Signing the certificate with SimpleCA

We need to send this request to our CA so that it can digitally sign it. Although grid-cert-request asks you to mail the request to the CA's email address, we won't need email here, since the CA and the requesting user are on the same machine. We'll be able to 'send' the request to the CA through a temporary directory on our hard disk. However, bear in mind that, in real applications, it is commonplace to send requests to a CA administrator through email.

Using your user account, do the following:

cp $HOME/.globus/usercert_request.pem /tmp

Now, using the globus account, do the following:

$GLOBUS_LOCATION/bin/grid-ca-sign -in /tmp/usercert_request.pem -out /tmp/usercert.pem

The grid-ca-sign command is used to sign certificate requests and generate valid certificates. Since this operation needs the CA's private key (to sign the certificate), we'll need to enter the CA's password:

Enter password for the CA key:

You should now see the following output:

The new signed certificate is at: $GLOBUS_USER_HOME/.globus/simpleCA//newcerts/01.pem

A digital certificate has been generated from the request and deposited in /tmp/usercert.pem. The CA also always keeps its own copy of the certificates it signs (the newcerts path shown in the output above). Now, all we have to do is retrieve the certificate from the /tmp directory (using our user account):

cp /tmp/usercert.pem $HOME/.globus/usercert.pem

Voilà! You are now a fully certified user!

Bear in mind that it is very important to respect the directory name ($HOME/.globus) and the file name (usercert.pem) when installing the new certificate. Otherwise, any application or utility that needs to use the certificate will fail to find it and, therefore, will not work.

Finally, remember that the procedure we've followed to request and sign the certificate has been a bit atypical, since both the CA and the requestor are on the same machine. A more 'real' procedure would be the following:

  1. User A creates a certificate request.

  2. User A sends the certificate request to a CA via email (e.g. [email protected])

  3. The CA's administrator receives the request, reviews it, and decides if it will be approved. If the request is approved, the CA administrator signs the request using the CA's private key, and sends the certificate to User A via email (e.g. [email protected])

  4. User A receives the certificate and installs it in the $HOME/.globus directory.
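Whether the certificate comes back through /tmp or through email, it passes through a channel the user does not control, so it is worth checking before installing it. The following is an added example, not part of the original tutorial or of the Globus tools: it uses the openssl command line to confirm that the certificate carries the public key from your own request and verifies against the CA certificate. The function names, the CA certificate path argument and the throwaway sample PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a signed certificate before installing it.
# Assumes the openssl CLI is available; all paths are supplied by the caller.

# Succeeds only if the certificate carries the same public key as the request.
cert_matches_request() {  # usage: cert_matches_request CERT CSR
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey) || return 2
    [ "$cert_pub" = "$csr_pub" ]
}

# Succeeds only if the certificate verifies against the given CA certificate.
cert_signed_by() {  # usage: cert_signed_by CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Copy the certificate into place only when both checks pass.
install_usercert() {  # usage: install_usercert CA_CERT CERT CSR DEST
    cert_matches_request "$2" "$3" || { echo "public key mismatch" >&2; return 1; }
    cert_signed_by "$1" "$2" || { echo "not signed by expected CA" >&2; return 1; }
    cp "$2" "$4"
}

# Constructed sample data: a throwaway CA and two users' requests and certificates.
make_sample_pki() {  # usage: make_sample_pki DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=Sample CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for u in alice bob; do
        openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$u" \
            -keyout "$d/$u.key" -out "$d/$u.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$u.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$u.pem" 2>/dev/null || return 1
    done
}
```

With the tutorial's files, the call would look like install_usercert CA_CERT /tmp/usercert.pem $HOME/.globus/usercert_request.pem $HOME/.globus/usercert.pem, where CA_CERT stands for wherever your copy of the CA certificate is kept.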