This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.

GSI: Developer's Guide


Acquiring certificates

In order for authentication to work within Globus and GSI-enabled tools, all users and services need to have a certificate issued from a trusted certificate authority (CA).

Because the CA is the heart of the Globus/GSI authentication system, it is highly recommended that the builders of production Grids either establish their own trusted CA or use an established commercial CA.

To use the GT 3.2 software securely, you must have X.509 certificates (referred to in this documentation as host certificates).

Host certificates must:

  • consist of the following two files: hostcert.pem and hostkey.pem
  • be in the appropriate directory for secure services: /etc/grid-security/
  • be for a machine which has a consistent name in DNS; you should not run it on a computer using DHCP where a different name could be assigned to your computer.
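
One way to check the requirements above on a deployed host, as an added example that is not part of the Globus documentation. The function name `check_hostcert`, its arguments and the acceptance of a `host/` prefix in the CN are assumptions; it also confirms that hostkey.pem is the key for hostcert.pem, using only the `openssl` command line.

```shell
#!/bin/sh
# Added example, not Globus code. check_hostcert DIR FQDN returns 0 when the
# host certificate in DIR meets the requirements listed above, 1 otherwise.
# Usage: check_hostcert /etc/grid-security host.example.org
check_hostcert() {
    dir=${1:-/etc/grid-security}   # directory named on this page
    fqdn=${2:-$(hostname -f)}      # assumption: the name DNS always returns for this host
    cert=$dir/hostcert.pem
    key=$dir/hostkey.pem
    rc=0

    # Both files must be present in the directory.
    for f in "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: $f is missing or empty" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # The files must belong together: the public key embedded in the
    # certificate has to equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: hostkey.pem does not match hostcert.pem" >&2
        rc=1
    fi

    # The certificate must name this machine. RFC2253 output lists RDNs
    # separated by commas, so split on commas and take the first CN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
        tr ',' '\n' | sed -n 's/^\(subject= *\)\{0,1\}CN=//p' | head -n 1)
    cn=${cn#host/}   # assumption: accept a "host/" service prefix in the CN
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: certificate CN '$cn' does not match host name '$fqdn'" >&2
        rc=1
    fi
    return "$rc"
}
```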

You have the following options: request a certificate from an existing CA, use SimpleCA, or use a low-trust certificate.

Request a certificate from an existing CA

Your best option is to use an already existing CA. You may have access to one from the company you work for, or an organization you are affiliated with. Some universities provide certificates for their members and affiliates. Contact your support organization for details about how to acquire a certificate. You may find your CA listed in the TERENA Repository.

If you already have a CA, you will need to follow their configuration directions. If they include a CA setup package, follow the CA's instructions on how to install the setup package. If they do not, you will need to create an /etc/grid-security/certificates directory and include the CA cert and signing policy in that directory. See Configuring a Trusted CA for more details.

This type of certificate is best for service deployment and Grid inter-operation.

SimpleCA

SimpleCA provides a wrapper around the OpenSSL CA functionality and is sufficient for simple Grid services. Alternatively, you can use OpenSSL's CA.sh command on its own. Instructions on how to use the SimpleCA can be found here.

SimpleCA is suitable for testing or when a certificate authority is not available.

Low-trust certificate

Globus offers a low-trust certificate available at http://gcs.globus.org:8080/gcs. This option should only be used as a last resort because it does not fulfill some of the duties of a real Certificate Authority.

This type of certificate is best suited for short term testing.