KEK GRID CA 2024 Enrollment Manual

Version 1.0
2025-08-27

1. CA Service Application

1.1. Submitting Application Form

Users can request a KEK Grid CA service account via the Online Application Portal, ccPortal. All users must submit an application form and a copy of the user's (high resolution) photo ID to the Administration Office of the KEK Computing Research Center by the system. It is desirable that the user's photo ID is issued by the user's home institute. If it is not possible, a copy of your ID from the home institute in addition to one copy of a public photo ID can be submitted instead. Your personal information (including a copy of photo ID) is used exclusively for the purpose of managing your account and issued certificates, and in particular, vetting your identity by a face-to-face or video conferencing interview.

1.2. Identification and Interview

After receiving an application form, KEK GRID RA examines it according to CP/CPS document, and interviews the applicant. The interview is scheduled based on an agreement between the RA and the applicant. The interview can be either face-to-face or through video conference.

1.3. Authorization

If the application is approved by the interview, the KEK GRID RA will inform the KEK GRID CA 2024 that the request has been approved. The KEK GRID CA 2024 then creates a username and a password, which will be used to obtain a certificate from the CA system. The initial password is set to 10 digits random characters. The username and the initial password will be able to retrieve from ccPortal.

You should change the initial password as soon as you receive it and keep in mind your changed password.

2. Managing User Account

2.1. Change User's Password

To change your password, visit Password Management Service with your favorite web browser. The KEK GRID CA 2024 requires a user to keep her/his password more than 10 digits long.

2.2. Change User's Common Name

If you want to change your Common Name (CN), please contact consult@kek.jp.

3. Setting up Command Line Interface (CLI)

User can use the CLI for KEK GRID CA 2024 on your computer system. The CLI communicates with the KEK GRID CA 2024 through the public Internet. If your client node is placed behind a firewall, please ensure that the firewall is configured so that transmissions are allowed to/from KEK GRID CA 2024 services:TCP ports 80, 443, 2560 on 130.87.6.224 / 2001:2f8:3e:6::224 and TCP ports 443, 11417 on 130.87.6.225 / 2001:2f8:3e:6::225

3.1. KEK GRID CA 2024 CLI Installation

Using KEKCC: As the CLI is already installed on the KEKCC work server in /opt/kek/caclt, the following procedure is not required.

In case you use the CLI in an environment other than KEKCC: User have to install a CLI package which is a modified version of the NAREGI-CA software.

The NAREGI-CA software supports various UNIX platforms, however, the CLI has been tested on following Linux platforms only:

  • Red Hat Enterprise Linux 8.9 (x86_64)
  • Red Hat Enterprise Linux 9.6 (x86_64)

After downloading the CLI package, you can install it in the following way (You can change the installation directory ("/opt/kek/caclt" in the example below) to whereever you like. The default is "/usr/local". CAUTION: The following steps will overwrite the previsous version if you specify the same directory):

  1. Unpack a download file
    ex) $ tar zxf kekgca2024-clt.20250826.tar.gz
  2. Change working directory to the source directory
    ex) $ cd kekgca-clt
  3. Configure and make
    ex) $ ./configure --prefix=/opt/kek/caclt; make client
  4. Install CLI files
    ex) $ make install-client

4. Obtaining a Certificate

4.1. Obtain a User Certificate with KEK GRID CA 2024 CLI

  1. Execute "certreq" with the options below

    $ /opt/kek/caclt/bin/certreq issue -uid your_username -ucert

  2. Input your password following the prompt, to get access KEK GRID CA 2024:
    ------------------------------------------- 
  creating a certificate signing request 
-------------------------------------------
generate private key (size 4096 bit)
...................................oo
.............oo

please input your challenge pin to get a certificate
Input Challenge PIN or Password :
  3. Input Pass Phrase twice following the displayed prompt, to protect your generated private key:
    your_username is now trying to login...
99 bytes retrieved as CN.
trying to connect RA server : rra01.kek.jp (11417) ... ok.
request for issuing a new certificate ... ok.
save a CA certificate file : e7a6d5cc.0
save a certificate file : usercert.pem
save a private key file : userkey.pem
Input PASS Phrase:     
Verifying - Input PASS Phrase:

The following files should be created under current working directory:

  • usercert.pem
  • userkey.pem
  • e7a6d5cc.0 (CA certificate)
Please note that certreq overwrites usercert.pem and userkey.pem if these files exist in current working directory (with write permission enabled).

