Taking the time to read up on the GridShib CA and MyProxy CA was very useful. They and phpki ultimately are all backed by an openssl configuration, so in a sense are compatible with each other. The decision to use one over the other seems to mainly be about where one stores a cert and how one can retrieve it. The GridShib CA has a great way of creating certs that are truly private (client-based key), so I'm guessing there is not a key store in GridShib CA. MyProxy CA would seem to have a keystore since it's backed by SimpleCA. This makes it like phpki except that the interface is command-line versus web.
IMPORTANT SimpleCA Storage LOCATIONS
The private key of the CA is stored in /root/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /root/.globus/simpleCA//cacert.pem
The distribution package built for this CA is stored in
This file must be distributed to any host wishing to request
certificates from this CA.
Need a server cert that has no password. Commands are:
(1) change directory into the grid-security directory: cd /etc/grid-security
(2) Generate the server key (with password): openssl genrsa -des3 -out server.key 1024
(3) Strip the password from the key (server.pem is the unencrypted private key): openssl rsa -in server.key -out server.pem
(4) Create a CSR (Certificate Signing Request) to affirm that the server key is valid. server.pem is used in place of server.key as we don't require a password:
openssl req -new -key server.pem -out server.csr
The information you are about to be asked to enter will be incorporated into your certificate request as the Distinguished Name (DN) of the signed cert. [ If you enter '.', the field will be left blank ]
Some of the PHP debug functions like debug_print_backtrace are only supported in PHP 5, which is not the PHP version in our current configuration. However, some other debug functions like debug_backtrace, error_log etc. are supported in PHP 4.3.0 and above, and these functions work with the present configuration of PHP and the Apache server.
Check out the uabgridca project from metric. It's best to check this out
into your local web development space (e.g. public_html) in order to run
cvs co uabgridca
Set up symbolic links to reflect a post-setup configured environment:
Create a user account system to define usernames. uabgridca leverages
web server authentication and the REMOTE_USER environment to identify
users and create certificates. Users cannot enter their own values for
key certificate fields.
htpasswd -s phpkipasswd
Secure the CA for the developer user. Note: this is not "secure". It
This error is a vague message that indicates that the attempt to create a
certificate for a signing request is for a DN that already exists in the
CA's list of issued certificates, i.e. it has been signed before.
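As an added illustration (not the uabgridca project's own code), the Python sketch below shows the two points above: the subject DN is derived only from the web server's REMOTE_USER, so the user cannot set key certificate fields, and the CA's index.txt database is checked for an already-signed DN before a request is accepted, which is the condition behind the "already exists" error. The /O=Grid/OU=uabgrid base DN and the index.txt rows are constructed sample values.

```python
import re

# Constructed sample of an OpenSSL CA database (index.txt). Tab-separated:
# status (V/R/E)  expiry (YYMMDDHHMMSSZ)  revocation-date  serial  filename  subject-DN
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/O=Grid/OU=uabgrid/CN=alice\n"
    "R\t300101000000Z\t240501120000Z\t02\tunknown\t/O=Grid/OU=uabgrid/CN=bob\n"
    "E\t200101000000Z\t\t03\tunknown\t/O=Grid/OU=uabgrid/CN=carol\n"
)

BASE_DN = "/O=Grid/OU=uabgrid"  # hypothetical CA-specific prefix, fixed by the CA


def dn_for_remote_user(environ):
    """Derive the subject DN solely from the web server's REMOTE_USER.
    Every field is fixed by the CA; the username is validated so a crafted
    value cannot smuggle extra RDNs (e.g. '/CN=admin') into the DN."""
    user = environ.get("REMOTE_USER", "")
    if not re.fullmatch(r"[a-z][a-z0-9._-]{0,31}", user):
        raise ValueError("REMOTE_USER missing or malformed")
    return f"{BASE_DN}/CN={user}"


def parse_index(text):
    """Parse index.txt rows into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rows.append({"status": status, "expiry": expiry, "revoked": revoked,
                     "serial": serial, "subject": subject})
    return rows


def existing_valid_cert(index_rows, subject):
    """Return the serial of a still-valid ('V') cert for this subject, else None.
    Revoked ('R') and expired ('E') entries do not block a new request, which
    matches how 'openssl ca' applies its unique_subject check."""
    for row in index_rows:
        if row["subject"] == subject and row["status"] == "V":
            return row["serial"]
    return None


def can_issue(environ, index_text):
    """Decide whether a request from this authenticated user may be signed."""
    subject = dn_for_remote_user(environ)
    serial = existing_valid_cert(parse_index(index_text), subject)
    if serial is not None:
        return (False, f"DN {subject} already signed (serial {serial}); revoke first")
    return (True, subject)
```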
OK, there is a simple CA on the web which looks to be a tcl wrapper with
a tk gui around the openssl functions. simpleca is also used with globus
(and now distributed with it in v3.2+). This seems to simply be a
collection of simplified command line tools for openssl (may be the same
simple CA that has the tk interface). In any case, these are not tools for
providing a web interface.
There seem to be two projects, http://openca.org and
http://phpki.sourceforge.net . openca definitely looks more complete, but
it may be overkill for now and have certain operational assumptions that
OpenCA is now Running. It will still take some time to integrate it with our Grid infrastructure.