Security Group INFN Certification Authority

Documentation


An explanation of the main concepts is available in pdf format.


Address Space

All the certificates issued by the INFN CA use the following address spaces:
  • /C=IT/O=INFN/OU=Personal Certificate/L=<RA name>/CN=<name and surname> (personal certificates);
  • /C=IT/O=INFN/OU=Host/L=<RA name>/CN=<server FQDN> (server certificates);
  • /C=IT/O=INFN/OU=Service/L=<RA name>/CN=<service name / server FQDN> (service certificates).

Personal certificates

To request a new personal certificate, select the Personal certificate request link in the left menu using one of the two supported browsers, Netscape Communicator (version 4 or later) or Internet Explorer (version 5 or later), after obtaining the authorization of the competent Registration Authority (RA) of your department.

If you want to renew a certificate that is still valid, select the Personal certificate renewal link in the left menu. Your certificate will be renewed after approval by the Registration Authority.

Server certificates

The server name has to be correctly registered (direct and reverse) in the DNS, so please pay attention to DNS propagation delay!

All new certificate requests and all renewal requests must be sent, in PEM format and signed by a valid personal certificate, to the competent Registration Authority. The certificate will be issued only after a validity check of the e-mail address specified in the request.

To generate a request, use the openssl req command (see the example below) with this configuration file (modified on 30/01/06); irregular requests will be rejected.
N.B.: the "Structure name" field must contain the L value specified in your personal certificate (as listed in the Registration Authority's table).

Creation of a request: an example
> openssl req -new -nodes -out req.pem -keyout key.pem -config host.conf
Using configuration from host.conf
Using configuration from ./host.conf
Generating a 1024 bit RSA private key
...............................++++++
.++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country []:IT
Organization []:INFN
Certificate type [ ]:Host
Structure name (for instance: Pisa) []:Firenze
Server FQDN [ ]:postino.fi.infn.it
Server manager email address [ ]:roberto.cecchini@fi.infn.it

> chmod 600 key.pem

The certificate is usually issued within 2 working days (please note, however, that the service is offered on a best-effort basis).

Server certificates with multiple names

All server names have to be correctly registered (direct and reverse) in the DNS, so please pay attention to DNS propagation delay!

All new certificate requests and all renewal requests must be sent, in PEM format and signed by a valid personal certificate, to the competent Registration Authority. The certificate will be issued only after a validity check of the e-mail address specified in the request.

To generate a request, use the openssl req command (see the example below) with this configuration file; irregular requests will be rejected.

All alternative server names, except the primary one, must be written in the [server_cert] section of the given configuration file before generating the request.

For example:

[server_cert]
subjectAltName = DNS: altname1.your.dom, DNS: altname2.your.dom, DNS: altname3.your.dom

Please take care to respect the exact syntax!

To generate the certificate request you must use the -reqexts option together with the configuration file you modified.

Practical example

A new multiple-name server certificate is required for mercurio.fi.infn.it (primary name), with hermes.fi.infn.it as the alternative name.

  1. Modification of host_multi.conf:
    [ server_cert ]
    subjectAltName = DNS:hermes.fi.infn.it
  2. Command execution:
    > openssl req -new -nodes -out req.pem -keyout key.pem -config host_multi.conf -reqexts server_cert

Creation of a request: an example
> openssl req -new -nodes -out req.pem -keyout key.pem -config host_multi.conf -reqexts server_cert
Using configuration from host_multi.conf
Using configuration from ./host_multi.conf
Generating a 1024 bit RSA private key
...............................++++++
.++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country []: IT
Organization []: INFN
Certificate type [ ]: Host
Structure name (for instance: Pisa) []: Firenze
Server FQDN (primary name only) [ ]: mercurio.fi.infn.it
Server manager email address [ ]: roberto.cecchini@fi.infn.it

> chmod 600 key.pem

The certificate is usually issued within 2 working days (please note, however, that the service is offered on a best-effort basis).
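The following added example (not the INFN CA's own configuration file or scripts) automates the multiple-name procedure above and checks the resulting request against the host name space listed under Address Space before it is signed and sent to the RA. It assumes a POSIX shell with openssl available; the section name req_dn, the output directory and the 2048-bit key size are choices of this example, not of the page.

```shell
#!/bin/sh
# Added example, not the INFN CA's own host_multi.conf or tooling. It builds a
# minimal config whose [server_cert] section follows the page, generates the
# request non-interactively with -reqexts, and checks DN and SAN before the
# request is signed and sent to the RA.
set -eu

# Minimal request config; "req_dn" is a constructed section name. The DN
# prompts of the real INFN file are replaced by -subj in make_request.
write_conf() {   # $1=config path, $2...=alternative names (primary name excluded)
    conf=$1; shift
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}       # -> "DNS:a,DNS:b"
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' >"$conf"
    printf '[ server_cert ]\nsubjectAltName = %s\n' "$sans" >>"$conf"
}

# Key and CSR written to $4/. 2048-bit RSA instead of the 1024 bits shown on
# the 2006 page, which is no longer considered adequate.
make_request() {  # $1=conf $2=structure name (L) $3=primary FQDN $4=output dir
    openssl req -new -nodes -newkey rsa:2048 -config "$1" -reqexts server_cert \
        -subj "/C=IT/O=INFN/OU=Host/L=$2/CN=$3" \
        -out "$4/req.pem" -keyout "$4/key.pem" 2>/dev/null
    chmod 600 "$4/key.pem"      # as on the page: only the request leaves the host
}

# Echo "ok" when the CSR subject is exactly the expected host DN and every
# alternative name appears in the SAN extension; otherwise echo what failed.
check_request() {  # $1=csr $2=structure name $3=primary FQDN $4...=alt names
    csr=$1 want="CN=$3,L=$2,OU=Host,O=INFN,C=IT"; shift 3
    got=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/ //g')
    [ "$got" = "$want" ] || { echo "bad subject: $got"; return 0; }
    text=$(openssl req -in "$csr" -noout -text)
    for n in "$@"; do
        printf '%s\n' "$text" | grep -Eq "DNS:$n(,|\$)" || { echo "missing SAN $n"; return 0; }
    done
    echo ok
}

# Reproduces the page's practical example in a temporary directory.
demo() {
    dir=$(mktemp -d)
    write_conf "$dir/host_multi.conf" hermes.fi.infn.it
    make_request "$dir/host_multi.conf" Firenze mercurio.fi.infn.it "$dir"
    check_request "$dir/req.pem" Firenze mercurio.fi.infn.it hermes.fi.infn.it
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh make_csr.sh demo` (any file name) to see the check print ok; the DN check is deliberately strict, since the page states that irregular requests are rejected.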

Service certificates

WARNING: this kind of certificate is not suitable for host certification (for instance a web server); in that case a server certificate should be used.

The server name has to be correctly registered (direct and reverse) in the DNS, so please pay attention to DNS propagation delay!

All new certificate requests and all renewal requests must be sent, in PEM format and signed by a valid personal certificate, to the competent Registration Authority. The certificate will be issued only after a validity check of the e-mail address specified in the request.

To create a request, use this OpenSSL configuration file (modified on 30/01/06); irregular requests will be rejected.
N.B.: the "Structure name" field must contain the L value specified in your personal certificate (as listed in the Registration Authority's table).

Creation of a request: an example
> openssl req -new -nodes -out req.pem -keyout key.pem -config service.conf
Using configuration from service.conf
Using configuration from ./service.conf
Generating a 1024 bit RSA private key
...............................++++++
.++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country []:IT
Organization []:INFN
Certificate type [ ]:Service
Structure name (ad es. Pisa) []:Firenze
Service name/Server FQDN (for instance: ftp/a.b.c.d) [ ]:ftp/postino.fi.infn.it
Server manager email address [ ]:roberto.cecchini@fi.infn.it

> chmod 600 key.pem

The certificate is usually issued within 2 working days (please note that the service is offered on a best-effort basis).

Certificate revocation

In order to revoke your personal certificate, please send us an e-mail, signed by your personal certificate, detailing the reasons why you need a revocation.

The e-mail subject must contain your name and the certificate number that should be revoked.

If you are not able to sign the revocation message, the revocation must be requested by the competent Registration Authority.

The revocation of a server or service certificate must always be requested by the competent Registration Authority.

For more information please see the INFN CA Certificate Policy and Certification Practice Statement document.