Certificates

Sebastien Badia edited this page Oct 3, 2011 · 3 revisions

Certificate authority

  • Extract the certificate hash
    openssl x509 -noout -hash -in /root/.globus/simpleCA/cacert.pem
  • Display the subject
    openssl x509 -in ee948bf8.0 -noout -subject

Managing a CA

  • Creating an .info file
#
# @(#)$Id: ee948bf8.info,v 1.1 2009/04/06 18:55:20 pmacvsdg Exp $
# Information for g5k CA
#
alias = g5k
ca_url = http://public.rennes.grid5000.fr/~sbadia/ca.pem
crl_url = http://public.rennes.grid5000.fr/~sbadia/crl.r0
email = [email protected]
status = accredited:classic
url = http://www.nancy.grid5000.fr/doc/
version = 1.37
sha1fp.0 = 60:5F:50:06:71:7C:2F:E4:58:BB:C0:E9:33:05:B4:B9:3B:14:C9:A0
  • Creating a .namespaces file
##############################################################################
#NAMESPACES-VERSION: 1.0
#
# @(#)ee948bf8.signing_policy.namespaces
# CA alias    : g5k
#    subord_of:
#    subjectDN: /O=Grid/OU=GlobusTest/OU=simpleCA-paramount-10.rennes.grid5000.fr/CN=Globus Simple CA
#    hash     : ee948bf8
#    (generated automatically from 9ff26ea4.signing_policy)
#
TO Issuer "/O=Grid/OU=GlobusTest/OU=simpleCA-paramount-10.rennes.grid5000.fr/CN=Globus Simple CA" \
   PERMIT Subject "/O=Grid/.*"
  • Generate a certificate revocation list (CRL)
    openssl ca -config ~/.globus/simpleCA/grid-ca-ssl.conf -gencrl -crldays 365 -out ./ee948bf8.r0
    • Don't forget to include an HTTP URL for the cron job
      echo "http://public.rennes.grid5000.fr/~sbadia/crl.r0" > ee948bf8.crl_url
  • Configure the CA
/opt/globus/setup/globus_simple_ca_9b24b125_setup/setup-gsi -default
export GPT_LOCATION="/opt/gpt"
export GPT_INSTALL_LOCATION="/opt/gpt"
/opt/gpt/sbin/gpt-build globus_simple_ca_HASH_setup-0.17.tar.gz gcc32dbg
$GLOBUS_LOCATION/sbin/gpt-postinstall
/opt/globus/setup/globus_simple_ca_274a23e6_setup/setup-gsi -default
  • List the default CA
    grid-default-ca -list
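The hash, .info and .namespaces pieces above are what make up one entry of a Globus trust directory: a <hash>.0 certificate, a <hash>.info metadata file whose sha1fp.0 line must match the certificate, and a <hash>.namespaces policy saying which subject DNs the CA may sign. The sh script below is an added example, not part of this wiki or of Globus: it audits such a directory (is every <hash>.0 really named after its own subject hash, does the .info fingerprint match the certificate) and tests a subject DN against the PERMIT Subject pattern of a .namespaces file. It assumes openssl on PATH; the CA, DNs and metadata it builds for the demonstration are constructed placeholders, not the g5k CA.

```sh
#!/bin/sh
# Added example (not from the wiki): audit a Globus-style trust directory.
# Assumes: openssl on PATH; <hash>.0 / <hash>.info / <hash>.namespaces layout.

# Return 0 if every <hash>.0 in directory $1 is named after its own subject
# hash and, when <hash>.info exists, its sha1fp.0 line matches the certificate.
check_ca_dir() {
    rc=0
    for cert in "$1"/*.0; do
        [ -f "$cert" ] || continue
        name=$(basename "$cert" .0)
        hash=$(openssl x509 -noout -hash -in "$cert")
        if [ "$hash" != "$name" ]; then
            echo "MISMATCH: $cert is named $name but its subject hash is $hash"
            rc=1
        fi
        info="$1/$name.info"
        if [ -f "$info" ]; then
            # openssl prints "SHA1 Fingerprint=AA:BB:..."; keep only the value
            fp=$(openssl x509 -noout -fingerprint -sha1 -in "$cert" | sed 's/^.*=//')
            want=$(sed -n 's/^sha1fp\.0[[:space:]]*=[[:space:]]*//p' "$info" | tr -d '\r')
            if [ "$fp" != "$want" ]; then
                echo "MISMATCH: $info lists $want but $cert has fingerprint $fp"
                rc=1
            fi
        fi
    done
    return $rc
}

# Return 0 if subject DN $2 matches the PERMIT Subject pattern of .namespaces
# file $1. The pattern (e.g. "/O=Grid/.*") is applied as an extended regex
# anchored at both ends; a file with a single PERMIT line is assumed.
namespace_permits() {
    pattern=$(sed -n 's/^[[:space:]]*PERMIT[[:space:]]*Subject[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    [ -n "$pattern" ] || return 2
    printf '%s\n' "$2" | grep -Eq "^${pattern}\$"
}

# Build a throwaway directory holding one constructed CA plus its .info and
# .namespaces files, and print its path. Nothing here is a real CA.
make_demo_dir() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Grid/OU=GlobusTest/CN=Demo Simple CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
    h=$(openssl x509 -noout -hash -in "$d/cacert.pem")
    cp "$d/cacert.pem" "$d/$h.0"
    fp=$(openssl x509 -noout -fingerprint -sha1 -in "$d/cacert.pem" | sed 's/^.*=//')
    printf 'alias = demo\nsha1fp.0 = %s\n' "$fp" > "$d/$h.info"
    cat > "$d/$h.namespaces" <<'EOF'
TO Issuer "/O=Grid/OU=GlobusTest/CN=Demo Simple CA" \
   PERMIT Subject "/O=Grid/.*"
EOF
    echo "$d"
}

# Demonstration: audit the constructed directory, then test one DN inside
# the permitted namespace and one outside it.
demo() {
    d=$(make_demo_dir) || return 1
    check_ca_dir "$d" || return 1
    h=$(basename "$d"/*.0 .0)
    namespace_permits "$d/$h.namespaces" "/O=Grid/OU=GlobusTest/CN=toto1" || return 1
    namespace_permits "$d/$h.namespaces" "/C=FR/O=Other/CN=toto1" && return 1
    rm -rf "$d"
}

demo && echo "trust directory audit OK"
```

To audit a real directory, call check_ca_dir /etc/grid-security/certificates; a non-zero return with a MISMATCH line means either a file was renamed or the .info no longer describes the certificate next to it.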

OpenSSL utils

  • Verify a certificate
    openssl verify -CApath /etc/grid-security/certificates /etc/grid-security/hostcert.pem
  • Create a certificate that can be imported into Iceweasel
    openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -name "My Certificate" -out mycertificate.p12
  • Display a user certificate
    openssl x509 -in usercert.pem -text -noout
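The three commands above, run end to end. This sh script is an added example, not part of this wiki or of Globus: it builds a throwaway CA and a host certificate signed by it, installs the CA as <hash>.0 in a CApath directory the way the page describes, verifies the host certificate against that directory, exports a PKCS#12 bundle for a browser import and prints the subject in the slash form used by the policy files. It then removes the trust anchor and shows the same verification failing. It assumes openssl on PATH; every name, password and path is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the wiki): the page's verify / pkcs12 / x509 -subject
# steps exercised end to end against a throwaway CA. Assumes openssl on PATH;
# every name and path below is constructed for the demonstration.

# Create a self-signed CA and a host certificate signed by it under $1.
# The CA is installed as certificates/<hash>.0, the CApath layout the page uses.
build_demo_pki() {
    w=$1
    mkdir -p "$w/certificates"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Grid/OU=GlobusTest/CN=Demo Simple CA" \
        -keyout "$w/cakey.pem" -out "$w/cacert.pem" 2>/dev/null || return 1
    h=$(openssl x509 -noout -hash -in "$w/cacert.pem") || return 1
    cp "$w/cacert.pem" "$w/certificates/$h.0"
    # host key + CSR, then sign the CSR with the CA
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Grid/OU=GlobusTest/CN=demo.example.invalid" \
        -keyout "$w/hostkey.pem" -out "$w/host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/host.csr" -CA "$w/cacert.pem" -CAkey "$w/cakey.pem" \
        -CAcreateserial -days 30 -out "$w/hostcert.pem" 2>/dev/null || return 1
}

# The page's "openssl verify -CApath ..." check; returns openssl's exit status,
# so 0 means a chain to a CA in the directory was built and is valid.
verify_against_capath() {
    openssl verify -CApath "$1/certificates" "$1/hostcert.pem" >/dev/null 2>&1
}

# Bundle certificate and key into a PKCS#12 file for a browser import.
# $2 is the export password (the browser asks for it on import).
export_p12() {
    openssl pkcs12 -export -in "$1/hostcert.pem" -inkey "$1/hostkey.pem" \
        -name "Demo Certificate" -passout "pass:$2" -out "$1/demo.p12" 2>/dev/null
}

# Print the subject of certificate $1 in the slash-separated form that the
# .namespaces / signing_policy files use ("compat" name output).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Demonstration: build, verify, export, then show that removing the trust
# anchor from the CApath makes the same verification fail.
demo() {
    w=$(mktemp -d)
    build_demo_pki "$w" || return 1
    verify_against_capath "$w" || return 1
    export_p12 "$w" demo-pass || return 1
    echo "subject: $(cert_subject "$w/hostcert.pem")"
    rm "$w"/certificates/*.0
    verify_against_capath "$w" && return 1
    rm -rf "$w"
}

demo && echo "verify / pkcs12 / subject demonstration OK"
```

The second verify failing after the <hash>.0 file is removed is the property worth remembering: openssl verify with -CApath trusts only what is in that directory under the right hash name, so a renamed or missing anchor file silently turns every certificate from that CA into an untrusted one.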

Insertion tests

  • Adding an admin
    INFO: Adding default admin from /etc/grid-security/hostcert.pem
    Admin '/O=Grid/OU=GlobusTest/OU=simpleCA-graphene-46.nancy.grid5000.fr/CN=host/graphene-46.nancy.grid5000.fr,/O=Grid/OU=GlobusTest/OU=simpleCA-graphene-46.nancy.grid5000.fr/CN=Globus Simple CA' already exists in database...
    This admin will be granted full privileges on the VOMS database.
    Adding ALL permissions on '/nancy' for admin '/O=Grid/OU=GlobusTest/OU=simpleCA-graphene-46.nancy.grid5000.fr/CN=host/graphene-46.nancy.grid5000.fr,/O=Grid/OU=GlobusTest/OU=simpleCA-graphene-46.nancy.grid5000.fr/CN=Globus Simple CA'
    Adding ALL permissions on role '/nancy/Role=VO-Admin' for admin '/O=Grid/OU=GlobusTest/OU=simpleCA-graphene-46.nancy.grid5000.fr/CN=host/graphene-46.nancy.grid5000.fr,/O=Grid/OU=GlobusTest/OU=simpleCA-graphene-46.nancy.grid5000.fr/CN=Globus Simple CA'
  • Inserting into the database
    -- user row; the ca column holds the id of the issuing CA
    INSERT INTO usr (address, creation_time, dn, email_address, end_time, institution, name, phone_number, surname, ca) VALUES ('315, jardin botanique', '2011-09-18', '/O=Grid/OU=GlobusTest/OU=simpleCA-paramount-10.rennes.grid5000.fr/OU=rennes.grid5000.fr/CN=toto1', '[email protected]', '2021-09-18', 'INRIA', 'Sebastien BADIA', '0611957912', 'sbadia', '84');
    -- certificate row; usr_id must be the id of the user row inserted above
    INSERT INTO certificate (creation_time, subject_string, ca_id, usr_id) VALUES ('2011-09-18', 'toto1', '84', '1');