DOEGrid Certificates

  1. Do this work in /full/path/to/certs (defined in Configure SSL)
  2. If you are at Fermilab, use these instructions.
  3. openssl req -new > new.cert.csr
    Your answers to the questions are crucial.
    DOE will simply reject the request if it does not recognize the organization and organizational unit. (The OU is probably "Services".)
    Please check with your institution.
    The "Common Name" is the name of your webserver (e.g., myserver.some.domain).
         Generating a 1024 bit RSA private key
         writing new private key to 'privkey.pem'
         Enter PEM pass phrase:
         Verifying - Enter PEM pass phrase:
         You are about to be asked to enter information that will be incorporated
         into your certificate request.
         What you are about to enter is what is called a Distinguished Name or a DN.
         There are quite a few fields but you can leave some blank
         For some fields there will be a default value,
         If you enter '.', the field will be left blank.
         Country Name (2 letter code) [GB]: My Country
         State or Province Name (full name) [Berkshire]: My State
         Locality Name (eg, city) [Newbury]: My Town
         Organization Name (eg, company) [My Company Ltd]: FOLLOW YOUR INSTITUTION'S INSTRUCTIONS
         Organizational Unit Name (eg, section) []: Services
         Common Name (eg, your name or your server's hostname) []: myserver.some.domain
         Email Address []: myemail@some.domain
         Please enter the following 'extra' attributes
         to be sent with your certificate request
         A challenge password []:  EMPTY FOR DOE
         An optional company name []:
  4. The previous step creates both new.cert.csr and privkey.pem.
  5. Remove the passphrase from the key:
    openssl rsa -in privkey.pem -out new.cert.key
  6. Go to the DOEgrids Certificate Manager
  7. Click on the "Grid or SSL Server" link
  8. Cut & paste the new.cert.csr data into the "PKCS #10 Request" field on the form. Fill out the rest of the information and submit.

DocDB License