BEgrid CA info
BEGrid CA homepage
Contact: gridca@belnet.beNOSPAM
BEGrid Certification Authority
- The full BEgrid CA policies and procedures: pdf-version, html-version
- How to request a user certificate via the web? pdf-version, wiki
- How to request a server certificate? Server certificate
- Un*x batch tool to generate a proper BE-Grid CSR: begrid-gencsr.tar.gz
- Request a BEgrid certificate with a Un*x batch tool
crl_url=http://gridra.belnet.be/pub/crl/cacrl.pem
CA Alias: BEGrid Hash: 03aa0ecb
Info on differences between the certificate formats *.pfx *.p12 *.cer *.crt *.spc *.p7b
pfx, p12
These are PKCS #12 container files, DER encoded. They contain not only certificates, but also private keys in encrypted form. More information on PKCS: http://www.rsasecurity.com/rsalabs/. An introduction to BER/DER is also available there.
CER
This is an X.509 certificate in binary form, DER encoded. [Distinguished Encoding Rules (DER) is a message transfer syntax specified by the ITU in X.690. It is a method for encoding a data object, such as an X.509 certificate, to be digitally signed or to have its signature verified.]
CRT
This is a binary X.509 certificate, encapsulated in text (base-64) encoding.
p7b
This is a PKCS #7 file. PKCS #7 is a container which may contain plain data, signed data, encrypted data, or a combination of these. It may also contain the set of certificates needed to validate the certification chain. One possible use of PKCS #7 is, for example, a recertification request: a PKCS #10 certification request encapsulated as plain data in PKCS #7 Signed Data.
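File extensions are only a convention, so it helps to identify these formats from their content. The following is an added example, not part of the original page or any BEgrid tool: it tells PEM (base-64 text) from DER and guesses the structure from the first ASN.1 element. The function names and the sample bytes are constructed for illustration, and the X.509 branch is a heuristic.

```python
import base64
import re

PKCS7_OID_PREFIX = bytes.fromhex("2a864886f70d0107")  # OID 1.2.840.113549.1.7 (PKCS #7 arc)
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_der(der):
    """Guess the structure from the first element inside the outer SEQUENCE."""
    try:
        outer_tag, start, _ = read_tlv(der)
        tag, v_start, v_end = read_tlv(der, start)
    except IndexError:
        return "unknown"
    value = der[v_start:v_end]
    if outer_tag != 0x30:
        return "unknown"
    if tag == 0x02 and value == b"\x03":
        return "PKCS #12"  # PFX ::= SEQUENCE { version INTEGER (3), ... }
    if tag == 0x06 and value.startswith(PKCS7_OID_PREFIX):
        return "PKCS #7"  # ContentInfo ::= SEQUENCE { contentType OID, ... }
    if tag == 0x30:  # heuristic: a PKCS #10 request also starts SEQUENCE, SEQUENCE
        return "X.509 certificate"  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    return "unknown"

def classify(data):
    """Return (encoding, structure) for the raw bytes of a file."""
    match = PEM_RE.search(data)
    if match:
        return "PEM", classify_der(base64.b64decode(match.group(2)))
    kind = classify_der(data)
    return ("DER" if kind != "unknown" else "unknown"), kind

# Constructed skeletons: only the leading bytes of each structure, not real credentials
SAMPLES = {
    "p12": bytes.fromhex("3003020103"),
    "p7b": bytes.fromhex("300b06092a864886f70d010702"),
    "cer": bytes.fromhex("30023000"),
    "crt": b"-----BEGIN CERTIFICATE-----\nMAIwAA==\n-----END CERTIFICATE-----\n",
}
```

To check a real file, pass its bytes to classify(), for example classify(open(path, "rb").read()).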
Convert between key types
Quattor Client certificate (p12 with passphrase to p12 without passphrase)
When you request a new certificate for your QC, your browser generates a private key. Once the request has been authorized, you can import the certificate into your browser and use the browser's export (or backup) functionality to save it to a p12 file. We name this file quattor_browser.p12; a passphrase with a minimum length of 4 characters will be required...
Copy the file to CB6/keys on your Quattor Client and run the following to remove the passphrase. The first command writes the private key unencrypted to quattor.pem; leave the export password empty when the second command prompts for it:
- openssl pkcs12 -in quattor_browser.p12 -out quattor.pem -nodes
- openssl pkcs12 -export -in quattor.pem -inkey quattor.pem -out quattor.p12
Et voila!
Known issues with certificates requests
April 2008: IE7 in Vista
Changes in the way Microsoft enrolls certificates in their latest operating systems (including Vista) lead to an incompatibility when using the OpenCA software that is currently used by BELNET to issue the BEgrid certificates.
More details can be found in this article by Microsoft's TechNet division: http://technet2.microsoft.com/WindowsVista/en/library/73bdca07-a9f0-40d7-a26e-6f4f11759e4c1033.mspx?mfr=true
The BEgrid CA recommends that users use a different web browser on their Windows Vista machine, namely Firefox 3.
May 2008: Warning: possible weak keys due to vulnerability in Debian PseudoRandom Number Generator
The random number generator in Debian's openssl has been announced to be predictable. This could lead to cryptographic key material being guessable through a brute-force attack given minimal knowledge of the system [http://metasploit.com/users/hdm/tools/debian-openssl/]. The BEgrid CA recommends that users use a non-Debian-based operating system to request their user or host certificates.