Install the DataONE client side certificate

In addition to acting as servers in the DataONE infrastructure, Member Nodes also act as clients, initiating connections to other Nodes. When connecting to other Nodes, Member Nodes authenticate themselves in a process called client side authentication, in which a client side certificate is provided to the server.

Obtain the client side certificate

Client side certificates for MNs are issued by the DataONE CA. MNs go through a testing phase before being registered in the DataONE production environment used by the public, so DataONE will first issue a test certificate to your node. The test certificate is valid only in DataONE’s test environments. When the MN is ready to join the production environment, DataONE will issue a production certificate for your node. The certificates are valid for several years and are linked to your MN via their DNs.

To obtain a client side certificate for testing:

  1. Work with DataONE to determine a Node ID for your node, in the form urn:node:NODEID.

  2. Create an account on the DataONE Registration page.

  3. Notify DataONE by sending an email to support@dataone.org. In the email, state that you are requesting a client side certificate for a new MN and include the agreed upon Node ID, in the form urn:node:NODEID.

  4. DataONE will create the certificate for you and notify you of its creation with a reply to your email.

  5. Follow the link provided in the email, and sign in using the account created or used in step 2, above.

Warning

Anyone who has the private key can act as your Node in the DataONE infrastructure. Keep the private key safe. Set it to be readable only by root and follow best practices for security to keep root from being compromised. If your private key becomes compromised, please inform DataONE so that the certificate can be revoked and a new one generated.

Install the client side certificate

When the signed client side certificate has been received from DataONE, move it and its private key to the /var/local/dataone/certs/client folder.

Rename the files to client_cert.pem and client_key.pem.

Remove the password from the key:

$ cd /var/local/dataone/certs/client
$ sudo openssl rsa -in client_key.pem -out client_key_nopassword.pem
$ sudo chown root:root client_key.pem client_key_nopassword.pem
$ sudo chmod 400 client_key.pem client_key_nopassword.pem

Other names and/or directories may be used. If so, update CLIENT_CERT_PATH and CLIENT_CERT_PRIVATE_KEY_PATH in the GMN settings.py file to the new paths.
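Before GMN is pointed at the installed files, the result of the steps above can be checked. The following script is an added example, not part of the GMN documentation; it assumes the openssl command-line tool is available and that the key file passed in is the one GMN is configured to use. It confirms that the key loads without a passphrase, that it belongs to the certificate, that the certificate has not expired, that the key is owned by root with mode 400, and it prints the subject DN so it can be compared with the agreed Node ID.

```shell
#!/bin/sh
# Added example, not part of the GMN documentation. Sanity-checks an installed
# DataONE client certificate and private key before GMN is pointed at them.
# Assumes the openssl command-line tool is available.
#
# usage: check_client_cert CERT_PEM KEY_PEM [EXPECTED_OWNER]
# Prints one line per failed check; returns the number of failures (0 = all good).
check_client_cert() {
    cert=$1; key=$2; owner=${3:-root}; fails=0

    # The key must load with an empty passphrase: GMN opens it unattended, so a
    # key that still carries its password (or is not a key at all) fails here.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null || true)
    if [ -z "$key_pub" ]; then
        echo "FAIL: $key is still password-protected or is not a valid private key"
        fails=$((fails + 1))
    fi

    # The certificate's public key must belong to this private key; a mismatch
    # (e.g. a test-environment key left next to the production cert) breaks TLS.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match $key"
        fails=$((fails + 1))
    fi

    # Not yet expired (certs are issued for several years, but they do run out).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or unreadable"
        fails=$((fails + 1))
    fi

    # Anyone holding the key can act as the Node: require owner root, mode 0400.
    # stat syntax differs between GNU coreutils and BSD/macOS, so try both.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null || true)
    kowner=$(stat -c %U "$key" 2>/dev/null || stat -f %Su "$key" 2>/dev/null || true)
    if [ "$mode" != "400" ] || [ "$kowner" != "$owner" ]; then
        echo "FAIL: $key is owned by '$kowner' with mode $mode; expected $owner, mode 400"
        fails=$((fails + 1))
    fi

    # The DN is what links the certificate to the Member Node; print it so the
    # operator can compare it with the agreed Node ID (urn:node:NODEID).
    openssl x509 -in "$cert" -noout -subject 2>/dev/null || true
    return $fails
}
```

Run it as root against the certificate and key paths configured in settings.py, e.g. `check_client_cert /var/local/dataone/certs/client/client_cert.pem /var/local/dataone/certs/client/client_key_nopassword.pem`; an exit status of 0 means every check passed.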