How To Use the InCommon IGTF Server CA with the Globus Toolkit

Introduction

The InCommon Certificate Service provides unlimited certificates to subscribers for a fixed annual fee. Since many universities in the United States are subscribers to this service, it is an attractive option for obtaining certificates for use with the Globus Toolkit. The InCommon IGTF Server CA provides certificates for grid computing.

Obtaining a Certificate for Use with Globus

To obtain a certificate from the InCommon IGTF Server CA for use with the Globus Toolkit, first generate a private key and certificate request. For example:

# openssl req -nodes -new -newkey rsa:2048 -sha256 -out req.pem -keyout hostkey.pem -subj "/CN=server1.example.edu"
# chmod 0600 hostkey.pem req.pem

Then request an "IGTF Server Cert" for "Tomcat" (for best compatibility) using the InCommon Certificate Manager. Copy and paste the contents of req.pem into the request window and select "Get CN from CSR". When your request is approved, download your certificate in "X509 Certificate Only, Base64 encoded" format and rename the downloaded file to hostcert.pem. Finally, install your hostkey.pem and hostcert.pem files in /etc/grid-security for use with the Globus Toolkit, backing up your existing files as needed:

# mv /etc/grid-security/hostcert.pem /etc/grid-security/hostcert.pem.bak.$$
# mv /etc/grid-security/hostkey.pem /etc/grid-security/hostkey.pem.bak.$$
# mv hostcert.pem hostkey.pem /etc/grid-security
# chown root:root /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
# chmod 0644 /etc/grid-security/hostcert.pem

To view your certificate, use the openssl x509 command:

# openssl x509 -text < /etc/grid-security/hostcert.pem

To verify that your private key matches your certificate, check that the Modulus values match:

if [ "`openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus`" = \
     "`openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus`" ]; \
     then echo "Match"; else echo "Different"; fi
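
The check above can be extended into a single pre-install test. The following is an added example, not part of the original how-to or of the Globus Toolkit: it compares full public keys (so it also covers non-RSA keys), confirms the key file keeps the owner-only mode set earlier, and flags a certificate that expires within 24 hours. The function name check_host_credential and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original how-to.
# check_host_credential is a hypothetical helper name, not a Globus tool.
# Usage: check_host_credential /etc/grid-security/hostcert.pem \
#                              /etc/grid-security/hostkey.pem
# Return codes: 0 ok, 1 unreadable or unparsable file, 2 key/cert mismatch,
#               3 key accessible to group or other, 4 expires within 24 hours.
check_host_credential() {
    cert=$1
    key=$2

    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # Compare the full public keys instead of the RSA modulus, so the same
    # check also covers non-RSA key types.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    # Characters 5-10 of the ls mode string are the group and other bits;
    # with the 0600 mode set earlier they are all "-".
    mode=$(ls -ldL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || return 4

    return 0
}
```

Run it against the new files before moving them into /etc/grid-security, and again afterwards to confirm the installed pair.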

Configuring Globus to Trust the InCommon IGTF Server CA

To configure the Globus Toolkit to trust the InCommon IGTF Server CA, install one of the following: the IGTF CA distribution, the XSEDE CA distribution, or the OSG CA distribution.