You have to set appropriate permissions on userkey.pem (400) and usercert.pem (644). Under usual Grid environment, these files are supposed to be placed in $HOME/.globus directory.

4.2. Obtaining a Host/Service Certificate

In order to issue host/service certificates, a special permission has to be given to your account.
Please contact consult@kek.jp for the permission.

4.2.1. Generation of One-time License Code

A one-time license is required to request issuing a Globus host/service certificate. You can get it with a web browser which supports a HTML form submission:

  1. Visit License Generation Service with your favorite web browser.
  2. Input your "username" and "password".
  3. Select number of licenses (i.e. hosts/services) as you need. You can get up to 32 license codes at a time.
  4. Click "Generate license code" button.
  5. License Generation Service shows several license codes like below: 
    1234567890-7GG4QI-FGVXVK
1234567890-7GF8QH-69SNL1
1234567890-7GEZQG-49YWR8
1234567890-7G7PQF-NG3CON
1234567890-7G6DQE-YRTWYQ
  6. You should keep the license codes (by saving a local text file).
4.2.2. Obtain Certificates with KEK GRID CA 2024 CLI

Execute "certreq" with the options below

    $ /opt/kek/caclt/bin/certreq issue -lic a_onetime_license_code -hcert -fqdn hostname
    or
    $ /opt/kek/caclt/bin/certreq issue -lic a_onetime_license_code -lcert -fqdn hostname

"-fqdn hostname" is a mandatory option when you obtain host/ldap certificates.

If you want to have a 2nd organizational unit (OU) field in the subject of a host/ldap certificate, you should execute "certreq" with the following options;

    $ /opt/kek/caclt/bin/certreq issue -lic a_onetime_license_code -hcert -fqdn hostname -mou 2nd_ou_name

The following files will be created under current working directory:

  • hostcert.pem
  • hostkey.pem
  • e7a6d5cc.0 (CA certificate)
or
  • ldapcert.pem
  • ldapkey.pem
  • e7a6d5cc.0 (CA certificate)

Please note that certreq overwrites certificates and key files (hostcert.pem and hostkey.pem or ldapkey.pem and ldapcert.pem) in current working directory.

You have to set appropriate ownership (usually root) and permissions on hostkey.pem (400) and hostcert.pem (644). Under usual Grid environment, these files are supposed to be placed in /etc/grid-security/ directory.

5. Updating Certificates

Certificates can be updated by either (5.1) rekeying or (5.2) revoking old one and then issuing new one.
5.1. Rekey certificates
For user certificate:

You can rekey your certificate, i.e. issue a new one with the same subject as the current one if the certificate will expire in less than 90 days.
Note that the old certificate is valid until the expiration date and you will receive email notifications until the old certificate expires or is revoked.
(The old certificate can be revoked from the Web enroll page as described in Section 6.2.)

