#1250 closed (fixed)
Sign CSR for ExoGENI generic collector cert
Reported by: | jonmills@renci.org | Owned by: | tmitchel@bbn.com |
---|---|---|---|
Priority: | blocker | Milestone: | |
Component: | GPO | Version: | SPIRAL6 |
Keywords: | | Cc: | gpo-sw-dev@geni.net |
Dependencies: | | | |
Description (last modified by )
Please send the signed server cert directly back to jonmills@renci.org.
Administrator email: exogeni-ops@renci.org
Attachments (2)
Change History (15)
comment:1 Changed 9 years ago by
Owner: | changed from somebody to tmitchel@bbn.com |
---|---|
Status: | new → accepted |
comment:2 Changed 9 years ago by
comment:3 Changed 9 years ago by
Okay try this one:
comment:6 follow-up: 7 Changed 9 years ago by
What email address should be embedded in the certificate? For info, see step 2 under wiki:GENIDeveloper/ToolCertificates#Requestingatoolcertificate regarding email address for administrators.
comment:7 Changed 9 years ago by
Replying to tmitchel@…:
What email address should be embedded in the certificate? For info, see step 2 under wiki:GENIDeveloper/ToolCertificates#Requestingatoolcertificate regarding email address for administrators.
Johnathon says this address was in the CSR.
comment:8 Changed 9 years ago by
Good. Unfortunately it's not on the ticket and we overwrite what's in the CSR, using the CSR only for the public key. I'll see if I can dig into the CSR for that info.
comment:9 Changed 9 years ago by
Description: | modified (diff) |
---|
Changed 9 years ago by
Attachment: | collector-exogeni.pem added |
---|
comment:10 Changed 9 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
The certificate is attached. Note the certificate expires on "Sep 4 17:36:29 2014 GMT".
comment:11 Changed 9 years ago by
This was how I created the cert:
[root@rci-hn ~]# openssl req -new -newkey rsa:2048 -nodes -keyout opsmon.key -out opsmon.csr Generating a 2048 bit RSA private key ...........................................................................................................+++ ...........+++ writing new private key to 'opsmon.key'
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US State or Province Name (full name) []:North Carolina Locality Name (eg, city) [Default City]:Chapel Hill Organization Name (eg, company) [Default Company Ltd]:RENCI Organizational Unit Name (eg, section) []:ExoGENI Common Name (eg, your name or your server's hostname) []:collector-exogeni Email Address []:exogeni-ops@renci.org
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
comment:12 Changed 9 years ago by
Let's try that again with better formatting:
```
[root@rci-hn ~]# openssl req -new -newkey rsa:2048 -nodes -keyout opsmon.key -out opsmon.csr
Generating a 2048 bit RSA private key
...........................................................................................................+++
...........+++
writing new private key to 'opsmon.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Chapel Hill
Organization Name (eg, company) [Default Company Ltd]:RENCI
Organizational Unit Name (eg, section) []:ExoGENI
Common Name (eg, your name or your server's hostname) []:collector-exogeni
Email Address []:exogeni-ops@renci.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
comment:13 Changed 9 years ago by
Thanks for the info. We ignore everything in the CSR except for the public key. We do not just sign the provided CSR. We use a different set of information that goes into the tool certificate. This information includes a GENI URN for the tool, for instance.
Changed 9 years ago by
Attachment: | collector-exogeni.2.pem added |
---|
Call this collector-exogeni.
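What comments 8 and 13 describe (keeping only the public key from the CSR and supplying the rest of the certificate contents on the issuer side), as an added example that is not the GENI tooling or anything posted in this ticket. The throwaway CA, the subject names, the URN value and its placement in subjectAltName are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ticket): issue a certificate that takes ONLY the
# public key from a requester's CSR. CA, names and URN below are constructed.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Issuer side. $1 = CSR, $2 = issuer-chosen subject, $3 = issuer-chosen URN.
issue_from_csr_pubkey() {
    # Proof of possession: the CSR self-signature must verify. Match on the
    # message, since older openssl exits 0 even when verification fails.
    out=$(openssl req -in "$1" -noout -verify 2>&1) || return 1
    case $out in *"verify OK"*) ;; *) return 1 ;; esac
    # Keep the public key; the subject and attributes in the CSR are ignored.
    openssl req -in "$1" -noout -pubkey > "$W/req_pub.pem"
    # Build an issuer-side request carrying the issuer's subject, then sign it
    # with the requester's key forced in as the certified public key.
    openssl req -new -key "$W/ca.key" -subj "$2" -out "$W/issuer.csr"
    printf 'subjectAltName=URI:%s\n' "$3" > "$W/ext.cnf"
    openssl x509 -req -in "$W/issuer.csr" -force_pubkey "$W/req_pub.pem" \
        -CA "$W/ca.crt" -CAkey "$W/ca.key" -set_serial 1 -days 365 -sha256 \
        -extfile "$W/ext.cnf" -out "$W/tool.crt" 2>/dev/null
}

# Checks on what ended up in the issued certificate.
same_pubkey() {   # succeeds if the certificate certifies the CSR's key
    [ "$(openssl x509 -in "$W/tool.crt" -noout -pubkey)" = "$(cat "$W/req_pub.pem")" ]
}
cert_text() { openssl x509 -in "$W/tool.crt" -noout -text; }

# Throwaway CA (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/ca.key" -out "$W/ca.crt" \
    -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null
# Requester side: same command shape as in comment 12, made non-interactive.
openssl req -new -newkey rsa:2048 -nodes -keyout "$W/req.key" -out "$W/req.csr" \
    -subj "/O=Requester Org/CN=name-typed-by-requester/emailAddress=requester@example.org" \
    2>/dev/null

issue_from_csr_pubkey "$W/req.csr" "/O=Demo Issuer/CN=collector-tool" \
    "urn:publicid:IDN+demo.example+tool+collector"
same_pubkey && echo "public key: taken from the CSR"
cert_text | grep -E 'Subject:|URI:'
```

The subject and email typed into the CSR never reach the certificate, which is why the administrator address had to be supplied on the ticket itself.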