Requesting a UK e-Science Certificate

This option is no longer available

The procedure for requesting a certificate from the UK e-Science CA is described at http://www.grid-support.ac.uk/content/view/23/182/. Two kinds of certificate are offered:

  • User (personal) certificates
  • Server (host) certificates

You must first obtain a user certificate as described at the above link. A user certificate is not supported directly for use with the UK Federation but is needed in order to apply for a host certificate.

Once your user certificate is installed in your browser along with the e-Science CA certificate and its root certificate, go on to apply for a host certificate, again as described at the above link. The Request a Certificate menu bar item on the CA web interface offers the options:

  • User Certificate
  • Server Certificate
  • PKCS #10 Request

The procedure tested by the federation and documented here is to choose Server Certificate, which will cause the browser to generate a new private key automatically. Although we have not tested this, it should also be possible to make your own private key with openssl, as described at Making the Private Key in GetCertificate, and submit the resulting Certificate Signing Request (.csr) file as a PKCS #10 Request (which is what a .csr file is).

Choosing Server Certificate should bring up a form allowing you to enter the DNS name of your Shibboleth server (e.g., shibbox.uni.ac.uk) along with some other information required by the CA, such as your e-mail address. You must leave the default service type (plain host certificate) selected in the drop-down list, since Shibboleth is not a Globus service.

When the CA grants the server certificate request, you should receive e-mail containing instructions on how to download the new host certificate. Assuming you used the Server Certificate request option rather than PKCS #10 Request, the certificate must be downloaded into the same browser that generated the private key.

Exporting for Use with Shibboleth

For use with Shibboleth, the certificate and private key must be exported from the browser into files on the server machine. The procedure is the same as in the web document Preparing your Certificate for use by Globus Toolkit. If you follow the procedure described there, then at the end of Step 2 you should have two files, hostcert.pem and hostkey.pem. Copy these to the machine that will be running Shibboleth and change the permissions to prevent anyone else from accessing either copy of hostkey.pem, as shown in Step 4. It is conventional to rename the files based on the DNS name being certified (for example to shibbox.uni.ac.uk.crt and shibbox.uni.ac.uk.key), and that is the convention used in the rest of the documentation here.

See also Step 5 on Security and backing up your certificate, which applies equally to Shibboleth.

Editing the Key

Unfortunately, if the certificate and key were exported from Internet Explorer (and possibly other browsers) then the private key file produced by the procedure above will be rejected by at least some components of Shibboleth because it will contain some text before the line:

   -----BEGIN RSA PRIVATE KEY-----

Inspect the shibbox.uni.ac.uk.key file and, with a text editor, delete anything that appears before the marker line above (e.g., "Bag Attributes", "Key Attributes", etc.). Do not remove the marker line or anything after it, in particular any similar-looking header lines (Proc-Type: xyz etc.) that may immediately follow it.

CA Certificates

As well as exporting your private key and host certificate as described above, you will also need two more certificates: the UK e-Science CA certificate and its root certificate. These can be downloaded from the CA web interface (or exported from your browser). Using the UK e-Science CA web interface, choose Get CA Certificate from the CA Info tab. The certificates are available in different formats; the easiest format for working with Shibboleth is PEM (base64-encoded), shown as [Suitable for use with grid applications]. Right-click and use Save Target As... (in Internet Explorer; other browsers differ) to create escience-ca.pem and escience-root.pem. You will need these when configuring your Shibboleth server later.

Once you have done everything described above, the next step is to apply to join the UK Federation as described at JoinFederation.