XSEDE Certificates

As of July 2014, XSEDE uses the InCommon Certificate Service to provide SSL certificates for web and grid-based servers in the *.xsede.org domain. (If your server is in a different domain or you need a certificate for Globus "strict mode", look at Domains Other than xsede.org for possible help.) There are several types of SSL certificates available, described below.

But first, consider whether you even need an XSEDE SSL server certificate. If you are simply transferring data between servers, you can use Globus Connect Multiuser (part of Globus Connect Server), which does not require server certificates. If you need a user certificate rather than a server certificate, use the XSEDE SSO Login Hub.

SSL Certificate Types

XSEDE provides several types of SSL certificates for servers in the *.xsede.org domain. Read the descriptions below to help you decide which type of server certificate you need. Note that for all certificate types, the default is to generate certificates with the SHA-2 algorithm. This is due to vulnerabilities found in the SHA-1 algorithm.

1. InCommon SSL Certificate

The InCommon SSL Certificate is a "standard" SSL server certificate for use with web servers. The certificate secures a single domain (e.g. foo.xsede.org), and can have a lifetime of 1, 2, or 3 years.

2. InCommon Wildcard SSL Certificate

The InCommon Wildcard SSL Certificate is a wildcard certificate for use with web servers. The certificate secures all hosts in a single subdomain level (e.g., *.foo.xsede.org), and can have a lifetime of 1, 2, or 3 years. Note that there are limitations with these wildcard certificates. They cannot be used to secure the base domain (e.g. foo.xsede.org) or deeper level subdomains (e.g. host.bar.foo.xsede.org). If these limitations apply to you, consider the InCommon Multi Domain SSL Certificate instead.

3. InCommon Multi Domain SSL Certificate

The InCommon Multi Domain SSL Certificate is for use with web servers on multiple domains. This is accomplished by specifying additional hostnames in the SubjectAltName (SAN) field of the SSL certificate. Up to 99 additional domains can be specified and secured by a single InCommon Multi Domain SSL Certificate. The certificate can have a lifetime of 1, 2, or 3 years.
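The wildcard limits and the SubjectAltName approach described above can be checked before choosing a certificate type. The following is an added example, not code from XSEDE or InCommon; the function names are hypothetical and the sample hostnames are constructed from the examples on this page.

```python
# Added example: which hostnames a wildcard certificate covers, and how the
# rest would be listed in a Multi Domain (SAN) certificate request.
from __future__ import annotations

MAX_ADDITIONAL_SANS = 99  # limit this page states for Multi Domain certificates


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if a certificate name such as '*.foo.xsede.org' covers hostname.

    The '*' stands for exactly one left-most DNS label, so it matches neither
    the base domain nor names nested more than one level deep.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(pattern: str, hostnames: list[str]) -> list[str]:
    """Hostnames that a certificate issued for `pattern` would NOT secure."""
    return [h for h in hostnames if not wildcard_covers(pattern, h)]


def san_request(hostnames: list[str]) -> tuple[str, list[str]]:
    """Split hostnames into the primary name and the additional SAN entries."""
    # Normalise and de-duplicate while keeping the caller's order.
    names = list(dict.fromkeys(h.lower().rstrip(".") for h in hostnames))
    if not names:
        raise ValueError("no hostnames given")
    primary, additional = names[0], names[1:]
    if len(additional) > MAX_ADDITIONAL_SANS:
        raise ValueError(f"{len(additional)} additional names exceeds {MAX_ADDITIONAL_SANS}")
    return primary, additional


if __name__ == "__main__":
    # Constructed sample hostnames, following the examples used on this page.
    hosts = ["www.foo.xsede.org", "foo.xsede.org", "host.bar.foo.xsede.org"]
    print("not covered by *.foo.xsede.org:", uncovered("*.foo.xsede.org", hosts))
    print("multi-domain request:", san_request(hosts))
```

Any hostname returned by `uncovered` needs either its own certificate or an entry in a Multi Domain certificate's SAN list.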

4. IGTF Server Certificate

The IGTF Server Certificate is used primarily to secure a single server in HPC and grid computing environments. These certificates have a lifetime of 1 year. While these certificates can be used for web servers, their primary purpose is securing IGTF grid servers (e.g., GridFTP, GSISSH, GRAM, UNICORE). These certificates do not support wildcards or multiple domains.

5. IGTF Multi Domain Certificate

The IGTF Multi Domain Certificate is new for 2016. It is similar to the IGTF Server Certificate, but it allows for multiple domains by specifying additional hostnames in the SubjectAltName (SAN) field of the SSL certificate. Up to 99 additional domains can be specified and secured by a single IGTF Multi Domain Certificate. The certificate has a lifetime of 1 year.

Summary

CERTIFICATE TYPE                    AUDIENCE            NUMBER OF HOSTS           MAX LIFETIME
InCommon SSL Certificate            Web Server          1                         3 Years
InCommon Wildcard SSL Certificate   Web Server          Any (1 subdomain only)    3 Years
InCommon Multi Domain SSL Cert      Web Server          Up to 100                 3 Years
IGTF Server Certificate             HPC / Grid Server   1                         1 Year
IGTF Multi Domain Certificate       HPC / Grid Server   Up to 100                 1 Year

Next Step

Once you have decided on a certificate type for your server, you need to generate a Certificate Signing Request (CSR).

Key Points
Use this only for host certificate requests for the xsede.org domain.
Your local institution, if an InCommon member, should be able to issue IGTF-accredited certificates for your institution's domain.
XSEDE does not issue long-term user certificates.
XSEDE-issued host certificates are for XSEDE Enterprise Services and XSEDE allocated resources.