Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#1250 closed (fixed)

Sign CSR for ExoGENI generic collector cert

Reported by: jonmills@renci.org Owned by: tmitchel@bbn.com
Priority: blocker Milestone:
Component: GPO Version: SPIRAL6
Keywords: Cc: gpo-sw-dev@geni.net
Dependencies:

Description (last modified by tmitchel@bbn.com)

Please send the signed server cert directly back to jonmills@renci.org.

Administrator email: exogeni-ops@renci.org


Attachments (2)

collector-exogeni.pem (2.5 KB) - added by tmitchel@bbn.com 6 years ago.
collector-exogeni.2.pem (2.5 KB) - added by tmitchel@bbn.com 5 years ago.


Change History (15)

comment:1 Changed 6 years ago by tmitchel@bbn.com

Owner: changed from somebody to tmitchel@bbn.com
Status: changed from new to accepted

comment:2 Changed 6 years ago by tmitchel@bbn.com

Call this collector-exogeni.

comment:3 Changed 6 years ago by jonmills@renci.org

Okay try this one:


comment:4 Changed 6 years ago by jonmills@renci.org

Any update on this?

comment:5 Changed 6 years ago by tmitchel@bbn.com

No update yet. It's in the queue for today.

comment:6 Changed 6 years ago by tmitchel@bbn.com

What email address should be embedded in the certificate? For info, see step 2 under wiki:GENIDeveloper/ToolCertificates#Requestingatoolcertificate regarding email address for administrators.

comment:7 in reply to:  6 Changed 6 years ago by dwiggins@bbn.com

Replying to tmitchel@…:

What email address should be embedded in the certificate? For info, see step 2 under wiki:GENIDeveloper/ToolCertificates#Requestingatoolcertificate regarding email address for administrators.

Johnathon says this address was in the CSR.

comment:8 Changed 6 years ago by tmitchel@bbn.com

Good. Unfortunately it's not on the ticket and we overwrite what's in the CSR, using the CSR only for the public key. I'll see if I can dig into the CSR for that info.

comment:9 Changed 6 years ago by tmitchel@bbn.com

Description: modified (diff)

Changed 6 years ago by tmitchel@bbn.com

Attachment: collector-exogeni.pem added

comment:10 Changed 6 years ago by tmitchel@bbn.com

Resolution: fixed
Status: changed from accepted to closed

The certificate is attached. Note the certificate expires on "Sep 4 17:36:29 2014 GMT".

comment:11 Changed 6 years ago by jonmills@renci.org

This was how I created the cert:

[root@rci-hn ~]# openssl req -new -newkey rsa:2048 -nodes -keyout opsmon.key -out opsmon.csr Generating a 2048 bit RSA private key ...........................................................................................................+++ ...........+++ writing new private key to 'opsmon.key'


You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:US State or Province Name (full name) []:North Carolina Locality Name (eg, city) [Default City]:Chapel Hill Organization Name (eg, company) [Default Company Ltd]:RENCI Organizational Unit Name (eg, section) []:ExoGENI Common Name (eg, your name or your server's hostname) []:collector-exogeni Email Address []:exogeni-ops@renci.org

Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

comment:12 Changed 6 years ago by jonmills@renci.org

Let's try that again with better formatting:

[root@rci-hn ~]# openssl req -new -newkey rsa:2048 -nodes -keyout opsmon.key -out opsmon.csr
Generating a 2048 bit RSA private key
...........................................................................................................+++
...........+++
writing new private key to 'opsmon.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:North Carolina
Locality Name (eg, city) [Default City]:Chapel Hill
Organization Name (eg, company) [Default Company Ltd]:RENCI
Organizational Unit Name (eg, section) []:ExoGENI
Common Name (eg, your name or your server's hostname) []:collector-exogeni
Email Address []:exogeni-ops@renci.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

comment:13 Changed 6 years ago by tmitchel@bbn.com

Thanks for the info. We ignore everything in the CSR except for the public key. We do not just sign the provided CSR. We use a different set of information that goes into the tool certificate. This information includes a GENI URN for the tool, for instance.

Changed 5 years ago by tmitchel@bbn.com

Attachment: collector-exogeni.2.pem added
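
The signing model described in comment:8 and comment:13, sketched as an added example that is not part of the ticket or of GENI's tooling: the CA checks the CSR's self-signature, reads the email out of it, and issues a certificate that reuses only the CSR's public key under a subject it chooses itself. The CA names, the URN value, putting the URN in subjectAltName, and the use of `-force_pubkey` with a carrier request are all assumptions made for this demo.

```shell
# Added example: every key, name and URN here is constructed for the demo.
set -eu
W=$(mktemp -d)
# Subject the requester typed in the ticket's openssl req session.
CSR_SUBJ="/C=US/ST=North Carolina/L=Chapel Hill/O=RENCI/OU=ExoGENI/CN=collector-exogeni/emailAddress=exogeni-ops@renci.org"
# Subject and SAN chosen by the CA (hypothetical values, placeholder URN).
CA_SUBJ="/O=Example Tool CA/CN=collector-exogeni"
CA_SAN="URI:urn:publicid:IDN+ca.example+tool+collector-exogeni,email:exogeni-ops@renci.org"

# Requester side: the ticket's command, made non-interactive with -subj.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/opsmon.key" \
    -out "$W/opsmon.csr" -subj "$CSR_SUBJ" 2>/dev/null
}

# Throwaway self-signed root standing in for the real signing CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
}

# Recover the administrator email embedded in the CSR subject.
csr_email() {
  openssl req -in "$W/opsmon.csr" -noout -subject -nameopt multiline |
    awk -F' = ' '/emailAddress/ {print $2}'
}

# Issue a certificate that takes only the public key from the CSR.
issue() {
  # Proof of possession: the CSR must be signed by the key it carries.
  openssl req -in "$W/opsmon.csr" -noout -verify 2>&1 | grep -q 'verify OK'
  openssl req -in "$W/opsmon.csr" -noout -pubkey > "$W/pub.pem"
  # Carrier request holding the CA's subject; its key is swapped out below.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/tmp.key" \
    -out "$W/carrier.csr" -subj "$CA_SUBJ" 2>/dev/null
  printf 'subjectAltName=%s\n' "$CA_SAN" > "$W/ext.cnf"
  openssl x509 -req -in "$W/carrier.csr" -force_pubkey "$W/pub.pem" \
    -CA "$W/ca.pem" -CAkey "$W/ca.key" -CAcreateserial -days 365 \
    -extfile "$W/ext.cnf" -out "$W/cert.pem" 2>/dev/null
}
# Succeeds when the issued certificate carries the CSR's public key.
same_key() {
  [ "$(openssl x509 -in "$W/cert.pem" -noout -pubkey)" = "$(cat "$W/pub.pem")" ]
}

make_csr; make_ca; issue
echo "email in CSR: $(csr_email)"
openssl x509 -in "$W/cert.pem" -noout -subject -issuer
same_key && echo "public key matches CSR"
```

The requester's DN fields (RENCI, ExoGENI, Chapel Hill) do not appear in the issued certificate, which is why the ticket had to carry the administrator email separately.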