• Grid Certificate Authority (CA) Service

  • The GridKa-CA service issues X.509 certificates to persons, hosts, services and robots that belong to institutes located in Germany and are involved in national and international Grid projects, for authentication when accessing national and international Grid resources.

General Description

The GridKa-CA service provides a Public Key Infrastructure (PKI) with X.509 user, host, service and robot certificates for resources and services located in Germany and for scientists working in Germany on national and international Grid projects.
Certificates are required for authentication in the Grid environment and are based on the Grid Security Infrastructure (GSI) used by several Grid middleware stacks such as gLite, Globus and UNICORE. Identity vetting of individuals follows internationally agreed standards and is carried out by Registration Authorities (RAs) before a certificate is issued. A Certification Policy (CP) and Certification Practice Statement (CPS) describing all procedures is provided and kept up to date, together with a certificate revocation list (CRL) and general information for users. The CRL lists the revoked certificates and is downloaded at regular intervals by Grid sites all over the world.
The service provides dedicated Web interfaces for requesting and managing certificates as well as an offline OpenSSL CA running on secured infrastructure. The GridKa-CA is accredited according to the rules of the European Grid Policy Management Authority (EUGridPMA), part of the International Grid Trust Federation (IGTF). As a member of the EUGridPMA, the CA continuously tracks new developments and standards and integrates them into its current policy and practices.

Utilization Period

The Web server providing general information and the CRL, and the respective Web front-ends, are available 24 hours a day, 7 days a week. Registration and certificate issuance are carried out during normal working hours (5x8).

Booking Conditions

Registration of an institution (university, company, research center)

Before individual certificates can be issued, an institution has to register itself and choose an abbreviation for its "Organizational Unit" (OU). A person must be designated to act as the Registration Authority (RA). Personal contact between RA and CA personnel is generally required.
An RA must complete the identification process described below. Additionally, the following data are required: the official name and address of the institution, the department and, optionally, the Grid project with which the institution is associated.

Registration of a user

a) Identification process:

The following data are needed: name, surname, e-mail address*, telephone*. The user has to contact the RA in person and show an identity card (or passport) together with the completed GridKa-CA form ( https://gridka-ca.kit.edu/gridka-ca-formular.pdf ). The RA verifies that the data and the photograph in the identity card match the person present and verifies by appropriate means that the user belongs to the institute. The GridKa-CA form is archived by the RA or sent, signed by hand, by post to the GridKa-CA.

  • * Both must show the connection to the institute and must not be private.

b) Request generation

The user generates a certificate request using one of the following:

  • the GridKa-CA Web interface at https://gridka-ca.kit.edu or
  • middleware commands (grid-cert-request) or
  • an OpenSSL certificate request (openssl req)

For grid-cert-request and openssl, the PEM-encoded request is uploaded at https://gridka-ca.kit.edu.

Registration of a host or service

A user with a valid user certificate can obtain a host, service or robot certificate using the mechanisms described above. The hostname must have a valid DNS entry and its IP address must belong to the address range owned by the institution.
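As an added example (not GridKa-CA tooling), the following POSIX shell script builds a host-certificate request with openssl req, as the page describes, and runs the checks a requester should make before uploading the PEM file; the O value, the OU abbreviation and the hostname are placeholders.

```shell
#!/bin/sh
# Added example, not GridKa-CA tooling: create a host-certificate request the way
# the page describes (openssl req, PEM upload) and sanity-check it before upload.
# O, OU and the hostname are placeholders; the real OU abbreviation is the one the
# institution chose when it registered with the CA.
set -eu

# make_host_csr FQDN OU KEYFILE CSRFILE
# Generates a 2048-bit RSA key and a PKCS#10 request with the FQDN as CN and SAN.
make_host_csr() {
  host=$1; ou=$2; key=$3; csr=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" \
    -subj "/C=DE/O=EXAMPLE-GRID/OU=$ou/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# check_host_csr CSRFILE EXPECTED_FQDN
# Returns 0 when the request is fit to upload, 1 otherwise. Checks:
#  - the PKCS#10 self-signature verifies (the requester holds the private key)
#  - the CN is exactly the lower-case FQDN that is meant to be certified
#  - the RSA modulus is at least 2048 bits
check_host_csr() {
  csr=$1; want=$2
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "self-signature does not verify"; return 1; }
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want" ] || { echo "CN '$cn' does not match '$want'"; return 1; }
  case "$cn" in *[A-Z]*|*.) echo "CN must be a lower-case FQDN"; return 1 ;; esac
  bits=$(openssl req -in "$csr" -noout -pubkey \
       | openssl pkey -pubin -noout -text 2>/dev/null \
       | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-unknown} bits"; return 1; }
  return 0
}

# Run directly as: sh host_csr.sh ce01.grid.example.org MYINST
if [ $# -eq 2 ]; then
  make_host_csr "$1" "$2" hostkey.pem hostreq.pem
  check_host_csr hostreq.pem "$1" && echo "hostreq.pem is ready to upload"
fi
```

The DNS and IP-range conditions stated above are verified by the RA and CA; the script only checks what can be checked offline on the request itself.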

IT-Security

The Certification Policy/Certification Practice Statement (CP/CPS) ( https://gridka-ca.kit.edu/info/ca/gridka-cps.pdf ) describes which user data is stored.

Included services

  • This service delivers user, host, service or robot certificates to users and resources associated with German scientific institutes, normally within one working day.
  • GridKa-CA is accredited by the EUGridPMA and its certificates are accepted in the international Grid context.
  • A trust anchor is provided by the EUGridPMA (CA RPMs at https://dist.eugridpma.info/distribution/igtf/current/ ) and by TERENA (http://www.tacar.org/ ).
  • Revocation requests are processed as soon as possible, at the latest on the next business day.
  • The Certificate Revocation List (CRL) is issued after each revocation or at least every 23 days and can be downloaded by all Grid sites all over the world.
  • The service provides information about the GridKa-CA on its Web servers.
  • Users and RAs are informed by e-mail about the progress of the request procedure, the issuance of certificates, and 4 weeks and 1 week in advance of a certificate's expiration.
  • Statistics about issued and revoked certificates are provided.
  • Secured and reliable infrastructure.

Services not included

  • This service does not deliver certificates for users or resources not associated with German scientific institutes.
  • Acceptance and membership in a Virtual Organization (VO)
  • Liability for any damages, including but not limited to lost profit, lost savings and incidental or consequential damages.
  • Legal responsibility for problems arising out of its operation or for problems related to the use or misuse of the certificates it issues.
  • It is explicitly prohibited to use the certificates issued by the GridKa-CA for any kind of financial transactions or for any kind of trade.

Organisational requirements

Technical requirements

  • Network (Internet, LAN/WAN)
  • Open ports in the firewall