CertWizard: a New Certificate Tool for the UK NGI User Community
John Kewley, Jens Jensen, David Meredith and Akay Okcun
16/11/2015, EGI TF 2011

Outline
1. The UK e-Science CA
2. Problems with our CA Web Interface
3. CertWizard
4. Future Work

The UK e-Science CA
* 2nd largest Grid CA
* IGTF accredited classic CA
* 28,972 certificates issued
* 2,882 active currently
* RA network across UK academia (61 RAs with 112 RA Operators)

The UK e-Science CA
To support ancillary services we also have
* 2x SLCS online CAs (SSO and SARoNGS)
* 3x MyProxy Servers
* 2x VOMS servers
* Training CA (for short-lived training certificates)
* Test CA (for RA Training and testing)

UK eScience Root CA Hierarchy

Problems
* Many certificate problems on our helpdesk (typically browser issues)
* Browsers change, we can't support them all, especially on different platforms
* OpenCA s/w we use hasn't been kept up to date... and we had amended it!
* Website certificate not trusted by browsers

"Hierarchitecture"
[Diagram: SigningCA, DB, CertWizard server, CertWizard client, PeCR2OpenCA, Browser, PeCR/PCR]

Features
1. Platform and browser independent
2. No CA Certificates to download first
3. Integrated into our existing MyProxyUploader

Functionality
* Apply for a new certificate
* Renew an existing certificate
* Request revocation of a certificate
* Export/Backup your certificate
* Import a certificate
* Integrated into our proxy generation tool:
  – GSI “local” proxies
  – MyProxy upload
  – Adding VOMS attributes

Apply for a Certificate

Renew Certificate

Request Revocation

Export/Backup

Install Certificate
* Converts certificate to a usercert/userkey.pem pair for use by the proxy generation parts of the tool.

Seamless Interworking
* Integrated with MyProxyUploader, our previous proxy generation tool
* Uploading to MyProxy servers
* Local Proxies
* Add VOMS attributes

Configuration
* CA Certificates
* MyProxy servers
* VOMS servers
* Your Certificate

MyProxyUploader

Local Proxy

VOMS attributes

Further Work
* Adding an RA Tab
* Adding a tab for Host Certificates, including bulk requests
* Provision for address changes
* Permit renewals within 1 month of expiry
* Upgrading underlying libraries

Other Developments
* Rollover of CA Certificate
* Moving to an online CA
* Improved functionality for bulk requests
* Considering accreditation for our SLCS CA
* Restructuring of our CP/CPS

Acknowledgements
* Jens Jensen, David Meredith and Akay Okcun
* Numerous other developers
* NGS
* STFC