Installing SimpleCA

We are now going to install a very simple Certificate Authority, appropriately called SimpleCA, developed by the folks at Globus. We'll use SimpleCA to create certificates for the globus account and our user account. Bear in mind that, although it is very easy to use, it might not be appropriate for production systems. Consider OpenCA as a more powerful alternative. Also, in case you don't want to install a root CA in your organization, and use a more widely known one, you can find a list of academic CAs here.

However, bear in mind that the tutorial is written with SimpleCA in mind. Even so, you should have no problem switching to a different CA once you've completed the examples and understood how GT3 manages certificates.

Download SimpleCA

First of all, you need to download SimpleCA. You can do so here.

Building SimpleCA

Once you've downloaded the SimpleCA installation package (a file called globus_simple_ca-latest-src_bundle.tar.gz), you have to run the following command from the directory where you've downloaded the file:

$GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca-latest-src_bundle.tar.gz gcc32dbg

This builds the SimpleCA package, and outputs a couple of status messages. Don't worry if you see the following message: make: *** No rule to make target `distclean'. Stop.. It is perfectly normal.

Setting up SimpleCA

Now that SimpleCA has been built, we need to run a post-install script to set it up. Just run the following command:

$GLOBUS_LOCATION/sbin/gpt-postinstall

You'll should see the following output:

    C e r t i f i c a t e    A u t h o r i t y    S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates.  It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distrubtes will
be kept in:

$GLOBUS_USER_HOME/.globus/simpleCA/

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-localhost, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:

The script is asking us to define the subject that will appear in the CA's digital certificate. Remember that this is a special self-signed certificate which will identify the CA, and which can be used to verify the validity of certificates signed by the CA. Although you can certainly keep the default subject name, we're going to change it. Answer 'n' to the question. You should now see this:

Enter a unique subject name for this CA:

We will use the following subject name:

cn=Globus Simple CA, ou=GT3 Tutorial, o=Globus

Now you should see the following:

Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA):

You can enter any e-mail you want, since we're not actually going to use it. When we start requesting certificates, this is the e-mail we're supposed to send the certificate request to. However, since we're working on a single machine, we'll be able to do the whole process in the comfort of our own hard disk.

Once you've entered the e-mail address, you should see the following:

The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid.  A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires.  This can be done
by re-running this setup script.  Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]

We won't be too concerned about the expiration date of the CA certificate, so we can safely press enter here to select the default value (5 years).

Now, the install script will start generating the certificate:

Using configuration from /home/globus/.globus/simpleCA//grid-ca-ssl.conf
Generating a 1024 bit RSA private key
............................++++++
.............++++++
writing new private key to '/home/globus/.globus/simpleCA//private/cakey.pem'

However, when the install script comes to the point where it must generate the certificate's private key, it will ask you for a password. Remember, the private key must be known only by the certificate's owner (in this case, the CA), and what better way to ensure this than by protecting it with a password.

Enter PEM pass phrase:

Enter any password. To avoid confusion with other password we will be using, I suggest you simply enter the following password: simpleca. However, if you plan to use this CA in a production environment, feel free to enter any password. You will be asked to repeat it:

Verifying password - Enter PEM pass phrase:

Any time we need to access the CA's private key, we will need to provide this password. For example, since the private key is needed to digitally sign certificates, we'll need to provide the password each time the CA issues a certificate.

After you enter the password and confirm it, you will be asked no more questions. You will see a rather lengthy output which you can safely ignore. However, let's take a look a close look at some particular messages which basically confirm that we've successfully set up a CA

First off, take a look at this:

A self-signed certificate has been generated
for the Certificate Authority with the subject:

/O=Globus/OU=GT3 Tutorial/CN=Globus Simple CA

If this is invalid, rerun this script

$GLOBUS_LOCATION/setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in $GLOBUS_USER_HOME/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in $GLOBUS_USER_HOME/.globus/simpleCA//cacert.pem

This message confirms that the CA's certificate has, in fact, been created. We are also told where the certificate can be found, along with the private key. If you try to open the certificate, you'll see that its contents look like gibberish. If you want to take a peek at all the values it contains, you can use a very handy tool included with the toolkit called grid-cert-info:

grid-cert-info -file ~/.globus/simpleCA/cacert.pem

You will also see the following message in the final output, which tell us that the setup isn't quite complete yet:

Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

$GLOBUS_LOCATION/setup/globus_simple_ca_24d355a5_setup/setup-gsi

You should also see the same message telling you that you should run $GLOBUS_LOCATION/setup/globus/setup-gsi to complete setup. We'll get to that in a second. The setup-gsi finishes the setup of GSI on our system. To do this, it creates a set of configuration files in the /etc directory, so this command should be run as root. However, in systems without root access, you can use a -noroot argument to specify an alternate location which is non-root writable. Let's suppose you do have root access, and run the command:

$GLOBUS_LOCATION/setup/globus_simple_ca_24d355a5_setup/setup-gsi

You should see the following:

   G S I   :   C O N F I G U R A T I O N   P R O C E D U R E


Before you use the Grid Security Infrastructure, you should first
define the DN (distinguished name) that should be used for your
organization's X509 certificates.  If you do not define a DN,
a default DN will be assigned to you.

This script will ask some questions about site specific
information. This information is used to configure
the Grid Security Infrastructure for your site.

For some questions, a default response is given in [].
Pressing RETURN in response to such a question will enable the default.
This script will overwrite the file --

     /etc/grid-security/certificates//grid-security.conf.24d355a5


Do you wish to continue (y/n) [y] :

Answer yes. You should now see the following:

========================================================================

(1) Base DN for user certificates
         [ ou=,  ou=GT3 Tutorial, o=Globus ]
(2) Base DN for host certificates
         [  ou=GT3 Tutorial, o=Globus ]

========================================================================
(q) save, configure the GSI and Quit
(c) Cancel (exit without saving or configuring)
(h) Help
========================================================================

The script asks us to provide a distinguished name which will be the base for user and host certificates (issued by the CA). Although we can change these names, we'll simply accept the default ones. Notice how the OU (Organizational Unit) and O (Organization) are the same as the CA's OU and O (specified earlier while installing SimpleCA). To continue, answer 'q'.

We are very nearly finished setting up SimpleCA. Before moving on to the very last step, remember there was also a message asking you to run /usr/local/gt3/setup/globus/setup-gsi. We won't be running this script because its purpose is to enable our system to work with the Globus CA, which is no longer active. We will only be working with our SimpleCA.

Setting up the default CA

The only thing left to do is to configure our system so that it will use the SimpleCA we just installed as the default CA. We can do this simply by running the following from the root account:

$GLOBUS_LOCATION/bin/grid-default-ca

You should see the following:

The available CA configurations installed on this host are:

1) 24d355a5 -  /O=Globus/OU=GT3 Tutorial/CN=Globus Simple CA
/bin/ls: /etc/grid-security//grid-security.conf: No such file or directory

The default CA is:


Enter the index number of the CA to set as the default:
[Note]

Don't worry about the No such file or directory message. It's due to the fact that we haven't chosen a default CA yet. Type in 1 to make our SimpleCA the default CA.

Summing up...

Where do we stand right now? Well, we now have a fully functional CA working on our computer (Yay!). This Certificate Authority is managed by the globus user. We are now ready to request certificates to our CA. We can do this from the machine that hosts the CA, or from other machines. If you are going to request a certificate from a different machine, you'll need to read the following page. Otherwise, you can safely skip it.