) 
    Input PASS Phrase: 
    request for certificate revocation ... ok
    success to revoke a certificate (sn:12345)
    

6.2. Using Web Browser

You can revoke an issued certificate at the KEK GRID CA service with a web browser.

  1. Visit User Enroll page with web browser.
  2. Type inputs following the prompt as needed.

Detailed procedures are illustrated in Revocation of User certificate and Revocation of Host certificate


i. Appendix A: Converting a Certificate

To import a certificate into browsers, the certificate should be in PKCS12 encrypted form.
You can convert the certificate by using openssl command as follows:
$openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out user.p12
where user.p12 is the name of your converted file.

In this command, you will be prompted for Pass Phrase and Export Password.
Pass Phrase is the pass phrase of your key file.
Export Password is the password for exporting the certificate to browsers.

The PKCS12 file can be converted to the PEM files by using the following openssl commands:
$openssl pkcs12 -in user.p12 -clcerts -nokeys -out usercert.pem
$openssl pkcs12 -in user.p12 -nocerts -out userkey.pem

ii. Appendix B: Import a Certificate to Browsers

This section shows how to import the certificate (in p12) to your browsers. Several combinations of major browsers and OSes are covered here.

= Internet Explorer 11 (Windows 10)

open Tools -> Internet Options, click Content
under Certificates, click Certificates, click Personal
click import

= Firefox 77.0.1 (Windows 10)

open Options, click Advanced, click Certificates,
click View Certificates, click Your Certificates
click import and enter the filename

= Firefox 68.9.0 (Linux)

open Edit -> Preferences, click Advanced, click Encryption
under Certificates, click View Certificates, click Your Certificates
click import and enter the filename

= Firefox 13.0 (Mac OS X)

open Firefox -> Preferences, click Advanced, click Encryption
under Certificates, click View Certificates, click Your Certificates
click import and enter the filename

= Chrome 96.0.4664.110 (Linux, Windows)

open Settings --> Privacy and security --> Security --> Manage Certificate
click import and enter the filename

= Safari 5.1.7 (MacOS X Lion)

Doubleclick your certificate file (.p12)
or
open Terminal (Application -> Utility -> Terminal), then type "open [your-cert-file (in .p12)]"

(Keychain Access is invoked,) enter the password (passphrase)
(With Keychain Access (Application -> Utility -> Keychain Access),
you should have the certificate in your login keychain.)


Powered by NAREGI CA Ver 3.3 User Enroll Service modified by KEK.