
SiGNET CA Certification Authority

SiGNET Certification Authority provides X.509 certificates for identification, authentication, non-repudiation, data encipherment, message integrity and session key establishment purposes related to collaborative scientific, research and educational activities in Slovenia, most specifically Grid activities.

Eligible users and organizations include SiGNET partners and any entities formally based or having offices in Slovenia, and entities participating in projects based in Slovenia or collaborating with Slovenian organizations, for the use of cross-organizational communication and sharing of resources and information in the fields of research and/or education.

Specifically, SiGNET CA is involved with LCG (Large Hadron Collider Computing Grid http://lcg.web.cern.ch/LCG/) and EGEE (http://egee-ei.web.cern.ch/).

SiGNET CA is an accredited authority member of the EUGridPMA (The European Policy Management Authority for Grid Authentication in e-Science, http://www.eugridpma.org/). EUGridPMA coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware. Accredited Authority Members of EUGridPMA recognize and accept other members' certificates in a network of trust. EUGridPMA distributes trusted root certificates of all accredited authority member certification authorities.

Fast pointers

If you do not know how to proceed, read the User's guide to SiGNET certificates.

If you need more information on PKI (public key infrastructure) and Grid, read the PKI introduction where the use of certificates and keys in SiGNET, EGEE and LCG is explained.

You must be familiar with the SiGNET CA policy documents (http://signet-ca.ijs.si/policy/). SiGNET CA/CPS contains user obligations that will apply to any user requesting a certificate.

In particular, note that first-time users need to present personal photo ID at the SiGNET CA office (Jožef Stefan Institute, building J, room 314) before we can process your request. You should announce yourself by telephone or e-mail to avoid waiting, and present a filled-in form permitting SiGNET CA to store your personal identification data. Your personal identification data will be stored off-line.

First-time users form: http://signet-ca.ijs.si/CA-formular.pdf

Further help for eligible users and organizations is available through signet-ca@ijs.si.

Everything clear? Proceed directly to SiGNET CA public web interface: http://signet-ca.ijs.si/pub/.

SiGNET Certification Authority Overview

Target audience

Research and educational institutes that use Grids and resource-sharing as part of inter-organizational projects: LCG, EGEE etc.

Validity

SiGNET CA is an accredited authority of the EUGridPMA. As such, its certificates are recognized world-wide by the major Grid projects (EGEE, LCG). It is also accepted by most of the national Grid projects in Europe. Note that certificates issued by SiGNET CA have a limited validity of one year.

Getting your own

A full account of terms and conditions for obtaining a production certificate is detailed on these pages. For the impatient, you can go directly to the web-based request form (over secure http): http://signet-ca.ijs.si/pub/. Please fill the forms carefully. Instructions for authentication when requesting a user certificate will be sent by e-mail.

For authentication, first-time users need to present personal photo ID at the SiGNET CA office (Jožef Stefan Institute, building J, room 314) before the request is processed. You should announce yourself by telephone or e-mail to avoid waiting, and present a filled-in form permitting SiGNET CA to store your personal identification data. Your personal identification data will be stored off-line.

First-time users form: http://signet-ca.ijs.si/CA-formular.pdf

Renewing

If your certificate is about to expire, you will be warned by an e-mail addressed to the same mailbox the certificate was sent to. The e-mail will contain information about renewing your certificate with minimal hassle.

Accepting certificates

For your browser to accept certificates issued by SiGNET CA, the SiGNET CA root certificate must first be installed in the browser's certificate store, and you must enable it for the functions you want to allow (authentication, encipherment, non-repudiation etc.).

To download the SiGNET root certificate, you can use the web form interface at (http://signet-ca.ijs.si/pub/) or download it directly over http in a web browser-importable form from http://signet-ca.ijs.si/pub/cacert/signet02cacert.crt.

SiGNET CA root certificate is available in other forms over http or https:

Using SiGNET CA certificates on the Grid

To accept this CA on your grid resource, you must install SiGNET CA's root certificate (usually in the /etc/grid-security/certificates directory).

You can do that by installing a distribution package (such as RPM or deb) or by downloading the root certificate and a signing policy file.

Please see the relevant help pages for your Grid middleware implementation. Note that you likely want to install all EUGridPMA CAs. Sources for EUGridPMA CAs root certificates are listed at EUGridPMA's site: http://www.eugridpma.org/.

For Slovenian users, some documentation is available here: http://www.sling.si/users.html

Where is my certificate?

You can use the public interface to retrieve your certificate using your request number. A notification should have been sent to you when the certificate is ready. Note that the certificate does not include your private key: your key was generated with your request and kept on your disk (in the browser's storage, if a browser was used). You need to retrieve the certificate with the same browser so that the private key can be stored with the certificate.

It is a good idea to check that your certificate is correct. First, to check that an issued certificate has not been revoked, consult the Certificate Revocation List (CRL). You should do that before you start relying on a certificate. Any compatible software package (and www browsers) should do that automatically, since CRL distribution points are specified in certificates. To load the CRL in your web browser, use this URL: http://signet-ca.ijs.si/pub/crl/signet02cacrl.crl or https://signet-ca.ijs.si/pub/crl/signet02cacrl.crl for SSL security.

Of course, you should also make absolutely sure that the root certificate is correct. You can get the SiGNET CA root certificate via the public web request form: http://signet-ca.ijs.si/pub/ or directly via http at http://signet-ca.ijs.si/pub/cacert/signet02cacert.crt or via https at https://signet-ca.ijs.si/pub/cacert/signet02cacert.crt.

You can check that independently via EUGridPMA. Distribution locations for root certificates are listed at EUGridPMA's site: http://www.eugridpma.org/.

Once you have your certificate chain in order, you should export or back-up your certificate to a secure location in encrypted form.

Notes and warnings

You must be familiar with the SiGNET CA policy documents (http://signet-ca.ijs.si/policy/). SiGNET CA/CPS contains user obligations that will apply to any user requesting a certificate. By requesting a certificate or by incorporating the SiGNET CA PKI or certificates into your authentication scheme, you accept to comply with the policy and user obligations associated with the use of the SiGNET CA and you agree to conditions of use, including the permission to store personal data about you and your organization.

Most notably, please make sure you generate your public-private key pair yourself (e.g. with OpenSSL or in your www browser), and that you keep your private key really private. In particular, you should not send your private key along with your request, since that would automatically invalidate the key and the request. Possession of somebody's private key is enough for revoking said certificate.
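The checks described under "Where is my certificate?" (chain to the root, CRL, root fingerprint) and the locally generated key pair mentioned above can be exercised offline with the OpenSSL command line. This is an added example, not SiGNET CA's own tooling; the CA, the subjects `alice` and `bob`, and all file names are constructed for the demonstration, and a reasonably recent `openssl` binary is assumed.

```shell
# check_cert ROOT CRL CERT -> exit 0 only if CERT chains to ROOT and is not on the CRL
check_cert() {
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null 2>&1
}

# root_fingerprint ROOT -> SHA-256 fingerprint to compare with one obtained independently
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_demo_pki DIR -> constructed root, certs for alice and bob, bob revoked, CRL
make_demo_pki() {
    pki=$1; mkdir -p "$pki/newcerts"; : > "$pki/index.txt"; echo 01 > "$pki/serial"
    cat > "$pki/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $pki/index.txt
new_certs_dir = $pki/newcerts
serial = $pki/serial
certificate = $pki/ca.pem
private_key = $pki/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -config "$pki/ca.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$pki/ca.key" -out "$pki/ca.pem" -subj "/CN=Constructed Demo Root" 2>/dev/null
    for u in alice bob; do  # keys are made locally; only the CSR goes to the CA
        openssl req -config "$pki/ca.cnf" -newkey rsa:2048 -nodes \
            -keyout "$pki/$u.key" -out "$pki/$u.csr" -subj "/CN=$u" 2>/dev/null
        openssl ca -batch -config "$pki/ca.cnf" -notext -in "$pki/$u.csr" -out "$pki/$u.pem" 2>/dev/null
    done
    openssl ca -config "$pki/ca.cnf" -revoke "$pki/bob.pem" 2>/dev/null
    openssl ca -config "$pki/ca.cnf" -gencrl -out "$pki/crl.pem" 2>/dev/null
}
demo=$(mktemp -d) && make_demo_pki "$demo"
for u in alice bob; do
    check_cert "$demo/ca.pem" "$demo/crl.pem" "$demo/$u.pem" && echo "$u: valid" || echo "$u: rejected"
done
```

Against real files, `check_cert` takes the PEM-encoded root, CRL and user certificate; a CRL or certificate downloaded in DER form must be converted to PEM first.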

Legalese

SiGNET CA aims to achieve a reasonable level of security, but its certification services are provided on a best-effort basis only, where the intended availability is continuous. SiGNET CA will not give any guarantees about the security or suitability of the service and provides no warranties, express or implied, including in respect of security and confidentiality, and of fitness for a particular purpose, for its procedures, repositories, databases and certificates, and will take no responsibility for problems arising from its operation, or for the use made of the certificates it provides; further, IJS, F9 IJS and SiGNET CA accept no liability for or in connection with the certification services and the parties using or relying on them shall hold IJS, F9 department and SiGNET CA free and harmless from liability resulting from such use or reliance; IJS, F9 IJS and SiGNET CA deny any financial or any other kind of responsibilities for damages or impairments resulting from SiGNET CA's operation.

See SiGNET CA CP/CPS for complete information: http://signet-ca.ijs.si/policy/.

Details

(C) 2004 SiGNET CA - Licenced under Creative Commons Licence V 2.0 (http://creativecommons.org/licenses/by/2.0/)