wiki:GENIDeveloper/ToolCertificates

Version 1 (modified by tmitchel@bbn.com, 5 years ago)

--

GENI Tool Certificates

GENI tools must communicate with GENI services (member authorities, slice authorities, aggregate managers, etc.) via SSL with a client-side certificate. Tools that run on the experimenter's computer can use the experimenter's certificate and private key for these communications because they are under the control of the experimenter. Tools that run on remote servers ("hosted tools"), like web-based tools or long-running services, should use their own certificate and private key for secure communications. When hosted tools want to invoke GENI services on behalf of experimenters they should use a "speaks-for" credential provided to them by the experimenter.

Requesting a tool certificate

Requesting a GENI tool certificate is easy. A GENI tool developer creates a certificate signing request (CSR) and associated private key. The CSR is sent to a GENI Clearinghouse for signing and a tool certificate is returned. This certificate contains the public key that matches the private key generated (or used) when the CSR was created.

  1. Choose a unique name for your tool and tool instance for the tool URN. The general form is tool-instance. For example, portal-gpo for the GENI Portal running at the GPO, or genidesktop-uky for the GENI Desktop running at the University of Kentucky.
    1. Specifics about allowed characters, maximum lengths, etc.
  2. Choose an email address for administrators of your tool. This will probably be an email list but could be the email address of an individual.
  3. Create a certificate signing request
    1. If you want to generate a new private key (preferred):
      openssl req -batch -new -newkey rsa:2048 -keyout PRIVATE_KEY_FILE -out CSR_FILE
      
    2. If you have a private key already:
      openssl req -batch -new -key PRIVATE_KEY_FILE -out CSR_FILE
      
  4. Create a ticket requesting a tool certificate
    1. Edit the summary to say something like "Sign CSR for YOUR_TOOL at YOUR_INSTANCE"
    2. Include the unique name (tool and instance) in the description
    3. Include the administrator email address in the description
    4. Include gpo-sw-dev@geni.net in the "Cc" field (done if you use the link above)
    5. Attach the CSR to the ticket
  5. We'll create a new certificate from the attached CSR and attach the resulting certificate to the ticket. You can then download the certificate and use it with the private key used when you created the CSR.
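The CSR and certificate steps above, worked through as an added shell example (this is not code from the GENI wiki or the GENI project). It generates the private key and CSR for a placeholder tool-instance name, checks before the CSR is attached to the ticket that its self-signature verifies and that it carries the public key of that private key, and provides the same check for the certificate downloaded from the ticket, so a certificate paired with the wrong key is caught before the hosted tool is deployed. It assumes `openssl` is on PATH; `-nodes` is added to the page's `openssl req` command so the key is written without an interactive passphrase prompt, which a hosted tool that starts unattended needs, with the file mode protecting the key instead; the function names `make_csr`, `check_csr`, `check_cert`, `pubkey_fingerprint` and the name `mytool-example` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the GENI wiki page.  Generates a tool key and CSR
# and checks that the CSR and, later, the returned certificate match that key.
# Assumes: openssl on PATH.  Tool-instance name and paths are placeholders.
set -eu

# SHA-256 of the DER-encoded public key held in a private key, a CSR or a
# certificate, so the three can be compared directly.
pubkey_fingerprint() {
    kind=$1; file=$2
    case "$kind" in
        key)  pem=$(openssl pkey -in "$file" -pubout) ;;
        csr)  pem=$(openssl req -in "$file" -pubkey -noout) ;;
        cert) pem=$(openssl x509 -in "$file" -pubkey -noout) ;;
        *)    echo "pubkey_fingerprint: unknown kind '$kind'" >&2; return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}'
}

# Subject of a CSR in RFC 2253 form, e.g. "CN=mytool-example".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Step 3 of the page: a new private key plus a CSR for the tool-instance name.
# -nodes (added here) skips the passphrase prompt; the umask makes the key
# file readable by its owner only.  Prints the CSR path.
make_csr() {
    dir=$1; name=$2
    key="$dir/$name.key"; csr="$dir/$name.csr"
    ( umask 077 && openssl req -batch -new -newkey rsa:2048 -nodes \
          -subj "/CN=$name" -keyout "$key" -out "$csr" 2>/dev/null )
    echo "$csr"
}

# Before attaching the CSR to the ticket: its self-signature must verify and
# its public key must be the one belonging to our private key.
check_csr() {
    key=$1; csr=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR self-signature does not verify" >&2; return 1; }
    [ "$(pubkey_fingerprint key "$key")" = "$(pubkey_fingerprint csr "$csr")" ] \
        || { echo "CSR public key does not match $key" >&2; return 1; }
    echo "CSR OK for $(csr_subject "$csr")"
}

# Step 5 of the page: the certificate downloaded from the ticket is only
# usable with the key the CSR was made from; refuse anything else.
check_cert() {
    key=$1; cert=$2
    [ "$(pubkey_fingerprint key "$key")" = "$(pubkey_fingerprint cert "$cert")" ] \
        || { echo "certificate public key does not match $key" >&2; return 1; }
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Usage: sh tool_csr.sh <tool-instance> [dir]    (e.g. mytool-example, a placeholder)
if [ -n "${1:-}" ]; then
    dir=${2:-$(mktemp -d)}
    csr=$(make_csr "$dir" "$1")
    check_csr "$dir/$1.key" "$csr"
    echo "attach $csr to the ticket; keep $dir/$1.key private"
fi
```

Run `check_cert` once more after the Clearinghouse returns the signed certificate; it prints the subject and expiry when the certificate belongs to the key, and exits non-zero otherwise. The fingerprint comparison works on the DER public key, so it is independent of PEM line wrapping and of the OpenSSL version's text output format.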