Requesting Certificates

From SURAgrid

You've got your personal certificate, right?

You'll need a minimum of three host/service certificates to run a Compute Element (CE) resource: host, http, and rsv. There are two methods for requesting these certificates: the OIM Certificate web site or the OSG PKI command-line tools.

Method 1: Web Interface


  • Web Browser with your personal certificate
  • Linux or MacOS X system with openssl command

Create a directory in which to temporarily store your keys and certificates.

umask 077
mkdir ~/osgcerts
cd ~/osgcerts

Go to the OIM Certificate Service and click the Login link at the top right.

Under HOST CERTIFICATES in the left navigation column, click RequestNew.

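Open a Terminal window on your system and generate three Certificate Signing Requests (CSRs). The -nodes option writes each private key unencrypted, so run these commands in the directory created above under umask 077: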

openssl req -new -newkey rsa:2048 -nodes -keyout hostkey.pem -out hostcsr.pem -subj "/"
openssl req -new -newkey rsa:2048 -nodes -keyout httpkey.pem -out httpcsr.pem -subj "/CN=http\/"
openssl req -new -newkey rsa:2048 -nodes -keyout rsvkey.pem -out rsvcsr.pem -subj "/CN=rsv\/"

Print the hostcsr.pem file in your Terminal window with cat and copy/paste the output into the CSR input area on the web form. Paste only the *csr.pem files; the *key.pem files stay on your system. Hit <Tab> in the CSR input form: JavaScript will pre-process your CSR input and bring up a selector, Approver VO, for which you choose OSG. In the Comments area, enter any comments to send to the GridAdmin who will issue your certificate. On the same page, click 'Add CSR' to add a box for a second certificate request, then cat the httpcsr.pem file and paste its content into that box. Click 'Add CSR' one more time and paste the contents of the rsvcsr.pem file into the third box.

Read the OSG Policy Agreement and click I AGREE if you agree to the terms.

Click Submit. You will receive confirmation e-mails for the submission and approval/issuance of your certificates.

When your certificates are issued, return to the OIM Certificate Service and click My Requests under HOST CERTIFICATES. Right-click each of the links to the certificates to download them to your ~/osgcerts directory. Name each downloaded certificate to match its key, e.g., hostcert.pem for hostkey.pem.


The certificate/key pairs are installed under /etc/grid-security/. Assuming your RSV user is rsvuser, run the following as root:

cd ~/osgcerts
mkdir --mode=755 /etc/grid-security/http /etc/grid-security/rsv
install -m 444 -o root -g root hostcert.pem /etc/grid-security/hostcert.pem
install -m 400 -o root -g root hostkey.pem /etc/grid-security/hostkey.pem
install -m 444 -o tomcat -g tomcat httpcert.pem /etc/grid-security/http/httpcert.pem
install -m 400 -o tomcat -g tomcat httpkey.pem /etc/grid-security/http/httpkey.pem
install -m 444 -o rsvuser -g rsvuser rsvcert.pem /etc/grid-security/rsv/rsvcert.pem
install -m 400 -o rsvuser -g rsvuser rsvkey.pem /etc/grid-security/rsv/rsvkey.pem
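
Before running the install commands above, it is worth confirming that each downloaded certificate really belongs to the key it was named after, since a swapped pair only shows up later as a service failing to start. The script below is an added example, not part of the original page or the OSG tools; the function names, the script name check.sh and the self-signed sample data (CN=example.invalid) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): confirm each downloaded
# certificate belongs to its private key before installing the pair.

# pair_matches CERT KEY: succeed only if both carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY: succeed only if group and other have no access bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_certs DIR: check the host, http and rsv pairs; return the failure count.
check_certs() {
    failures=0
    for name in host http rsv; do
        cert="$1/${name}cert.pem"; key="$1/${name}key.pem"
        if ! pair_matches "$cert" "$key"; then
            echo "MISMATCH or unreadable: $cert / $key" >&2
            failures=$((failures + 1))
        elif ! key_is_private "$key"; then
            echo "PERMS: $key is accessible by group or other" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# make_sample DIR: constructed test data (self-signed, CN=example.invalid)
# standing in for certificates issued by the CA.
make_sample() {
    ( umask 077; mkdir -p "$1"; cd "$1" || exit 1
      for name in host http rsv; do
          openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
              -keyout "${name}key.pem" -out "${name}cert.pem" \
              -subj "/CN=example.invalid" 2>/dev/null || exit 1
      done )
}

# Usage (check.sh is a hypothetical file name): sh check.sh ~/osgcerts
if [ -n "${1:-}" ]; then check_certs "$1" && echo "all pairs OK"; fi
```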

Method 2: Command Line

The OSG Host/Service Certificates documentation demonstrates the installation of the tools used to generate and submit CSRs from the command line.
