Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n RA Registration Christos Kanellopoulos GRNET SAGrid All-Hands Meeting, 26 March 2013

Overview “SEE-GRID CA is a Certification Authority managed and operated by the GRNET S.A., coordinator of the Greek National Grid Initiative, in cooperation with the Scientific Computing Center at the Aristotle University of Thessaloniki.” 2

History July 2004 and April 2010, SEE-GRID CA had been operating in the context of the SEE-GRID Regional Grid Infrastructure project series (SEE-GRID-I , SEE-GRID-II , SEE-GRID-SCI ) with the mandate to provide catch all PKI services to the wider region of South Eastern Europe in order to facilitate the needs of distributed computing and pave the way for the countries in the region to establish their own national Public Key Infrastructure and guide them through the IGTF accreditation process Since May 2010, SEE-GRID CA provides Catch-All PKI services for the European Grid Initiative (EGI.eu) in the context of EGI-InSPiRe Project. 3

Registration Authorities  The procedures of identification and authentication of the certificate applicants are performed by trusted individuals (Registration Authorities), appointed by the SEE-GRID CA. 4 CountryRegistration Authority / Organization GreeceGRNET AlbaniaPolytechnic University of Tiranata Bosnia and HerzegovinaUniversity of Banja Luka Bosnia and HerzegovinaUniversity of Sarajevo GeorgiaGRENA AzerbaijanNational Academy of Sciences SenegalUniversity Chaukh Anta DIOP SwitzerlandSixSq

How to Create a Registration Authority  In order to setup a SEE-GRID CA Registration Authority:  an official request from a legal representative of the Institute or Organization  The formal name of the institute  The person (name, contact information) of the person who will act as the RA Manager for the Institute/Organization  The person(s) (name, contact information) who will act as the RA operator(s) for the institute  A template for the request letter can be found here:  5

How to Create a Registration Authority  The request must be sent to the SEE-GRID CA headquarters by mail  as this usually delays the procedure, we ask the applicants to send us also a scanned version via in order to speed up the process.  When we receive the , we can organize a video call with the applicant in order to finalize the process  The RA Manager should be staff of the Institute/Organization  {S}he will be the main contact point between SEE-GRID CA and the Institute/Organization.  The RA manager can appoint one or more RA Operator(s) who will perform the day to day tasks 6

How to Create a Registration Authority  The RA operator is technical role. Has the duty to:  schedule face to face meetings with applicants in order to validate their requests,  keep the necessary records and forward the validated requests to the SEE-GRID CA.  It it not uncommon that the RA Manager also performs the duties of the RA Operator where the number of certificate requests does not justify the allocation of more resources 7

Identity Vetting  Physical Person:  The subject must contact the RA in person, in order to have his/her identity vetted and to verify the validity of the request.  The authentication of the subject is performed through the presentation of a valid photo ID document or passport.  In cases where the subject resides in a remote geographical location and access to an RA is not possible, identity vetting may be performed via video call.  In this case, an authenticated photocopy of the required document (ID document or passport must be delivered by mail or courier service to the RA prior to this online meeting.  Authenticated photocopy refers to the verification made by a legally accepted notary public under the law of the country where the RA operates 8

Identity Vetting  Digital Processing Entity or Service  The entity must already have a valid DNS entry and be in the administration domain of the applicant.  The system administrator requesting the certificate must use his/her personal certificate, issued by an IGTF accredited CA,  to authenticate to the SEE-GRID CA web portal or digitally sign the in order to submit the certificate request 9

Identity Vetting  Robot:  At least one of the responsible persons for the operations of the Robot must use his/her personal certificate to digitally sign the e- mail in order to submit the certificate request. 10

How to generate a Certificate Request  In order to generate a Certificate Request you need access to a machine with OpenSSL installed  Substitute {Country Code} with the two letter ISO Alpha-2 code of the country in capital letters.  Substitute {People|Hosts} with People if this request is for a personal certificate or Hosts if the request os made for a host, service or robot certificate.  Substitute {Institution Name} with the full name of your institution (for example Greek Research and Technology Network)  Substitute {Firstname Lastname} with your First and Last name. You may add your initials in between the First and Last name if you desire. 11 $ openssl req -newkey rsa:2048 –subj > "/DC=EU/DC=EGI/C={Country Code}/O={People|Hosts}/O={Institution Name}/ > CN={Firstname Lastname}" > -out cert_request.pem

Further Information  How to set up a new SEE-GRID CA Registration Authority  registration-authority registration-authority  How to change over a SEE-GRID CA Registration Authority  registration-authority registration-authority  How to create a certificate request 