GridShib Certificate Registry

The GridShib Certificate Registry is a persistent registry of X.509 certificates. The Certificate Registry is protected by the same local authentication service as the Shibboleth SSO service. Grid users authenticate and register their X.509 end-entity certificates with the Registry, which binds the user's principal name to the certificate. Later, when a Shibboleth Attribute Authority responds to a query from a GridSP, the AA uses this binding to map the Subject DN to a principal name.

To register a certificate, a Grid user either uploads a file (PEM format) or copies and pastes a base64-encoded certificate string into a textarea. (See the attached user interface.) Any number of certificates may be registered in this way, and the user may unregister a certificate at any time.

Since an X.509 certificate has a predetermined lifetime, the Registry can be purged of expired certificates periodically. In addition, when the AA attempts to map a DN to a principal name, the GridShib Name Mapper checks the certificate's validity period and removes the certificate from the Registry if it has expired, so an expired certificate is never mapped to a principal.
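The binding and expiry behaviour described above, as an added example that is not the GridShib project's own code. It assumes the Subject DN and notAfter date have already been extracted from the uploaded PEM certificate (a real deployment would do that with an X.509 library); the `EndEntityCert` record, the class and method names, and the clock injection are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class EndEntityCert:
    """The two fields the registry needs from a parsed X.509 certificate
    (constructed here; a deployment would read them from the uploaded PEM)."""
    subject_dn: str
    not_after: datetime

class CertificateRegistry:
    """Binds an authenticated principal to the Subject DNs of its registered certs."""

    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self._now = now            # injectable clock, so expiry is testable
        self._by_dn = {}           # subject DN -> (principal, cert)

    def register(self, principal, cert):
        # 'principal' comes from the local SSO login, never from the upload.
        if cert.not_after <= self._now():
            raise ValueError("certificate has already expired")
        bound = self._by_dn.get(cert.subject_dn)
        if bound is not None and bound[0] != principal:
            raise ValueError("subject DN is already bound to another user")
        self._by_dn[cert.subject_dn] = (principal, cert)  # a renewal replaces

    def unregister(self, principal, subject_dn):
        bound = self._by_dn.get(subject_dn)
        if bound is None or bound[0] != principal:
            return False           # only the owner may remove a binding
        del self._by_dn[subject_dn]
        return True

    def map_dn(self, subject_dn):
        """Name Mapper path: DN -> principal, or None; expired bindings are dropped."""
        bound = self._by_dn.get(subject_dn)
        if bound is None:
            return None
        principal, cert = bound
        if cert.not_after <= self._now():
            del self._by_dn[subject_dn]   # removed on lookup, never served
            return None
        return principal

    def purge_expired(self):
        now = self._now()
        stale = [dn for dn, (_, c) in self._by_dn.items() if c.not_after <= now]
        for dn in stale:
            del self._by_dn[dn]
        return len(stale)          # periodic sweep: number of bindings dropped
```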

Note: Currently, the Certificate Registry is distributed with GridShibForShibboleth.