  1. Check serial number (in decimal) and valid period of the expiring certificate.
    $ openssl x509 -in usercert.pem -serial -dates -noout
    serial=3039
    notBefore=Mar 01 00:00:00 2019 GMT
    notAfter=Apr 01 00:00:00 2020 GMT
    $ printf "%d\n" 0x3039
    12345
    or
    $ echo "ibase=16; 3039" |bc
    12345

  2. Make a new directory and copy the current files into the directory with different name.
    $ mkdir dirname
    $ cd dirname
    $ cp -p /somewhere/userkey.pem _userkey.pem
    $ cp -p /somewhere/usercert.pem _usercert.pem

  3. Rekey your certificate. Please don't forget to replace your_username with your username in the following example.
    $ /opt/kek/caclt/bin/certreq rekey -ucert -uid your_username -clkey _userkey.pem -clcer _usercert.pem 
    ------
Certificate DATA:
    serial number : 12345
    subject:
    C=JP, O=KEK, OU=CRC,  CN=XXXX XXXX
    Validity
      Not Before: Mar 01 00:00:00 2019
      Not After : Apr 01 00:00:00 2020
  4. Choose "y" 
    do you re-key this certificate ? (y/n)[y]:
  5. Input your password to get access KEK GRID CA 2024 
    please input your challenge pin or password to get a certificate
Input Challenge PIN or Password :
  6. Input a new passphrase to be set for the new certificate (private key) twice, and then input a passphrase set for the your current certificate (private key):
    generate private key (size 4096 bits)
................................o
........................................................o
-------------------------------------------
  creating a certificate signing request
-------------------------------------------
Input PASS Phrase:
Verifying - Input PASS Phrase:
save a private key file : userkey.pem
trying to connect RA server : rra01.kek.jp (11417)
Input PASS Phrase:
request for issuing a re-keyed certificate ... ok.
save a CA certificate file : e7a6d5cc.0
save a certificate file : usercert.pem
remove the CSR (unnecessary) : usercert.p10
For host certificate:

You can rekey your certificate, i.e. issue a new one with the same subject as the current one if the certificate will expire in less than 90 days.
Note that the old certificate is valid until the expiration date and you will receive email notifications until the old certificate expires or is revoked.
(See Section 6 for revocation of the certificate.)
  1. Check serial number (in decimal) and valid period of the expiring certificate.
    $ openssl x509 -in hostcert.pem -serial -dates -noout
    serial=3039
    notBefore=Mar 01 00:00:00 2019 GMT
    notAfter=Apr 01 00:00:00 2020 GMT
    $ printf "%d\n" 0x3039
    12345
    or
    $ echo "ibase=16; 3039" |bc
    12345

  2. Make a new directory and copy the current files into the directory with the different name.
    $ mkdir dirname
    $ cd dirname
    $ cp -p /somewhere/hostkey.pem _hostkey.pem
    $ cp -p /somewhere/hostcert.pem _hostcert.pem

  3. Rekey your certificate. Please don't forget to replace your_username with your username in the following example.
    $ /opt/kek/caclt/bin/certreq rekey -hcert -lic a_onetime_license_code -fqdn hostname -clkey _hostkey.pem -clcer _hostcert.pem 
    ------
Certificate DATA:
    serial number : 12345
    subject:
    C=JP, O=KEK, OU=CRC, CN=host/xxx,
    Validity
      Not Before: Mar 01 00:00:00 2019
      Not After : Apr 01 00:00:00 2020
  4. Choose "y" 
    do you re-key this certificate ? (y/n)[y]:
generate private key (size 4096 bits)
......................................................o
....................................................................o
-------------------------------------------
  creating a certificate signing request
-------------------------------------------
save a private key file : hostkey.pem
trying to connect RA server : rra01.kek.jp (11417)
request for issuing a re-keyed certificate ... ok.
save a CA certificate file : e7a6d5cc.0
save a certificate file : hostcert.pem
remove the CSR (unnecessary) : hostcert.p10
5.2. Revocation and Reissuance
You can revoke the old certificate and reissue new one with following steps:
  1. Revoke your previous certificate, according to section 6
  2. Request a new certificate, according to section 4

6. Revoking Certificates

There are two ways to revoke a certificate.
If the certificate already expired or you do not remember the passphrase, revoke it from your web browser, as described in section 6.2.

6.1. Using KEK GRID CA 2024 CLI

"certreq" command has a function to revoke a certificate.

