DutchGrid CA Rekey Information

Notice
Renewal is only applicable for medium-security certificates. If you have lost your private key, or if your certificate has since expired, you will need to re-apply via the regular Request form to generate a new request and registration form. Alternatively, you can request a new personal certificate using the jGridstart certificate management tool, or download the application forms for users or for hosts and servers here if needed. Please fill them in completely and bring them to your RA.


You can request routine rekeying of your medium-security DutchGrid certification via the integrated certificate management tool jGridstart or by signed electronic mail. This e-mail must then contain a new certificate request, with the same subject name as the previous certificate but with a new key pair. Renewing your certification using the old key pair is not possible under the medium-security policy. The e-mail must be digitally signed by your "old" private key and be in the S/MIME format. Your old certificate should NOT yet have expired!

Alternatively, to generate the signed e-mail for host and server certificates, you can use the dca-rekey-pack.sh shell script. This script requires the presence of an OpenSSL executable for your platform, and a basic set of file utilities (sed, rm, date, hostname, a Bourne shell compatible sh and a SysV compatible echo). You will have to mail the text to the CA using your own favourite mail client.

Important: you have to manually send or upload your renewal request. This is not done automatically! Once you have submitted your request, you will receive an automatic confirmation email within a few minutes. If you did not get this email, please send or submit your renewal request again.

The syntax is then (almost) trivial:

  dca-rekey-pack.sh [-d targetdir] 
        [-o prefix] [-b bits] [-k oldkeyfile] oldcert

  -d targetdir        directory where all new files will end-up
                      (default: .)
  -o prefix           string to use as a prefix for all generated files
                      (default: "new")
  -b bits             number of bits for key pair
                      (default: 2048)
  -k oldkeyfile       filename of existing private key file in PEM format
                      (default: same name as certfile, with "cert"->"key")
  
  oldcert             filename of existing certificate in PEM format

So, if you want to renew your existing Globus certification, try the following commands:

  dca-rekey-pack.sh -d .globus .globus/usercert.pem
  (or for the old script renewcert-dutchgrid.sh -d .globus .globus/usercert.pem)

  lots of blah-blah and passphrase typing
  *** use to following command to mail it, but do not modify the
  *** contents of the e-mail!

  You have successfully generated your renewal (rekeying) request.
  The renewal (rekeying) request is stored in the file 2007//newrekeypack.txt,
  and you must now do either of the following:
  - send file .globus/newrekeypack.txt by e-mail to ca@dutchgrid.nl, preferably
    IN-LINE and not as an attachment (use copy-paste please)
  - upload the file .globus/newrekeypack.txt using the renewal web interface at

    http://ra.dutchgrid.nl/ra/public/submit

  Your rekey request will be sent to your RA for acknowledgement,
  so please be patient while your RA processes your request.

     Thank you for using the DutchGrid CA Service.

Note that if you don't have sendmail, you could try using the "mail" program instead, but the web interface is more user-friendly.

Wait for the certificate to come back by e-mail, and save the mail as .globus/newcert.pem. Now it's time to exchange your "old" set of keys for the new ones in one go:

  cd $HOME/.globus
  mv usercert.pem old_usercert.pem
  mv userkey.pem old_userkey.pem
  mv newkey.pem userkey.pem
  mv newcert.pem usercert.pem

and to renew your proxy if needed.
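
Before exchanging the files, it is worth confirming that the saved newcert.pem really is the rekeyed certificate: same subject name as the old one, matching newkey.pem, and not reusing the old key pair. The shell functions below are an added example, not part of dca-rekey-pack.sh or any DutchGrid CA tooling; the function names are made up for this illustration. They assume the file names used above and an OpenSSL that provides the x509 and pkey commands.

```shell
#!/bin/sh
# Added example: verify a rekeyed credential before swapping it in.
# Assumed layout (file names from this page), all inside one directory:
#   usercert.pem / userkey.pem  = old pair,  newcert.pem / newkey.pem = new pair

subject_of()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
# Prompts for the passphrase when the private key is encrypted.
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# Returns 0 only if newcert.pem is a usable rekey of usercert.pem.
check_rekey() {
    dir=$1
    [ -s "$dir/newcert.pem" ] && [ -s "$dir/newkey.pem" ] ||
        { echo "newcert.pem or newkey.pem is missing" >&2; return 5; }
    # The rekeyed certificate must carry the same subject name as the old one.
    [ "$(subject_of "$dir/newcert.pem")" = "$(subject_of "$dir/usercert.pem")" ] ||
        { echo "subject differs from the old certificate" >&2; return 1; }
    # The certificate must certify the public half of newkey.pem.
    [ "$(cert_pubkey "$dir/newcert.pem")" = "$(key_pubkey "$dir/newkey.pem")" ] ||
        { echo "newcert.pem does not match newkey.pem" >&2; return 2; }
    # Rekeying means a new key pair; reuse of the old key is not allowed.
    [ "$(cert_pubkey "$dir/newcert.pem")" != "$(cert_pubkey "$dir/usercert.pem")" ] ||
        { echo "new certificate reuses the old key pair" >&2; return 3; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$dir/newcert.pem" -noout -checkend 0 >/dev/null ||
        { echo "newcert.pem has already expired" >&2; return 4; }
}

# Performs the exchange shown above, but only after the checks pass.
# The old files are kept as old_usercert.pem and old_userkey.pem.
swap_rekeyed() {
    dir=$1
    check_rekey "$dir" || return $?
    ( cd "$dir" &&
      mv usercert.pem old_usercert.pem &&
      mv userkey.pem old_userkey.pem &&
      mv newkey.pem userkey.pem &&
      mv newcert.pem usercert.pem &&
      chmod 600 userkey.pem )   # keep the private key owner-only
}
```

After saving the mail as newcert.pem, call `swap_rekeyed "$HOME/.globus"`; a non-zero return status means nothing was moved.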

Please note that DutchDemo certificates are not eligible for rekeying.