Faculty of Computer Science - University of Indonesia
X509 is a standard certificate format used in Public Key Infrastructure. It contains several informations such as Subject (our identity), Issuer (our Certificate Authority identity), our public key, and of course Certificate Authority’s signature of the certificate. Globus Toolkit security is built on top this public key infrastructure scheme. If a user wants to access the GT service, he/she has to have a trusted certificate.
Before we can access the GT service, we have to create a proxy certificate. This is like a ticket when you want to enter a movie theater while your certificate is like an identity card (KTP). Your proxy certificate is basically an ordinary certificate that signed by you! Since your certificate is signed by the CA and GT trusts the CA, therefore your proxy certificate is also trusted by GT.
To create (sign) a certificate, we have to use our private key so we can create a signature (Signature is an encrypted hash of the certificate). In addition, to tighten the security, we can encrypt our private key using a symmetric encryption such as 3DES. So, if we want to use the private key, we have to enter the password/pass phrase to unlock the private key.
Globus Toolkit doesn’t provide a tool for changing our private key password. But, because GT’s simpleCA is basically just a wrapper of OpenSSL, we can use the OpenSSL tool directly to change the password.
openssl rsa -in userkey.pem -des3 -out userkey.pem.new
Replace the original
userkey.pem with our new
That command will read our private key file (
userkey.pem), unlock it, and write it again into new file (
usekey.pem.new). Since we put the
-des3 option, the newly written private key will be encrypted again. And we can use a different password! This is called changing the password isn’t it?