Revocation using the CLI needs a set of files as below:

  • userkey.pem & usercert.pem
  • hostkey.pem & hostcert.pem
  • ldapkey.pem & ldapcert.pem

You need to specify relative/absolute file names if these are not in current working directory:

  1. Execute "certreq" with appropriate options

    $ /opt/kek/caclt/bin/certreq revoke -ucert -clkey userkey.pem -clcer usercert.pem
    or
    $ /opt/kek/caclt/bin/certreq revoke -hcert -clkey hostkey.pem -clcer hostcert.pem
    or
    $ /opt/kek/caclt/bin/certreq revoke -lcert -clkey ldapkey.pem -clcer ldapcert.pem 
    -------------------------------------------
  revoke a current user certificate
-------------------------------------------
Certificate DATA:
    serial number : 12345
    subject:
    C=JP, O=KEK, OU=CRC, CN=Test User, 
do you revoke this certificate ? (y/n)[y]:  
------
Set revocation reason >>
  unspecified(0), keyCompromise(1), cACompromise(2),
  affiliationChanged(3), superseded(4), cessationOfOperation(5),
  certificateHold(6), removeFromCRL(8), privilegeWithdrawn(9),
  aaCompromise(10)
select reason code (-1 means 'cancel') [0]: 
trying to connect RA server : rra01.kek.jp (11417) 
Input PASS Phrase: 
request for certificate revocation ... ok
success to revoke a certificate (sn:12345)

6.2. Using Web Browser

You can revoke an issued certificate at the KEK GRID CA 2024 service with a web browser.

  1. Visit User Enroll page with web browser.
  2. Type inputs following the prompt as needed.

Detailed procedures are illustrated in Revocation of User certificate and Revocation of Host certificate

i. Appendix A: Converting a Certificate

To import a certificate into browsers, the certificate should be in PKCS12 encrypted form.
You can convert the certificate by using openssl command as follows:
$openssl pkcs12 -export -legacy -in usercert.pem -inkey userkey.pem -out user.p12
where user.p12 is the name of your converted file.

In this command, you will be prompted for Pass Phrase and Export Password.
Pass Phrase is the pass phrase of your key file.
Export Password is the password for exporting the certificate to browsers.

The PKCS12 file can be converted to the PEM files by using the following openssl commands:
$openssl pkcs12 -in user.p12 -clcerts -nokeys -out usercert.pem
$openssl pkcs12 -in user.p12 -nocerts -out userkey.pem

ii. Appendix B: Import a Certificate to Browsers

This section shows how to import the certificate (in p12) to your browsers. Several combinations of major browsers and OSes are covered here.

= Microsoft Edge 134.0.3124.72 (Windows 11)

open Settings -> Privacy,search,and services -> Security -> Manage certificates
click import and enter the filename

= Firefox 136.0.2 (Windows 11)

open Settings -> Privacy & Security
under Certificates, click View Certificates ->Your Certificates
click import and enter the filename

= Firefox 128.9.0 (Linux)

open Settings -> Privacy & Security
under Certificates, click View Certificates ->Your Certificates
click import and enter the filename

= Chrome 134.0.6998.118 (Windows 11)

open Settings -> Privacy and security -> Security -> Manage Certificate -> Manage imorted certificates from Windows
click import and enter the filename

= Chrome 134.0.6998.117 (Linux)

open Settings -> Privacy and security -> Security -> Manage Certificate
click import and enter the filename

= Safari 18.1 (MacOS Sequoia)

Doubleclick your certificate file (.p12)
or
open Terminal (Application -> Utility -> Terminal), then type "open [your-cert-file (in .p12)]"

(Keychain Access is invoked,) enter the password (passphrase)
(With Keychain Access (Application -> Utility -> Keychain Access),
you should have the certificate in your login keychain.)

Powered by NAREGI CA Ver 3.3 User Enroll Service modified by KEK.