How to request a SWITCHpki Grid Server certificate
This is an overview of the steps required to obtain a server certificate issued by QuoVadis, the recommended provider for SWITCHpki Grid certificates as of June 2009. The root certificates from QuoVadis are widely distributed and preinstalled in many operating systems and browsers.
Please note that any questions or problems related to the issuance of a certificate must be addressed to pki@switch.ch.
1. Creating the key pair and the CSR (certificate signing request)
To create the key pair and the CSR, either use the respective option
in your server software, or generate it with a tool of your choice,
such as OpenSSL (available for many operating systems), certreq.exe
(on Windows), keytool (for Java applications) etc. There are only
two mandatory requirements applying to the CSR:
- the CN (commonName) attribute must include a fully qualified domain name
- it must include an RSA key with a size of at least 1024 bits.
2. Submitting the CSR
Submit the CSR through the SWITCHpki Grid server certificate request form. In step 1, paste your CSR into the text box and fill in the information about the technical contact. Finally, click the Check my input button.
The system then validates your input. It may issue warnings, but as long as no major errors are found, step 2 is shown, which asks you to confirm the submission of your request.
Complete the submission of your CSR by clicking the Submit Grid server certificate request button.
2b. First-time submissions only: registering your Trust/Link SSL account
The QuoVadis Trust/Link SSL system assigns an account to every subscriber (i.e., technical contact) who submits a request. Subscriber accounts are identified by their e-mail address, so when you submit a request with a tech contact address not yet known by the system, an account will automatically be created for you. At the same time you receive an e-mail message asking you to set the password for your Trust/Link SSL subscriber account. The URL in that mail expires after two weeks, so we recommend that you set your password at your earliest convenience.
3. Confirmation and verification of your request
After every successful submission of your CSR, you receive a confirmation by e-mail. Your request then needs to be confirmed by one of the SWITCHpki contact persons at your organization (the "certificate approvers"). They will automatically receive a challenge e-mail from QuoVadis, which they have to reply to.
4. Issuance of the certificate
An operator of the SWITCH RA will issue your certificate as soon as the confirmation by an authorized certificate approver of your organisation has been received (usually, this happens within one business day). When the certificate is ready, an e-mail with a URL for retrieving the certificate is sent to the subscriber (technical contact).
5. Installation/configuration of the certificate
To install the certificate, please refer to the documentation of your server software. Note that it may also be necessary to install the intermediate CA certificate QuoVadis Grid ICA. As an example, on a Unix-like system (e.g. Linux) it is recommended to install the host certificate and private key (e.g. in the directory /etc/grid-security/) with the following permissions:
-r-------- 1 root root hostkey.pem
-rw-r--r-- 1 root root hostcert.pem
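One way to apply and verify the permissions listed above, as an added shell example that is not part of the original SWITCH instructions. The function names, the GRID_DIR and EXPECT_UID variables and the symlink check are assumptions of this example; the file names, directory and modes are the ones shown above.

```sh
#!/bin/sh
# Added example, not SWITCH's own tooling. GRID_DIR and EXPECT_UID are
# assumptions; the defaults match the page: /etc/grid-security and root (uid 0).
GRID_DIR="${GRID_DIR:-/etc/grid-security}"
EXPECT_UID="${EXPECT_UID:-0}"

# Helpers: print the 10-character mode string / the numeric owner uid of a path.
mode_of() { ls -ldn "$1" | cut -c1-10; }
uid_of()  { ls -ldn "$1" | awk '{print $3}'; }

# Copy key and certificate into GRID_DIR. Old copies are removed first and the
# umask is restrictive, so the key is never group- or world-readable, not even
# for the moment between the copy and the chmod.
install_grid_creds() {   # usage: install_grid_creds KEYFILE CERTFILE
    (
        umask 077
        rm -f "$GRID_DIR/hostkey.pem" "$GRID_DIR/hostcert.pem" &&
        cp "$1" "$GRID_DIR/hostkey.pem"  && chmod 0400 "$GRID_DIR/hostkey.pem" &&
        cp "$2" "$GRID_DIR/hostcert.pem" && chmod 0644 "$GRID_DIR/hostcert.pem"
    )
}

# Check one path: regular file (symlinks rejected), exact mode, expected owner.
check_file() {           # usage: check_file PATH EXPECTED_MODE
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "FAIL $1: missing or not a regular file"; return 1
    fi
    m=$(mode_of "$1"); u=$(uid_of "$1")
    if [ "$m" != "$2" ]; then
        echo "FAIL $1: mode $m, expected $2"; return 1
    fi
    if [ "$u" != "$EXPECT_UID" ]; then
        echo "FAIL $1: owner uid $u, expected $EXPECT_UID"; return 1
    fi
    echo "OK   $1: $m uid $u"
}

# Audit both files against the listing above; non-zero exit on any deviation.
audit_grid_creds() {
    rc=0
    check_file "$GRID_DIR/hostkey.pem"  "-r--------" || rc=1
    check_file "$GRID_DIR/hostcert.pem" "-rw-r--r--" || rc=1
    return "$rc"
}

# Command-line entry point: "install KEYFILE CERTFILE" or "audit".
case "${1:-}" in
    install) install_grid_creds "$2" "$3" && audit_grid_creds ;;
    audit)   audit_grid_creds ;;
esac
```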
Do not hesitate to contact us at grid@switch.ch should you have any doubts on how to best protect your certificates/private keys.