Polish Grid - Certification Authority

The Polish Grid Certification Authority provides x509 certificates to be used in the context of the Polish Grid testbed activities. The certification authority issues certificates for individuals and machines. The ownership of a certificate does not imply automatic access to any computing resources. Access rights to individual machines must be granted by the corresponding system administrator before access is allowed.

Certification policy and practice

The Polish Grid CA certification policy is available here.

How to obtain a certificate

To obtain a certificate the requester must be a invlolved in Polish Grid activities. Certificates can be obtained by sending a properly formatted certificate request by e-mail to the Polish Grid CA. Once received the authenticity of the request will be verified by the CA.

RA list

Current list of RA's for Polish Grid CA can be found here

Obtaining a personnel certificate under Globus can be done with the command grid-cert-request the request must then be sent by e-mail to plgrid-ca@man.poznan.pl.
For gatekeeper machines a system certificate request is generated when globus is installed, the request filename is usually installed in /opt/globus/etc/globus-gatekeeper.request. The request must then be sent by e-mail to plgrid-ca@man.poznan.pl preferably signed with the personal certificate of the system manager, otherwise further checking will have to be performed by the CA to verify the authenticity of the request.

Validity and liability

Certificates issue by the Polish Grid CA are valid only in the context of the Polish Grid activities, any other use including financial transactions is strictly forbidden.
The Polish Grid CA will not be held liable for any problems arising from its operation or use made of the certificates it issues. The Polish Grid CA is run in a best effort basis and does not give any guarantees about the service security.
The CA operation is however performed with a reasonable level of security and the identity of the subjects requesting certificates will be verified accordingly with the CA policy.

Obtaining the CA certificate

The Polish Grid CA certificate is required to verify the authenticity of issued certificates. The Polish Grid CA certificate can be downloaded in PEM format here 8a661490.0 or in DER format fot Netscape 6.x and Internet Explorer browser here

Installing the CA certificate in systems running Globus

The following procedure must be followed to install the Polish Grid CA certificate. The certificate must be installed in each system running Globus in order to recognize Polish Grid CA issued certificates.

Download the key file as explained above, do not change the filename.
Copy the CA certificate to the following directories:

Globus 1.1.x:

$GLOBUS_INSTALL/share/certificates

$GLOBUS_DEPLOY/share/certificates

Globus 2:

/etc/grid-security/certificates

Change the protection of the file to 644.
Update the CA signing policy file ca-signing-policy.conf by appending the following lines:

access_id_CA X509 '/C=PL/O=GRID/CN=Polish Grid CA'

pos_rights globus CA:sign

cond_subjects globus '"/C=PL/O=GRID/*"'

insert your organisation acronim instead of xxx

You can download RPM with Polish Grid CA from EUGridPMA repository

Certificate Revocation Lists (CRLs)

Sometimes issued certificates must be canceled, in this case a CRL will be made available through this web page. For a CRL to be effective it must be downloaded and installed in each system accepting Polish Grid CA certificates.

The most recent CRL for the Polish Grid CA can be downloaded here crl.pem.

The CRL can be downloaded in your browser here here