Issuing an SDSS Certificate
This page describes how to issue an SDSS certificate, starting from a Certificate Signing Request (CSR) file supplied by the applicant.
1. Log in to the SDSS account on bodach.
2. Go to the following directory:
cd sdss-ca
3. Copy the applicant's .csr file to this directory. Any binary file copying method will do, e.g.:
scp you@yourmachine:filename.csr .
4. Inspect the contents of the .csr file:
openssl req -text -noout < filename.csr
Check that C=GB, O=JISC Core Middleware Programme, OU=xxx Project (where xxx is the applicant's project acronym) and that CN is a plausible DNS domain name within the applicant's institution (e.g., CN=foo.gla.ac.uk would not normally be allowed for an applicant from Edinburgh). In case of doubt, contact the applicant before going any further.
It is possible in exceptional circumstances to issue certificates whose subject is not in the above form. To do that, override the default openssl configuration file by setting OPENSSL_CONF before invoking the CA software, like this (note that the setting persists for the rest of the shell session):
export OPENSSL_CONF=/home/shibb/sdss-ca/openssl.cnf.signany
5. If it is not already in this form, rename the file as xxx.csr, where xxx is the CN, e.g.:
mv filename.csr shibbox.uni.ac.uk.csr
6. You can skip this step if the applicant's manager's phone number is already listed in the text file phones.txt. Otherwise, call a national directory enquiries service (118xxx) to get the main switchboard number of the applicant's institution. Phone that switchboard and ask them to give you the number of the applicant's project manager (the applicant should have supplied the name in their request). Don't let them put you straight through: the object is to verify the manager's phone number.
6(b) Optional. Once verified, the phone number can be added to our list of verified phone numbers by editing the text file phones.txt.
7. Phone the applicant's manager AT THE VERIFIED PHONE NUMBER (other numbers, like mobiles, won't do) and check that they are aware of the certificate request (and ideally the DNS name it is for and who it came from).
8. Copy the .csr file to newreq.pem:
cp shibbox.uni.ac.uk.csr newreq.pem
9. Invoke the CA software:
CA.pl -sign
10. You will be prompted to enter the CA pass phrase, WHICH MUST BE KEPT SECRET. On entering the pass phrase, the request will be shown again. Double-check the details and if they are correct then enter 'y' to both yes/no prompts asking whether the certificate should be issued and the database updated.
11. Move the request file into the subdirectory for those:
mv shibbox.uni.ac.uk.csr csrs
12. Rename the generated certificate to xxx.crt, where xxx is the CN (DNS name) requested by the applicant:
mv newcert.pem shibbox.uni.ac.uk.crt
13. Optionally, you may wish to check that the generated certificate looks correct:
openssl x509 -text -noout < shibbox.uni.ac.uk.crt
14. Make a local copy of the certificate on your own machine, using any convenient binary file copying method, e.g.:
scp shibbox.uni.ac.uk.crt you@yourmachine:
15. Move the original certificate into the subdirectory for those:
mv shibbox.uni.ac.uk.crt certs
16. E-mail your copy of the certificate to the applicant, usually as a file attachment. It is just a text file, so the part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) can instead be cut and pasted into a text e-mail if required or preferred. Note that applicants with Windows-based e-mail systems often cannot receive files with the extension .crt (as a security measure), so if sending as an attachment it is usually best to rename the file extension from .crt to .pem before transmission.
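The subject checks in step 4 and the sanity check in step 13 are done by eye in the procedure above. The following script, an added example that is not part of the original page or of the SDSS CA tooling, automates both: it parses the Subject line of the text that openssl req -text -noout (for the CSR) and openssl x509 -text -noout (for the issued certificate) print, checks C, O, OU and CN against the rules in step 4, and confirms that the issued certificate carries the same subject as the request. The institution domain (e.g. ed.ac.uk) is supplied by the operator; the form of the OU check (an alphanumeric acronym followed by " Project") and the sample openssl outputs are assumptions constructed for the example.

```python
"""Automated versions of the step-4 CSR subject checks and the step-13
issued-certificate check.  Added example, not part of the SDSS page or CA
tooling.  It works on the text output of `openssl req -text -noout` and
`openssl x509 -text -noout`, so it needs no OpenSSL bindings."""
import re

EXPECTED_C = "GB"
EXPECTED_O = "JISC Core Middleware Programme"
# Assumption: project acronyms are short alphanumeric tokens ("OU=xxx Project").
OU_PATTERN = re.compile(r"^[A-Za-z0-9-]+ Project$")
# RFC 1123-style hostname with at least two labels and an alphabetic TLD.
HOSTNAME_PATTERN = re.compile(
    r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)


def parse_subject(openssl_text):
    """Return the 'Subject:' line of openssl -text output as a dict.

    Accepts both the older 'C=GB, O=...' and the newer 'C = GB, O = ...'
    spacing.  Values containing commas are not expected in SDSS subjects.
    Raises ValueError if no Subject line is present.
    """
    for line in openssl_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            fields = {}
            for part in stripped[len("Subject:"):].split(","):
                key, sep, value = part.partition("=")
                if sep:
                    fields[key.strip()] = value.strip()
            return fields
    raise ValueError("no Subject line found in openssl output")


def check_csr_subject(csr_text, institution_domain):
    """Apply the step-4 rules.  Returns a list of problems (empty means OK).

    institution_domain is the DNS suffix of the applicant's institution,
    e.g. 'ed.ac.uk'; the operator supplies it from the request (assumption
    of this example: the page leaves that comparison to the human reviewer).
    """
    subject = parse_subject(csr_text)
    problems = []
    if subject.get("C") != EXPECTED_C:
        problems.append("C is %r, expected %r" % (subject.get("C"), EXPECTED_C))
    if subject.get("O") != EXPECTED_O:
        problems.append("O is %r, expected %r" % (subject.get("O"), EXPECTED_O))
    ou = subject.get("OU", "")
    if not OU_PATTERN.match(ou):
        problems.append("OU %r is not of the form 'xxx Project'" % ou)
    cn = subject.get("CN", "")
    if not HOSTNAME_PATTERN.match(cn):
        problems.append("CN %r is not a plausible DNS name" % cn)
    else:
        cn_l, dom_l = cn.lower(), institution_domain.lower()
        if not (cn_l == dom_l or cn_l.endswith("." + dom_l)):
            problems.append("CN %r is outside %s" % (cn, institution_domain))
    return problems


def issued_matches_request(csr_text, crt_text):
    """Step-13 check: the issued certificate's subject must equal the CSR's."""
    return parse_subject(csr_text) == parse_subject(crt_text)


# Constructed, abridged sample of `openssl req -text -noout` output.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, O=JISC Core Middleware Programme, OU=ABC Project, CN=shibbox.uni.ac.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""

# Constructed, abridged sample of `openssl x509 -text -noout` output for the
# issued certificate (newer OpenSSL spacing; issuer name is a placeholder).
SAMPLE_CRT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = GB, O = JISC Core Middleware Programme, CN = SDSS CA PLACEHOLDER
        Subject: C = GB, O = JISC Core Middleware Programme, OU = ABC Project, CN = shibbox.uni.ac.uk
"""

if __name__ == "__main__":
    print(check_csr_subject(SAMPLE_CSR_TEXT, "uni.ac.uk"))
    print(check_csr_subject(SAMPLE_CSR_TEXT, "ed.ac.uk"))
    print(issued_matches_request(SAMPLE_CSR_TEXT, SAMPLE_CRT_TEXT))
```

In use, capture the openssl output into a string (for example with subprocess) and pass it in; an empty problem list from check_csr_subject does not replace the telephone verification in steps 6 and 7, it only catches subjects that should never reach that stage.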