Who can get an x509 certificate
Every person with a legally binding relationship with the University of Oslo may obtain a certificate, if the reason for requesting one is reasonable. Check in bofh that the person is affiliated to UiO and his/her account is active.
Overview
Since April 2020 we no longer use DigiCert, but Sectigo to request certificates online.
The UiO users can login there through Feide with their own UiO-accounts. The portal also uses Feide to check if the user can request the certificate. The relevant people at USIT are able to give such rights to users. Frank Solem is UiO's administrator in the portal and can be contacted if something gets wrong with the functioning of the portal for UiO users.
In Cerebrum, user administration system at USIT/UiO, it is implemented in the following way. The users, that can request a certificate, receive an entitlement attribute with a special value. At the next export to Feide the user record will contain a new entitlement-attribute with this value. The portal, in turn, checks the presence and the values of entitlements in the user record, and if one of the entitlements contains the needed value -- the user is able to proceed with a certificate request.
In Cerebrum things are implemented in such a way that it is not possible to assign an entitlement to a user. It is only possible to assign an entitlement to a group. Then all users in this group will receive the assigned entitlement in their user records exported to Feide. If the user should not have the entitlement any more -- they should simply be removed from the group.
The detailed documentation about entitlements in Cerebrum (in Norwegian) can be found here.
Groups and entitlements in Cerebrum
For x509 managing purposes three groups were created in Cerebrum and assigned the following entitlements.
Group | Entitlement | Note |
---|---|---|
usit-fi-x509-admins | urn:mace:terena.org:tcs:escience-admin | Entitlement is of no effect right now, but is kept in case it will be used again in the future. |
usit-fi-x509-users | urn:mace:terena.org:tcs:escience-user | Entitlement enables to request eScience/grid certificates in the portal. |
usit-fi-x509-personal-users | urn:mace:terena.org:tcs:personal-user | Entitlement enables to request common personal certificates in the portal. |
x509 Admins group
usit-fi-x509-admins is the group for the administrators, that can enable users to request a certificate through the portal. The group is moderated by the department and group leaders in RC Department of USIT. The leaders in that department can add and remove users from the x509 admins group, thus giving/revoking from other users x509 admin rights.
The Local-IT group of USIT also possesses the administrative rights for this group. They should be contacted in case there are technical problems with the group. The Local-IT group can't decide and act on granting/revocation of x509 admin rights, only RC Department leaders can.
NB! RC Department leaders are not by default x509 admins! Only users from usit-fi-x509-admins group are x509 admins. If a RC-leader wants to be a x509 admin themself, they should add themselves to the x509 admin group.
x509 Users groups
usit-fi-x509-users and usit-fi-x509-personal-users are the groups for the users that have a right to request a certificate in the portal (eScience/grid and common personal certificates respectively). Members of usit-fi-x509-admins group can add or remove user to/from these groups, thus enabling them to request the certificate or revoking that right from them.
NB! There is absolutely no difference between the functionality of these two entitlements. Both give the user right to log in and request either Grid or usual certificate. The groups and entitlements are separated just for purposes of clarity and possible statistics/accounting.
Managing x509 admin rights
If you are one of the leaders in the RC Department, and want to delegate a UiO user x509 admin rights, just add the primary account of that user to usit-fi-x509-admins group. Execute in bofh:
jbofh> group add olenord usit-fi-x509-admins OK, added olenord to usit-fi-x509-admins
To revoke x509 admin rights from the UiO user, just remove their account from the group.
jbofh> group remove olenord usit-fi-x509-admins OK, removed 'olenord' from 'usit-fi-x509-admins'
It is needed to wait until the next user export to Feide for the changes to take effect. Usually the changes are applied within 1 hour.
Managing x509 user rights
If you are a x509 admin and want to grant the user the right to request a certificate, just add the primary account of that user to the user group. If the user needs to use grid services and thus needs eScience certificate -- use usit-fi-x509-users group. If the user instead needs a common personal certificate for digital signing/mail encryption/etc. -- use usit-fi-x509-personal-users Execute in bofh:
jbofh> group add olenord usit-fi-x509-users OK, added olenord to usit-fi-x509-users
To revoke the certificate request rights, just remove the user account from the group.
jbofh> group remove olenord usit-fi-x509-users OK, removed 'olenord' from 'usit-fi-x509-users'
It is needed to wait until the next user export to Feide for the changes to take effect. Usually the changes are applied within 1 hour.