Joel Schneider wrote:
For its certificate authority (CA), our institution is using Microsoft
Certificate Services (MSCS) in its production environment.  Our
intention is to use this CA to issue certificates for use with Globus.

Microsoft Certificate Services uses "Certificate Templates" to define
the attributes for certificate types.  Below is a link to an article
about Windows 2000 Certificate Services (hopefully still relevant) which
covers the topic of Certificate Templates:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dscj_mcs_gfrr.mspx

Some additional information ...

Here's a document which, among other things, describes steps for using
MMC to create a new Certificate Template for Microsoft Certificate
Services.

http://www.carillon.ca/library/ms_testca_howto_1.0.pdf

On page 21, it lists steps such as these:

- Open the Certificate Templates plug-in from the MMC
- Right-click on (existing) template and select 'Duplicate'
- Rename the duplicate
- Under the General Tab ... select validity period
- Under the Extensions Tab ... configure key usage (Digital
  Signature, etc.)
- Import the new Template into the Certificate Authority

Another document describes the extensions used by the EUROGRID
Certification Authority for end entity certificates.

http://www.eurogrid.org/ca/eurogrid-ca-policy.pdf

On page 7, it describes the EUROGRID end entity certificate extensions
as follows:

- basicConstraints is set to CA:FALSE for all end entities
  (this is as before)
- keyUsage is set to keyAgreement, dataEncipherment,
  keyEncipherment, and digitalSignature for all end
  entities.
- extendedKeyUsage is set to serverAuth and clientAuth for
  all entities, with codeSigning, emailProtection, and
  timeStamping also being provided in User certificates.

The EUROGRID profile appears compatible with the OGF Grid Certificate
Profile (http://www.ogf.org/documents/GFD.125.pdf).

The "Web Server" certificate (issued by Microsoft Certificate Services)
which I had been using as a client-side user certificate with Java WS
Core 4.0.5, is missing several of the extensions mentioned by the
EUROGRID profile, including keyAgreement, clientAuth, codeSigning,
emailProtection, and timeStamping.

At this time, I plan to work with our sysadmins to add a Certificate
Template to our Microsoft Certificate Services system which essentially
mimics the EUROGRID profile.  Re-issuing the user certificate using the
new template will hopefully solve our connectivity problem with 4.0.7.

Best regards,
Joel
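
Added example, not part of the original message: a Python check that compares the extensions printed by `openssl x509 -noout -text` against the EUROGRID end-entity user profile quoted above. The sample text is constructed for a hypothetical certificate issued from a "Web Server" template, and the function names are illustrative.

```python
import re

# EUROGRID end-entity (user) profile from the message, written with the
# display names OpenSSL prints for each keyUsage / extendedKeyUsage value.
PROFILE = {
    "X509v3 Basic Constraints": {"CA:FALSE"},
    "X509v3 Key Usage": {"Digital Signature", "Key Encipherment",
                         "Data Encipherment", "Key Agreement"},
    "X509v3 Extended Key Usage": {
        "TLS Web Server Authentication", "TLS Web Client Authentication",
        "Code Signing", "E-mail Protection", "Time Stamping"},
}

# Constructed sample: extension part of `openssl x509 -noout -text` output
# for a hypothetical certificate issued from a "Web Server" template.
SAMPLE_WEB_SERVER = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

def parse_extensions(text):
    """Map each 'X509v3 <name>' header to the set of values on the next line."""
    found = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*(X509v3 [^:]+):", line)
        if m and m.group(1) != "X509v3 extensions" and i + 1 < len(lines):
            found[m.group(1)] = {v.strip() for v in lines[i + 1].split(",") if v.strip()}
    return found

def missing_from_profile(text, profile=PROFILE):
    """Return {extension: sorted values the profile requires but the cert lacks}."""
    present = parse_extensions(text)
    gaps = {}
    for ext, required in profile.items():
        lacking = required - present.get(ext, set())
        if lacking:
            gaps[ext] = sorted(lacking)
    return gaps

if __name__ == "__main__":
    for ext, values in missing_from_profile(SAMPLE_WEB_SERVER).items():
        print(f"{ext}: missing {', '.join(values)}")
```

Running the same check on a certificate re-issued from the new template should report no gaps if the template matches the profile.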
