532 | | 4. Get the identity from the GCF cert. |
533 | | |
534 | | 5. Create the CSR. |
535 | | {{{ |
536 | | }}} |
537 | | |
538 | | 6. Create the proxy certificate. |
539 | | |
540 | | 7. Concatenate the new proxy cert, new private key, and original certificate to a file named x509up_uXXXXX where XXXXX is the same as the proxy cert generated by grid-proxy-init. |
541 | | |
542 | | 8. Copy the concatenated certificate to /tmp. |
| 532 | 4. Get the subject from the GCF certificate (alice-cert.pem) |
| 533 | {{{ |
| 534 | globus@pc:~/.globus$ openssl x509 -in alice-cert.pem -subject -noout |
| 535 | subject= /CN=geni//gpo//gcf.user.alice |
| 536 | }}} |
| 537 | |
| 538 | 5. Create the CSR using csr.conf provided by Ezra (see attached). Accept default answer for all except "Common Name" questions. |
| 539 | Give the subject (from previous step, do not include the 'CN=') and your own 8 digit number. |
| 540 | {{{ |
| 541 | globus@pc:~/.globus$ openssl req -new -config /tmp/csr.conf -out alice.csr -keyout alice-proxy.key |
| 542 | Generating a 1024 bit RSA private key |
| 543 | ........++++++ |
| 544 | .................++++++ |
| 545 | writing new private key to 'alice-proxy.key' |
| 546 | ----- |
| 547 | You are about to be asked to enter information that will be incorporated |
| 548 | into your certificate request. |
| 549 | What you are about to enter is what is called a Distinguished Name or a DN. |
| 550 | There are quite a few fields but you can leave some blank |
| 551 | For some fields there will be a default value, |
| 552 | If you enter '.', the field will be left blank. |
| 553 | ----- |
| 554 | Country Name "C" (2 letter code) []: |
| 555 | State Name "ST" (full name) []: |
| 556 | Locality Name "L" (eg, city) []: |
| 557 | Organization Name "O" (eg, company) []: |
| 558 | Organizational Unit Name "OU" (eg, section) []: |
| 559 | Common Name "CN" (eg, YOUR name) []:geni//gpo//gcf.user.alice |
| 560 | Email Address []: |
| 561 | Common Name "CN" (unique 8 digit number) []:12345678 |
| 562 | }}} |
| 563 | |
| 564 | This should produce the csr and key files specified on the command line. |
| 565 | |
| 566 | 6. Create the proxy certificate using the csr file generated in the previous step as well as alice-cert.pem and alice-key.pem. |
| 567 | {{{ |
| 568 | globus@pc:~/.globus$ openssl x509 -req -CAcreateserial -in alice.csr -days 7 -out alice_proxy.pem -CA alice-cert.pem -CAkey alice-key.pem -extfile /tmp/csr.conf -extensions v3_proxy |
| 569 | Signature ok |
| 570 | subject=/CN=geni//gpo//gcf.user.alice/CN=12345678 |
| 571 | Getting CA Private Key |
| 572 | }}} |
| 573 | |
| 574 | 7. Concatenate the new proxy cert, new private key, and original certificate to a file named x509up_uXXXXX where XXXXX is the globus user id (id -u). |
| 575 | {{{ |
| 576 | globus@pc:~/.globus$ cat alice_proxy.pem > x509up_u20002 |
| 577 | globus@pc:~/.globus$ cat alice-proxy.key >> x509up_u20002 |
| 578 | globus@pc:~/.globus$ cat alice-cert.pem >> x509up_u20002 |
| 579 | }}} |
| 580 | |
| 581 | 8. Copy the concatenated certificate to /tmp and set the permissions to 0600. |
| 582 | {{{ |
| 583 | cp x509up_u20002 /tmp |
| 584 | chmod 600 /tmp/x509up_u20002 |
| 585 | }}} |
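Review bot: In steps 7 and 8 the proxy file, which contains the new private key (alice-proxy.key), is created with `cat >` under whatever umask is in effect and then copied into /tmp before `chmod 600` runs, so it can sit in a shared directory readable by other local users for a short window. Suggest running `umask 077` before the first `cat` in step 7 (or writing the file directly to its final path with that umask set) so it is never created with wider permissions, and keeping the `chmod 600` as a final check. Separately, the step 5 output shows `Generating a 1024 bit RSA private key`; consider setting `default_bits` in csr.conf to at least 2048. The step 8 commands also lack the `globus@pc:~/.globus$` prompt used in the other steps, which makes it unclear which host and directory they run in.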
545 | | |
546 | | 10. Go back to the '''iRODS server''' and add the user authentication id. |
547 | | {{{ |
548 | | iadmin aua alice '/CN=geni//gpo//gcf.user.alice' |
| 588 | {{{ |
| 589 | globus@pc:~/.globus$ /usr/local/globus/bin/grid-proxy-info -f /tmp/x509up_u20002 |
| 590 | subject : /CN=geni//gpo//gcf.user.alice/CN=12345678 |
| 591 | issuer : /CN=geni//gpo//gcf.user.alice |
| 592 | identity : /CN=geni//gpo//gcf.user.alice/CN=12345678 |
| 593 | type : RFC 3820 compliant independent proxy |
| 594 | strength : 1024 bits |
| 595 | path : /tmp/x509up_u20002 |
| 596 | timeleft : 167:58:47 (7.0 days) |
| 597 | }}} |
| 598 | |
| 599 | 10. Go back to the '''iRODS server''' and add the user authentication id using the identity from the previous step. |
| 600 | {{{ |
| 601 | iadmin aua alice '/CN=geni//gpo//gcf.user.alice/CN=12345678' |
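Review bot: Step 10 now registers the full proxy identity, including the user-chosen `CN=12345678` from step 5, so the iRODS mapping stops matching as soon as a later proxy is generated with a different number, and the `timeleft` line shows the proxy lasts only 7 days. Suggest stating that the same 8 digit number must be reused when the proxy is renewed, or that `iadmin aua` has to be run again for the new identity. A one-sentence explanation of why the proxy identity is registered instead of the certificate subject from step 4 would also help readers who compare this with the previous version of the step.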