Deprecated: please see new documentation site.



LONI CA certificates for the Users/Other Certification Authorities (CAs)

The LONI Certification Authority (CA) publishes its CA public certificates for browser and Grid-related use. For example:

  • Users can have their LONI certificates trusted by other Certification Authorities (CAs).
  • Users can import the LONI CA public certificate into their browser to validate the server certificates of the LONI websites (e.g., the LONI Documentation pages).
  • Other Certification Authorities can use the LONI CA revocation list to keep an up-to-date record of which certificates issued by the LONI CA are still active.

LONI CA (Root) Certificate:

The LONI CA (Root) Certificate is available in the following formats:

File Type | Format | URL
CA Public/Root certificate | Privacy Enhanced Mail (pem) format | lonica.pem
CA Public/Root certificate | Distinguished Encoding Rules (der) format | lonica.der
CA Public/Root certificate | Browser Importable (crt) format | lonica.crt
CA Public/Root certificate | Hashed file format | a3bf9f3c.0

To verify the fingerprint of the certificate, use the following command:

[sirish@l2f1n03] [~]
<> openssl x509 -noout -fingerprint -sha1 -in /etc/grid-security/certificates/a3bf9f3c.0
SHA1 Fingerprint=36:AC:BA:80:63:6E:D7:5B:32:3F:0C:69:98:A6:23:C3:2B:C6:16:F7

You should see exactly the fingerprint shown above, and no other.

Certificate Revocation List

The LONI CA Certificate Revocation List is available in the following formats:

File Type | Format | URL
Certificate Revocation List | Privacy Enhanced Mail (pem) format | loni_crl.pem
Certificate Revocation List | Distinguished Encoding Rules (der) format | loni_crl.der
Certificate Revocation List | Browser Importable (crt) format | loni_crl.crl
Certificate Revocation List | Hashed file format | a3bf9f3c.r0

LONI CA Signing Policy

a3bf9f3c.signing_policy

Usage Scenarios

Importing LONI CA certificates into your Browser

For Internet Explorer:

  • Click on the link.
  • Click Open.
  • Click "Install Certificate..."
  • Click Next twice.

For Firefox:

  • Click on the browser importable format link for the LONI CA public/root certificate.
  • Check the boxes depending on your needs.
  • Click OK.

Importing LONI CA Revocation list into your Browser

For Internet Explorer:

  • Click on the link.
  • Click Open.
  • Click "Install Certificate..."
  • Click Next twice.

For Firefox:

  • Click on the browser importable format link for the LONI CA published revocation list.
  • You will see a message that the LONI CA certificate revocation list has been successfully imported. You will be asked whether to enable automatic updates. Click Yes.
  • Check the enable automatic updates option for the certificate revocation list. Add the URL of the certificate revocation list and click OK.

Getting your LONI Grid Certificate mapped onto machines with other CAs

You have to supply the Distinguished Name (DN) of your Globus certificate to the CAs of the machines where you want your certificate to be mapped. To find your Distinguished Name, visit Your Grid Certificate Information. Provide this DN to the CA of the machine. If the CA of the machine does not already trust the LONI CA, you will also have to provide it with the LONI CA (root) certificate in the hashed file format and the CA signing policy file.

Adding LONI CA to your list of Trusted Certification Authorities

This applies when you want your Globus installation to trust the LONI CA. After configuring the Globus environment on your machine, add the LONI CA Root certificate file in hashed file format and the LONI CA Signing Policy file to the trusted certificates directory.

On an uncustomized Globus installation, this trusted certificates directory is usually /etc/grid-security/certificates.
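
The fingerprint check shown earlier on this page can be used to gate this install step. The following Python code is an added example, not LONI or Globus code: the function names and the sample bytes are assumptions made for illustration, while the fingerprint and file names are the ones this page gives. It computes the same value as the openssl command (SHA-1 over the certificate's DER encoding), whether the file is PEM or DER encoded.

```python
import base64
import hashlib
import hmac
import re
import shutil
from pathlib import Path

# SHA1 fingerprint published on this page for the LONI CA root certificate.
LONI_CA_SHA1 = "36:AC:BA:80:63:6E:D7:5B:32:3F:0C:69:98:A6:23:C3:2B:C6:16:F7"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as PEM or as raw DER."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data


def sha1_fingerprint(data: bytes) -> str:
    """Value printed by `openssl x509 -noout -fingerprint -sha1`: SHA-1 of the DER."""
    digest = hashlib.sha1(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(data: bytes, expected: str = LONI_CA_SHA1) -> bool:
    """Compare fingerprints, ignoring case and colon separators."""
    norm = lambda s: s.replace(":", "").strip().upper()
    return hmac.compare_digest(norm(sha1_fingerprint(data)), norm(expected))


def install_ca(cert: Path, policy: Path, trust_dir: Path,
               expected: str = LONI_CA_SHA1) -> bool:
    """Copy the hashed CA file and signing policy only if the fingerprint matches."""
    if not matches(cert.read_bytes(), expected):
        return False  # nothing is written to the trusted directory
    trust_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(cert, trust_dir / cert.name)
    shutil.copy2(policy, trust_dir / policy.name)
    return True


# Constructed sample: three placeholder bytes standing in for DER, not a real certificate.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("PEM:", sha1_fingerprint(SAMPLE_PEM), "DER:", sha1_fingerprint(SAMPLE_DER))
    print("matches published LONI fingerprint:", matches(SAMPLE_PEM))
```

With the real files, call install_ca with the paths of the downloaded a3bf9f3c.0 and a3bf9f3c.signing_policy and the trusted certificates directory; it returns False and copies nothing if the fingerprint differs from the one published above.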

Setting up LONI CA Published Certificate Revocation list in your Globus Installation

After adding the LONI CA to your trusted certificates directory (or if you have already done so), place the LONI CA revocation list in hashed file format alongside the LONI CA Root certificate. To do this:

  • Download the file at the URL for the hashed file format.
  • Rename it to the name given in the URL.
  • Move it into the Globus trusted certificates directory.

On an uncustomized Globus installation, this trusted certificates directory is usually /etc/grid-security/certificates.


Users may direct questions to sys-help@loni.org.
