How to request a certificate in an eduGAIN sub-CA

From GEANT2-JRA1 Wiki

To request a valid certificate in the eduGAIN trust model, first identify which eduGAIN sub-CA includes your federation (or your organization). At this time, the following eduGAIN sub-CAs are available:

  • eduGAINSCA: issues certificates for the Bridge Elements (BE) of those federations that are not able or willing to run their own federation eduGAIN subordinate CA. This CA has the following RAs:
    • FedIRIS: this RA is for test purposes. At this time, you can request certificates for perfSONAR elements for your development process.

The web application used for all CAs is pkIris. The JRA5 team has written the following guide for requesting a certificate:

  1. Select your corresponding federation. At the moment there is only one federation, for testing: FedIRIS.
  2. Click Certificate Request in the User menu on the left.
  3. Fill in the fields of the form, bearing in mind that:
    • Name: Your first name.
    • First Surname: Your surname or your first surname, it's up to you.
    • Second Surname: Leave it blank or enter your second surname, it's up to you.
    • User password: A password for your user at the system, not for the web interface.
    • Tel: A telephone number.
    • e-mail: Your e-mail address.
    • Identifier: The CN for the certificate; it must be an FQDN.
    • Organization: Your organization, e.g. FedIRIS, RESTENA.
    • CSR CIN: A unique Certificate Identification Number to protect the certificate.
    • Component Identifier: The appropriate eduGAIN component identifier(s).
      • For Automated Clients, you have to write the following URN:
        • urn:geant:edugain:component:ee:UUID
  4. Confirm the data that will be used to generate the CSR, and select the key length.
  5. Wait for the private key to be generated. The private key is stored in the web browser, so it is very important that you download the certificate (once it has been issued) with the same browser you used to make the certificate request.
  6. A confirmation message is shown; you must remember the identifier and the request code, both of which are shown in bold.
  7. Wait until you receive an email like this one:
    • Subject: Certificate issued
    • Content: The certificate with identifier test28.rediris.es and copa number a3b12c1 have been issued. It can be downloaded from [1]
  8. In the certificate download web form, type the certificate identifier, i.e. test28.rediris.es in the above example.
  9. Finally, download the certificate by clicking the button at the bottom of the web page.
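
Before filling in the form in step 3, the Identifier and Component Identifier values can be checked locally. The following is an added example, not part of the original guide or of pkIris; it covers only the automated-client URN form shown above and assumes that the "UUID" placeholder stands for a UUID in canonical text form. The function names are hypothetical.

```python
import re
import uuid

# Prefix from the guide's Component Identifier field (automated clients).
EE_PREFIX = "urn:geant:edugain:component:ee:"

# One DNS label: 1-63 letters, digits or hyphens, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def new_component_urn():
    """Build a fresh identifier (assumption: UUID means a canonical UUID)."""
    return EE_PREFIX + str(uuid.uuid4())


def is_fqdn(name):
    """True if name is a plausible FQDN for the certificate CN."""
    if len(name) > 253:
        return False
    labels = name.split(".")
    # Reject single labels ("localhost") and IPv4-looking values.
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    # Wildcards, empty labels and stray whitespace fail the label pattern.
    return all(_LABEL.fullmatch(label) for label in labels)


def is_component_urn(value):
    """True if value is EE_PREFIX followed by a canonical-form UUID."""
    if not value.startswith(EE_PREFIX):
        return False
    tail = value[len(EE_PREFIX):]
    try:
        # uuid.UUID also accepts braces or missing hyphens; require canonical.
        return str(uuid.UUID(tail)) == tail.lower()
    except ValueError:
        return False


def check_request(identifier, component_ids):
    """Return a list of problems found in the form values (empty if none)."""
    problems = []
    if not is_fqdn(identifier):
        problems.append("Identifier is not an FQDN: %r" % identifier)
    if not component_ids:
        problems.append("no Component Identifier given")
    problems += ["bad Component Identifier: %r" % c
                 for c in component_ids if not is_component_urn(c)]
    return problems


if __name__ == "__main__":
    urn = new_component_urn()  # constructed sample value
    print(urn, check_request("test28.rediris.es", [urn]))
```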