Transcript Slides

Co-ordination & Harmonisation of Advanced e-Infrastructures
for Research and Education Data Sharing
Research Infrastructures, Grant Agreement n. 306819
RA Registration
Christos Kanellopoulos GRNET
SAGrid All-Hands Meeting, 26 March 2013
Overview
“SEE-GRID CA is a Certification Authority managed and operated by
the GRNET S.A., coordinator of the Greek National Grid Initiative, in
cooperation with the Scientific Computing Center at the Aristotle
University of Thessaloniki.”
History
Between July 2004 and April 2010, SEE-GRID CA operated in the context of
the SEE-GRID Regional Grid Infrastructure project series (SEE-GRID-I
2004-2006, SEE-GRID-II 2006-2008, SEE-GRID-SCI 2008-2010), with the mandate
to provide catch-all PKI services to the wider region of South Eastern
Europe in order to serve the needs of distributed computing, pave the way
for the countries in the region to establish their own national Public Key
Infrastructures, and guide them through the IGTF accreditation process.

Since May 2010, SEE-GRID CA has provided catch-all PKI services for the
European Grid Initiative (EGI.eu) in the context of the EGI-InSPIRE project.
Registration Authorities

The identification and authentication of certificate applicants are
performed by trusted individuals (Registration Authorities) appointed by
the SEE-GRID CA.

Country                  Registration Authority / Organization
Greece                   GRNET
Albania                  Polytechnic University of Tirana
Bosnia and Herzegovina   University of Banja Luka
Bosnia and Herzegovina   University of Sarajevo
Georgia                  GRENA
Azerbaijan               National Academy of Sciences
Senegal                  University Cheikh Anta Diop
Switzerland              SixSq
How to Create a Registration Authority

In order to set up a SEE-GRID CA Registration Authority, the SEE-GRID CA
needs an official request from a legal representative of the Institute or
Organization, containing:

- the formal name of the institute;
- the name and contact information of the person who will act as the RA
  Manager for the Institute/Organization;
- the name(s) and contact information of the person(s) who will act as the
  RA Operator(s) for the institute.

A template for the request letter can be found here:
http://see-grid-ca.hellasgrid.gr/assets/SEE-GRID-CA-RA-Assignment.docx
How to Create a Registration Authority

The request must be sent to the SEE-GRID CA headquarters by post. As this
usually delays the procedure, we ask applicants to also send us a scanned
copy via e-mail in order to speed up the process. When we receive the
e-mail, we can organize a video call with the applicant in order to
finalize the process.

The RA Manager should be staff of the Institute/Organization. He or she
will be the main contact point between SEE-GRID CA and the
Institute/Organization. The RA Manager can appoint one or more RA
Operator(s) who will perform the day-to-day tasks.
How to Create a Registration Authority

The RA Operator is a technical role, with the duty to:

- schedule face-to-face meetings with applicants in order to validate their
  requests;
- keep the necessary records and forward the validated requests to the
  SEE-GRID CA.

It is not uncommon for the RA Manager to also perform the duties of the RA
Operator where the number of certificate requests does not justify the
allocation of more resources.
Identity Vetting

Physical Person:

- The subject must contact the RA in person, in order to have his/her
  identity vetted and to verify the validity of the request.
- The authentication of the subject is performed through the presentation
  of a valid photo ID document or passport.
- In cases where the subject resides in a remote geographical location and
  access to an RA is not possible, identity vetting may be performed via
  video call. In this case, an authenticated photocopy of the required
  document (ID document or passport) must be delivered by mail or courier
  service to the RA prior to the online meeting.
- "Authenticated photocopy" refers to a copy certified by a legally
  accepted notary public under the law of the country where the RA
  operates.
Identity Vetting

Digital Processing Entity or Service:

- The entity must already have a valid DNS entry and be in the
  administration domain of the applicant.
- The system administrator requesting the certificate must use his/her
  personal certificate, issued by an IGTF-accredited CA, to authenticate to
  the SEE-GRID CA web portal or to digitally sign the e-mail in order to
  submit the certificate request.
Identity Vetting

Robot:

- At least one of the persons responsible for the operation of the Robot
  must use his/her personal certificate to digitally sign the e-mail in
  order to submit the certificate request.
How to generate a Certificate Request

In order to generate a Certificate Request you need access to a machine with
OpenSSL installed:

$ openssl req -newkey rsa:2048 -subj \
    "/DC=EU/DC=EGI/C={Country Code}/O={People|Hosts}/O={Institution Name}/CN={Firstname Lastname}" \
    -out cert_request.pem

Without -keyout, OpenSSL writes the new private key to privkey.pem in the
current directory and prompts for a passphrase to encrypt it. Keep that
file private; only cert_request.pem is sent to the RA.

- Substitute {Country Code} with the two-letter ISO 3166-1 alpha-2 code of
  the country, in capital letters.
- Substitute {People|Hosts} with People if this request is for a personal
  certificate, or Hosts if the request is made for a host, service or robot
  certificate.
- Substitute {Institution Name} with the full name of your institution (for
  example Greek Research and Technology Network).
- Substitute {Firstname Lastname} with your first and last name. You may
  add your initials between the first and last name if you wish.
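As an added example (not part of the SEE-GRID CA slides), the following POSIX shell script generates a request in the naming scheme above and checks it the way an RA Operator could before forwarding it: the self-signature verifies, the subject follows /DC=EU/DC=EGI/C=XX/O=People|Hosts/O=Institution/CN=Name with an upper-case two-letter country code, and the key is RSA of at least 2048 bits. The function names, the output file names and the sample values (GR, Greek Research and Technology Network, Firstname Lastname) are my own constructed choices; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the SEE-GRID CA page: create a SEE-GRID CA style
# certificate request and sanity-check it before it goes to the RA.

# make_csr OUTPREFIX COUNTRY PEOPLE_OR_HOSTS INSTITUTION CN [KEYBITS]
# Writes OUTPREFIX.key.pem (private key) and OUTPREFIX.csr.pem (request).
make_csr() {
    prefix=$1; country=$2; kind=$3; inst=$4; cn=$5; bits=${6:-2048}
    # -nodes leaves the key unencrypted so this runs non-interactively;
    # for a real personal key drop -nodes and choose a strong passphrase.
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
        -keyout "$prefix.key.pem" -out "$prefix.csr.pem" \
        -subj "/DC=EU/DC=EGI/C=$country/O=$kind/O=$inst/CN=$cn" \
        2>/dev/null
}

# csr_subject FILE: print the subject DN in RFC 2253 form
# (most specific RDN first, e.g. CN=...,O=...,O=People,C=GR,DC=EGI,DC=EU).
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject=[[:space:]]*//'
}

# csr_keybits FILE: print the RSA modulus size in bits.
csr_keybits() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr FILE: return 0 if the request fits the naming scheme and key
# policy described on the slide, 1 otherwise (with a reason on stdout).
check_csr() {
    f=$1
    # 1. The self-signature must verify: the requester holds the private key.
    openssl req -noout -verify -in "$f" >/dev/null 2>&1 \
        || { echo "$f: request signature does not verify"; return 1; }
    # 2. Subject must be /DC=EU/DC=EGI/C=XX/O=People|Hosts/O=.../CN=...
    #    with XX an upper-case ISO 3166-1 alpha-2 code (LC_ALL=C keeps
    #    [A-Z] strictly upper-case regardless of locale).
    subj=$(csr_subject "$f")
    echo "$subj" | LC_ALL=C grep -qE \
        '^CN=[^,]+,O=[^,]+,O=(People|Hosts),C=[A-Z]{2},DC=EGI,DC=EU$' \
        || { echo "$f: subject does not match the naming scheme: $subj"; return 1; }
    # 3. Key size: the slide asks for rsa:2048, so reject anything smaller.
    bits=$(csr_keybits "$f")
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "$f: RSA key too small (${bits:-?} bits)"; return 1; }
    echo "$f: OK ($subj, $bits-bit RSA)"
    return 0
}

# Stand-alone usage with constructed sample values:
if [ "${1:-}" = "--demo" ]; then
    make_csr ./demo GR People "Greek Research and Technology Network" "Firstname Lastname"
    check_csr ./demo.csr.pem
fi
```

Run it as `sh csrcheck.sh --demo`, or source the file and call `check_csr some_request.pem` on a request an applicant has sent; a lower-case country code or a 1024-bit key is reported as a reason rather than silently forwarded.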
Further Information

How to set up a new SEE-GRID CA Registration Authority:
http://see-grid-ca.hellasgrid.gr/pages/setting-up-a-see-grid-caregistration-authority

How to change over a SEE-GRID CA Registration Authority:
http://see-grid-ca.hellasgrid.gr/pages/change-over-a-see-grid-caregistration-authority

How to create a certificate request:
http://see-grid-ca.hellasgrid.gr/pages/certificate-requests/