
CertWizard: a New Certificate Tool for the UK NGI User Community



Presentation Transcript


  1. CertWizard: a New Certificate Tool for the UK NGI User Community
     John Kewley (john.kewley@stfc.ac.uk), Jens Jensen, David Meredith and Akay Okcun
     EGI TF 2011

  2. Outline
     • The UK e-Science CA
     • Problems with our CA Web Interface
     • CertWizard
     • Future Work

  3. The UK e-Science CA
     • 2nd largest Grid CA
     • IGTF accredited classic CA
     • 28,972 certificates issued
     • 2,882 active currently
     • RA network across UK academia (61 RAs with 112 RA Operators)

  4. The UK e-Science CA
     To support ancillary services we also have
     • 2x SLCS online CAs (SSO and SARoNGS)
     • 3x MyProxy Servers
     • 2x VOMS server
     • Training CA (for short-lived training certificates)
     • Test CA (for RA Training and testing)

  5. UK eScience Root CA Hierarchy

  6. Problems
     • Many certificate problems on our helpdesk (typically browser issues)
     • Browsers change, we can't support them all, especially on different platforms
     • OpenCA s/w we use hasn't been kept up to date ... and we had amended it!
     • Website certificate not trusted by browsers

  7. "Hierarchitecture"

  8. Features
     • Platform and browser independent
     • No CA Certificates to download first
     • Integrated into our existing MyProxyUploader

  9. Functionality
     • Apply for a new certificate
     • Renew an existing certificate
     • Request revocation of a certificate
     • Export/Backup your certificate
     • Import a certificate
     • Integrated into our proxy generation tool:
       • GSI “local” proxies
       • MyProxy upload
       • Adding VOMS attributes

  10. http://www.ngs.ac.uk/tools/certwizard

  11. Apply for a Certificate

  12. Renew Certificate

  13. Request Revocation

  14. Export/Backup

  15. Install Certificate
      Converts certificate to a usercert/userkey.pem pair for use by the proxy generation parts of the tool.

  16. Seamless Interworking
      Integrated with MyProxyUploader, our previous proxy generation tool
      • Uploading to MyProxy servers
      • Local Proxies
      • Add VOMS attributes

  17. Configuration
      • CA Certificates
      • MyProxy servers
      • VOMS servers
      • Your Certificate

  18. MyProxyUploader

  19. Local Proxy

  20. VOMS attributes

  21. Further Work
      • Adding an RA Tab
      • Adding a tab for Host Certificates, including bulk requests
      • Provision for email address changes
      • Permit renewals within 1 month of expiry
      • Upgrading underlying libraries

  22. Other Developments
      • Rollover of CA Certificate
      • Moving to an online CA
      • Improved functionality for bulk requests
      • Considering accreditation for our SLCS CA
      • Restructuring of our CP/CPS

  23. Acknowledgements
      • Jens Jensen, David Meredith and Akay Okcun
      • Numerous other developers
      • NGS
      • STFC
