SlovakGrid Certification Authority

->slovenská verzia
For new grid users:

1. create new pair of keys: grid-cert-request -int
- it may request your name and family name, so fill them
- choose at least 12-character long passphrase
- confirm or change the country "C=SK" and the 'origin' "O=SlovakGrid"
- fill in the acronym for your organization (employer or school)
- fill in your full name - at least 2 words divided by space character(s)
- if you do not have installed the "grid-cert-request" command,
  you can use my 'user' script

2. bring the "usercert_request.pem" file to one of your national Registration
Authorities (RA, more informations at: ca.ui@savba.sk)
and show your ID card in the personal meeting with RA.


Rekey Manual - for user certificate:

During the time your user certificate is still valid, you can use it to sign
your request for the new user certificate:

1. backup ~/.globus folder to say ~/.globus.bak

2. create new pair of keys: grid-cert-request -int
- it may request your name and family name, so fill them
- choose at least 12-character long passphrase
- confirm or change the country "C=SK" and the 'origin' "O=SlovakGrid"
- fill in the acronym for your organization (employer or school)
- fill in your full name - at least 2 words divided by space character(s)
- if you do not have installed the "grid-cert-request" command,
  you can use my 'user' script

3. sign with your old but still valid user-certificate:
cd ~/.globus
openssl smime -sign -text -in usercert_request.pem -signer \
~/.globus.bak/usercert.pem -inkey ~/.globus.bak/userkey.pem \
-out rekey.smi

4. send the "rekey.smi" file to your national Certification Authority (CA)
   (ca.ui@savba.sk)

5. backup  ~/.globus folder to say ~/.globus.new and move back
   the old folder for the time untill you will get new certificate,

6. when you receive new certificate from CA, replace the zero-length file
   usercert.pem in "new" folder and exchange old with new folders


Rekey Manual - for host certificate: 

1. create keys in some folder (e.g. $HOME):

grid-cert-request -dir . -host -int
- confirm|change default parameters ("C=SK" and "O=SlovakGrid")
- fill acronym of organization (O=FMPhI)
- fill host name (CN=host/myhost.mydomain)
- if you do not have installed the "grid-cert-request" command,
  you can use my 'host' script

2. sign with your user-certificate:

openssl smime -sign -text -in hostcert_request.pem -out rekey.smi \
-signer ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem

   If you are logged-in as root, change "~/.globus" (2x) to the folder
   where your user certificate and user private key reside (or copy them here).

3. send the "rekey.smi" file to your national Certification Authority
   (ca.ui@savba.sk) by simple e-mail (no need to sign it)

4. when you receive new certificate from CA, put the private key
   (generated in step 1, i.e. hostkey.pem) 
   and the new certificate (as hostcert.pem) into
   root@myhost.mydomain:/etc/grid-security

5. run yaim for all grid services installed on "myhost" which are using
   the grid certificate
or 
   manually replace old key+certificate in all locations found on "myhost" 
   (find / -name "*.pem"), they can have another names (edguser.pem...) and
   restart all these services (or restart whole "myhost")