
DutchGrid worthless DEMO CA Information

The DutchDemo CA has been discontinued; this information is kept for historical and archival purposes only.

This page is pertinent only to the worthless DEMO CA (DutchDemoCA) operated by the DutchGrid and NIKHEF Certification Authorities. This CA was established explicitly for extremely light-weight authentication, for example for demonstration use with machines not normally connected to a network, or for student courses where a more stringent authentication method would induce unacceptable delays.

The policy of the DutchDemoCA is derived from the medium-security CP/CPS, with the exception that no proper authentication is done. For the policy, see this url. This has the side effect that the certificates issued by the "Worthless Demo CA" are largely worthless in a European context. Please make sure a DemoCert is accepted by your favourite resource before applying for such a certificate.
If you want certification in the context of the EU DataGrid project, you must apply for a medium-security certificate.

Target audience: The DutchDemo "worthless" CA is a light-weight authority for use by students on the educational/research DAS-2 Grid infrastructure. It can also be used for tradeshow and demonstrator purposes.
Validity: The DutchGrid "demo" is a worthless certification authority and not trusted anywhere in Europe. It is, however, accepted on the ASCI "DAS-2" system and some personal laptops.
Getting your own: You can use the web-based request form (also available over secure http). Be sure to select demo level certification in the radio button at the bottom of the form. Use your institutional email address, and send the mail from a system within your organisational network to be eligible for certification.
Renewing: Your certificate is valid for 180 days. If you want to renew, you have to send a brand-new email using the script generated by the request form interface.
You will not be warned about an expiring certificate!
Accepting certificates: You should not accept demo certificates in your browser or on your web site.
Using this on the Grid: To accept this CA on your grid resource, you must install the CA's root certificate in the /etc/grid-security/certificates directory. You can do that by installing an RPM, or by downloading the root certificate and a signing policy file.
Do not install the root cert on valuable resources!
Where is my cert?: See the list of all issued certificates.
Is this certificate correct?: This could apply to two different things. First, if you want to check whether an issued certificate has been revoked, you should check the Certificate Revocation List or CRL. You should do that before any reliance on a certificate.
Secondly, there is no independent check of the root cert validity.
Notes and warnings: By requesting a certificate or by incorporating the DutchGrid/NIKHEF CA cert into your authentication scheme, you agree to comply with the policy associated with the use of the DutchGrid/NIKHEF CA. The DutchGrid/NIKHEF CA is run on a best-effort basis only and declines any responsibility for damages, including indirect or consequential damages, arising out of the use of the DutchGrid/NIKHEF CA certificates. The demo policy is detailed here.
Details: Details on the DutchDemo CA (root cert, directory, signing policy and tar-ball)
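
As an added example (not part of the original page or the CA's own tooling), the shell function below audits a trust-anchor directory such as /etc/grid-security/certificates for files named after the DutchDemo CA hash 75304a28, and reports whether the root cert is installed and whether a CRL sits beside it. The `<hash>.<n>` (root cert), `<hash>.r<n>` (CRL) and `<hash>.signing_policy` file names are assumed from the usual Globus/OpenSSL layout.

```shell
#!/bin/sh
# Added example: is the DutchDemo "worthless" CA a trust anchor on this host?
# The hash comes from the page; the file-name layout is an assumption.
DEMO_CA_HASH="75304a28"

# audit_demo_ca DIR -> prints one verdict:
#   absent          no file carries the hash; the CA is not trusted here
#   stale           root cert is gone, but CRL or policy leftovers remain
#   trusted-no-crl  root cert installed, no CRL beside it (revocation unchecked)
#   trusted         root cert and CRL are both installed
audit_demo_ca() {
    dir=$1
    have_root=no; have_crl=no; have_other=no
    for f in "$dir/$DEMO_CA_HASH".*; do
        # An unmatched glob stays literal, so skip names that do not exist.
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            "$DEMO_CA_HASH".[0-9]*)  have_root=yes ;;   # e.g. 75304a28.0
            "$DEMO_CA_HASH".r[0-9]*) have_crl=yes ;;    # e.g. 75304a28.r0
            *)                       have_other=yes ;;  # e.g. .signing_policy
        esac
    done
    if [ "$have_root" = yes ] && [ "$have_crl" = yes ]; then
        echo trusted
    elif [ "$have_root" = yes ]; then
        echo trusted-no-crl
    elif [ "$have_crl" = yes ] || [ "$have_other" = yes ]; then
        echo stale
    else
        echo absent
    fi
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_demo_ca "$1"
fi
```

Any verdict other than `absent` on a resource that matters means the demo CA files should be removed from that directory.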


If you want to apply for a Demo certificate, please follow the guide in the User Help pages, and in the final stage request "Demo" certification.

Worthless DutchDemo CA Information Summary

CA name/hash: DutchDemo worthless CA 75304a28
CA end-user request information: not yet available
CA Globus configuration tar-file: packed tar file
CA issued certificates: in HTML list format
CA certificate: PEM formatted file, RPM package, TAR.GZ package
CA certificateRevocationList: PEM format
CA Policy: policies (current and previous)
Cert Requests: Build-a-Cert web interface. Site specific manuals, see DutchGrid per-organization web site

Worthless DutchDemo CA Policy (CP/CPS)

The following sections of the medium-security CP/CPS do not apply to the Worthless DutchDemo CA:

  • 1.2 (Identification) - the DEMO CA has no OID
  • 1.3.1 (Cert authorities) - the DEMO CA may issue certs automatically
  • (Online repositories) - URLs may be different or non-existent
  • 2.4.2 (Severability...) - the DEMO CA has NO severability etc.
  • 2.7 (Compliance audit) - there shall be no auditing
  • 3.1.4 (Uniqueness of names) - certificates issued by the DEMO CA may be re-certified under the medium-security policy, but not the other way round
  • 3.1.7 (Possession of private key) - no stipulations
  • 3.1.8 (Authentication of organisation identity) - no stipulation
  • 3.1.9 (Authentication of individual identity) - no stipulations
  • 4.1 (Certificate Application) - the maximum life time shall be 180 days
  • 4.5 (Security Audit Procedures) - no stipulation for entire section
  • 4.6 (Records Archival) - no stipulation for entire section
  • 4.8.1 (Computing resources ...) - no stipulations
  • 5.1.1 (Site location ...) - The CA machine can be any desktop at NIKHEF that is capable of reading the ZIP disk with the CA archive and CA private key
  • 5.1.2 (Physical access) - the medium with the CA private data will be in a locked room accessible only by NIKHEF personnel
  • 6.1.1 (Key pair generation) - the system is not disconnected
  • 6.1.5 (Key sizes) - the DEMO CA key is 1024 bits
  • 6.2.4 (Private key backup) - there is no securely controlled environment
  • 6.2.6 (Private key entry...) - the pass phrase is more than 8 characters
  • 6.3.2 - the root certificate will expire on March 2, 2011
  • 6.4.1 (Activation data) - no stipulation
  • 6.5.1 (Specific computer security...) - the CA machine is connected to a network, the key pair is kept on removable media only
All other sections of the Medium-security CP/CPS apply in full to the DutchDemo CP/CPS.