XSEDE Certificates
As of July 2014, XSEDE uses the InCommon Certificate Service to provide SSL certificates for web and grid-based servers in the *.xsede.org domain. (If your server is in a different domain or you need a certificate for Globus "strict mode", look at Domains Other than xsede.org for possible help.) There are several types of SSL certificates available, described below.
But first, consider if you even need an XSEDE SSL server certificate. If you are simply transferring data between servers, you can use Globus Connect Multiuser (part of Globus Connect Server) which does not require server certificates. If you need a user certificate rather than a server certificate, use the XSEDE SSO Login Hub.
SSL Certificate Types
XSEDE provides several types of SSL certificates for servers in the *.xsede.org domain. Read the descriptions below to help you decide which type of server certificate you need. Note that for all certificate types, the default is to generate certificates with the SHA-2 algorithm. This is due to vulnerabilities found in the SHA-1 algorithm.
1. InCommon SSL Certificate
The InCommon SSL Certificate is a "standard" SSL server certificate for use with web servers. The certificate secures a single domain (e.g. foo.xsede.org), and can have a lifetime of 1 or 2 years.
2. InCommon Wildcard SSL Certificate
The InCommon Wildcard SSL Certificate is a wildcard certificate for use with web servers. The certificate secures all hosts in a single subdomain level (e.g., *.foo.xsede.org), and can have a lifetime of 1 or 2 years. Note that there are limitations with these wildcard certificates. They cannot be used to secure the base domain (e.g. foo.xsede.org) or deeper level subdomains (e.g. host.bar.foo.xsede.org). If these limitations apply to you, consider the InCommon Multi Domain SSL Certificate instead.
3. InCommon Multi Domain SSL Certificate
The InCommon Multi Domain SSL Certificate is for use with web servers on multiple domains. This is accomplished by specifying additional hostnames in the SubjectAltName (SAN) field of the SSL certificate. Up to 99 additional domains can be specified and secured by a single InCommon Multi Domain SSL Certificate. The certificate can have a lifetime of 1 or 2 years.
4. IGTF Server Certificate
XSEDE can issue IGTF certificates for hosts in XSEDE owned domains, *.xsede.org.. See Certificate Signing Page for information on generating a Certificate Signing Request (CSR).
The IGTF Server Certificate is used primarily to secure a single server in HPC and grid computing environments. These certificates have a lifetime of 13 months. While these certificates can be used for web servers, their primary purpose is securing IGTF grid servers (e.g., GridFTP, GSISSH, GRAM, UNICORE). These certificates do not support wildcards or multiple domains.
5. IGTF Multi Domain Certificate
The IGTF Multi Domain Certificate is new for 2016. It is similar to the IGTF Server Certificate, but it allows for multiple domains by specifying additional hostnames in the SubjectAltName (SAN) field of the SSL certificate. Up to 99 additional domains can be specified and secured by a single IGTF Multi Domain Certificate. The certificate has a lifetime of 13 months.
Summary
| CERTIFICATE TYPE | AUDIENCE | NUMBER OF HOSTS | MAX LIFETIME |
|---|---|---|---|
| InCommon SSL Certificate | Web Server | 1 | 2 Years |
| InCommon Wildcard SSL Certificate | Web Server | Any (1 subdomain only) | 2 Years |
| InCommon Multi Domain SSL Cert | Web Server | Up to 100 | 2 Years |
| ITGF Server Certificate | HPC / Grid Server | 1 | 13 Months |
| ITGF Multi Domain Certificate | HPC / Grid Server | Up to 100 | 13 Months |
Next Step
Once you have decided on a certificate type for your server, you need to generate a Certificate Signing Request (CSR).