List of issued certs
switch to print layout
DutchGrid worthless DEMO CA Information
|The DutchDemo CA has been discontinued, this information is for historical and archival purposes only|
This page is pertinent only to the worthless DEMO CA (DutchDemoCA)
operated by the DutchGrid and NIKHEF Certification Authorities.
This CA was established explicitly for extremely light-weight
authentication, for example for demonstration use with machines not
normally connected to a network, or for student courses where a
more stringent authentication method would induce unacceptable delays.
The policy of the DutchDemoCA is derived from the medium-security
CP/CPS, with the exception that no proper authentication is
done. For the policy, see this url.
This has the side effect that the certificates issued by the
"Worthless Demo CA" are largely worthless in a European context. Plase
make sure a DemoCert is accepted by your favourite resource
before applying for such a certificate.
If you want certification in the context of the EU DataGrid project,
you must apply for a medium-security certificate.
||The DutchDemo "worthless" CA is a light-weight authority for
use by students on the educational/research DAS-2 Grid
infrastructure. It can also be used for tradeshow and
||The DutchGrid "demo" is a worthless certification authority
and not trusted anywhere in Europe. It is, however, accepted
on the ASCI
"DAS-2" system and
some personal laptops.
|Getting your own
||You can use the
the web-based request form (also available
secure http). Be sure to select demo level certification
in the radiobutton at the bottom of the form. Use your institutional
email address, and send the mail from a system within your
organisational network to be eligible for certification.
||Your certificate is valid for 180 days. If you want to
renew, you have to send a brand-new email using the
script generated by the request form interface.
You will not be warned about an expiring certificate!
||You should not accept demo certificates in your browser or
on your web site.
|Using this on the Grid
||To accept this CA on your grid resource, you must install
the CA's root certificate in the
/etc/grid-security/certificates directory. You can
do that via installing an
RPM, or by downloading the
root certificate and a signing
Do not install the root cert on valuable resources!
|Where is my cert?
||See the list of all issued certificates.
|Is this certificate correct?
||This could apply to two different things. First, if you
want to check whether an issued certificate is not revoked, you
should check the Certificate
Revocation List or CRL. You should do that before
any reliance on a certificate.
Secondly, there is no independent check of the root cert validity.
|Notes and warnings
By requesting a certificate or by incorporating the
DutchGrid/NIKHEF CA cert into your authentication scheme, you
accept to comply with the policy associated with the use of the
DutchGrid/NIKHEF CA. The DutchGrid/NIKHEF CA is run on a
best-effort basis only and declines any responsibility for
damages, including indirect or consequential damages, arising out
of the use of the DutchGrid/NIKHEF CA certificates. The
demo policy is detailed here.
||Details on the DutchDemo CA
(root cert, directory, signing policy and tar-ball)
If you want to apply for a Demo certificate, please follow the
guide in the User Help pages, and
in the final stage request "Demo" certification.
Worthless DutchDemo CA Information Summary
Worthless DutchDemo CA Policy (CP/CPS)
The following section from the medium-security CP/CPS do not
apply for the Worthless DutchDemo CA:
All other section of the Medium-security CP/CPS apply in full to
the DutchDemo CP/CPS.
- 1.2 (Identification) - the DEMO CA has no OID
- 1.3.1 (Cert authorities) - the DEMO CA may issue certs automatically
- 126.96.36.199 (Online repositories) - URLs may be different or non-existant
- 2.4.2 (Severability...) - the DEMO CA has NO severability etc.
- 2.7 (Compliance audit) - there shall be no auditing
- 3.1.4 (Uniqueness of names) - certificates issued by the DEMO CA may
be re-certified under the medium-security policy, but not the
other way round
- 3.1.7 (Possession of private key ) - no stipulations
- 3.1.8 (Authentication of organisation identity) - no stipulation
- 3.1.9 (Authentication of individual identity) - no stipulations
- 4.1 (Certificate Application) - the maximum life time shall be 180 days
- 4.5 (Security Audit Procedures) - no stipulation for entire section
- 4.6 (Records Archival) - no stipulation for entire section
- 4.8.1 (Computing resources ...) - no stipulations
- 5.1.1 (Site location ...) - The CA machine can be any desktop at NIKHEF
that is capable of reading the ZIP disk with the CA archive and
CA private key
- 5.1.2 (Physical access) - the medium with the CA private data will be
in a locked room accessible only by NIKHEF personnel
- 6.1.1 (Key pair generation) - the system is not disconnected
- 6.1.5 (Key sizes) - the DEMO CA key is 1024 bits
- 6.2.4 (Private key backup) - there is no securely controlled environment
- 6.2.6 (Private key entry...) - the pass phrase is more than 8 characters
- 6.3.2 (The root certificate will expire on March 2, 2011
- 6.4.1 (Activation data) - no stipulation
- 6.5.1 (Specific computer security...) - the CA machine is connected to
a network, the key pair is kept on removable media only