14. Appendix: recommended host CAs¶
14.1. Using InCommon¶
For a fixed annual fee, InCommon will issue unlimited host certificates to its member institutions. If your institution is an InCommon subscriber, you can use a host certificate issued by InCommon. Open Science Grid has created tools for working with InCommon CA.
You can use OSG PKI tools to generate the certificate signing request, and then submit it to InCommon for signing. For more information, see OSG documentation on InCommon.
To generate a Certificate Signing Request (CSR) and a host key, you
will need the osg-cert-request
tool from osg-pki-tools
package, available in osg
repository. This CSR will be signed by
InCommon CA. Follow the steps below:
1. Use instructions in OSG documentation for enabling the osg
repository for RHEL and derivatives, and then install the package:
$ sudo yum install osg-pki-tools
Generate a CSR and private key using the
osg-cert-request
tool:
$ osg-cert-request --hostname $HOST \
--country $COUNTRY \
--state $STATE \
--locality $LOCALITY \
--organization $ORGANIZATION
If successful, the CSR will be named $HOSTNAME.req
and the private
key will be named $HOSTNAME-key.pem
.
3. Find your institution’s InCommon contact , and submit the CSR that
you generated above to them. Request a 1-year IGTF Server
Certificate
for OTHER
server software.
4. Download the host certificate only (not the full chain) signed by your institution, and copy it to the host, along with key you generated above.
Verify that the issuer
CN
field isInCommon IGTF Server CA
:
$ openssl x509 -in <PATH TO CERTIFICATE> -noout -issuer
issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon IGTF Server CA
6. Install the host certificate and key, with the right permissions
and ownership. Assuming that you copied hostcert.pem
and
hostkey.pem
to your home directory:
$ sudo cp ~/hostcert.pem /etc/grid-security/hostcert.pem
$ sudo cp ~/hostkey.pem /etc/grid-security/hostkey.pem
$ sudo chown root:root /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
$ sudo chmod 444 /etc/grid-security/hostcert.pem
$ sudo chmod 400 /etc/grid-security/hostkey.pem
14.2. Using LetsEncrypt¶
LetsEncrypt is a Certificate Authority that offers free and automated certificates. Certificates issued by LetsEncrypt are trusted by most browsers and operating system.
Install certbot package.
On RHEL derivatives, install cerbot from the epel
repository
$ sudo yum install epel-release
$ sudo yum install certbot
On Ubuntu systems, install certbot with:
$ sudo apt install certbot
2. Run the following command to obtain a host certificate with Let’s Encrypt:
$ sudo certbot certonly --standalone --email $ADMIN_EMAIL -d $HOST
Once the above command is finished, a key and LetsEncrypt-issued certificate will be installed in the following paths:
/etc/letsencrypt/live/$HOST/privkey.pem
/etc/letsencrypt/live/$HOST/cert.pem
3. Make symbolic links to the below paths, respectively:
/etc/grid-security/hostkey.pem
/etc/grid-security/hostcert.pem
Run the below commands to make the symbolic links:
$ sudo ln -s /etc/letsencrypt/live/$HOST/cert.pem /etc/grid-security/hostcert.pem
$ sudo ln -s /etc/letsencrypt/live/$HOST/privkey.pem /etc/grid-security/hostkey.pem
$ sudo chmod 0600 /etc/letsencrypt/archive/$HOST/privkey*.pem
14.3. Using SimpleCA¶
Alternatively, you can use SimpleCA to generate and issue your own host certificates by following the instructions:
Choose a node, for example,
ca-node.example.net
, to install and run SimpleCA.Set up a SimpleCA instance on
ca-node.example.net
:$ sudo yum install globus-simple-ca
This package’s post-install scripts will generate the necessary setup in
/var/lib/globus/simple_ca/
.On
ca-node.example.net
, run the commandgrid-ca-package
to generate a package for the Simple CA root certificate.On RHEL and derivatives, you can do:
$ grid-ca-package -r The available CA configurations installed on this host are: Directory: /etc/grid-security/certificates [... elided ...] 7) 72e85ee6 - /O=Grid/OU=GlobusTest/OU=simpleCA-certs.fnal.gov/CN=Globus Simple CA [... elided ...] Enter the index number of the CA to package [q to quit]: 7 Creating RPM source tarball... done globus_simple_ca_72e85ee6.tar.gz Creating RPM binary... [... elided ...] $ ls globus* globus-simple-ca-72e85ee6-1.0-1.el7.noarch.rpm globus_simple_ca_72e85ee6.tar.gzOn Ubuntu (or Debian), you can do:
$ grid-ca-package -d
Install SimpleCA root certificate package in hosts
Copy the generated package from
ca-node.example.net
to your other nodes, and install them locally usingrpm
ordpkg
command.This should install our SimpleCA root certficate in
/etc/grid-security/certficates
.If you have nodes running Ubuntu or Debian, use Alien to convert the RPM package to a DEB package.
Generate a host certificate request
$ mkdir -p ~/certs/nci/${host} $ cd ~/certs/nci/${host} $ grid-cert-request -dir `pwd` -host ${host} -ip ${IPv4}
Replace
${host}
with the host’s DNS name, and${IPv4}
with its IPv4 address. If the host does not have a DNS name, omit-host ${host}
from arguments togrid-cert-request
.Copy
hostcert_request.pem
toca-node.example.net
.At
ca-node.example.net
, sign the host certificate request:$ sudo grid-ca-sign -in hostcert_request.pem -out hostsigned.pem
Verify the certificate:
$ openssl x509 -in hostsigned.pem -text | head -n 12
The signed host certificate is named
hostsigned.pem
.Please rename it tohostcert.pem
:$ mv hostsigned.pem hostcert.pem
Intall host certificate in the host
Once
hostkey.pem
andhostcert.pem
are ready, copy them to the folder/etc/grid-security
in the host, with appropriate permissions:$ cd /etc/grid-security $ sudo chown root:root hostcert.pem hostkey.pem $ sudo chmod 0600 hostkey.pem $ sudo chmod 0644 hostcert.pem