Security/ProxyFileFormat
From Globus
The Globus Toolkit expects files containing proxy credentials to be of the following format: PEM-encoded proxy certificate, followed by PEM-encoded private key, followed by one or more PEM-encoded certificates that form a chain from the proxy certificate to an end-entity certificate.
The PEM encoding is the base64 encoding of the DER-encoded object (the certificate, or the PKCS#1 RSAPrivateKey for the private key), with additional header and footer lines.
The order of the PEM blocks in the file is significant. The proxy certificate must be first, followed by the corresponding private key, followed by the certificate chain starting from the next proxy and ending with the end entity certificate.
For example:
-----BEGIN CERTIFICATE----- MIICcDCCAhqgAwIBAgIEU6SeXjANBgkqhkiG9w0BAQQFADCBojENMAsGA1UEChME R3JpZDETMBEGA1UECxMKR2xvYnVzVGVzdDEmMCQGA1UECxMdc2ltcGxlQ0EtY2Fu dmFzLm5jc2EudWl1Yy5lZHUxFjAUBgNVBAsTDW5jc2EudWl1Yy5lZHUxEzARBgNV BAMTCkppbSBCYXNuZXkxEzARBgNVBAMTCjE3OTQxODMyNTgxEjAQBgNVBAMTCTYw OTUyMTIwNDAeFw0wODAzMTgxNDMwNTZaFw0wODAzMTgxNTM1NTJaMIG3MQ0wCwYD VQQKEwRHcmlkMRMwEQYDVQQLEwpHbG9idXNUZXN0MSYwJAYDVQQLEx1zaW1wbGVD QS1jYW52YXMubmNzYS51aXVjLmVkdTEWMBQGA1UECxMNbmNzYS51aXVjLmVkdTET MBEGA1UEAxMKSmltIEJhc25leTETMBEGA1UEAxMKMTc5NDE4MzI1ODESMBAGA1UE AxMJNjA5NTIxMjA0MRMwEQYDVQQDEwoxNDAzMjk3Mzc0MFwwDQYJKoZIhvcNAQEB BQADSwAwSAJBAMc0n9W1E1KjK6saavXXZ/QhLjJ/TK40uW29l/wduSrHWCu1e5Kr 6r0Oi/4KEjhk8+sgH7b0uqlNdSGZUDXdui0CAwEAAaMhMB8wHQYIKwYBBQUHAQ4B Af8EDjAMMAoGCCsGAQUFBxUBMA0GCSqGSIb3DQEBBAUAA0EAYc1tdyGciLL8Jx7R uuBJM5mWXFAVx09nTPc5tI0ohKRpFYO8Y8gJf9tBa2K8L1EJVqDquSfV+HMAsCaJ BGcj2w== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIBOQIBAAJBAMc0n9W1E1KjK6saavXXZ/QhLjJ/TK40uW29l/wduSrHWCu1e5Kr 6r0Oi/4KEjhk8+sgH7b0uqlNdSGZUDXdui0CAwEAAQJAVRr/ek7tHW4GtwgHUFah 2+PdF8fZG8f8vIy2hQix1jspIMC542bylMgtdNQaHX0dWYUhaI5QKc6UXPYZddIV IQIhAOxVW8PKZEPYNpPT3rTk78Nm3jygQGbQQ9rlBtAJZeO1AiEA18hTfqLiwc4G QlfjrGG4EslNY8zW08viAHYri2lR95kCIHMXrrTO371aklmzmIWn6EvU0O3dbP+k 9Sao2oR9zyzxAiATN+9fzwgdNMlP7V4Ew2tOmQlAg0T69iS538x/DTFUuQIgSa6K GFZSjk6aA3Q7nD0y9WaamfIzalSKppElFbEk0Mc= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICRzCCAfGgAwIBAgIEJFSONDANBgkqhkiG9w0BAQQFADCBjjENMAsGA1UEChME R3JpZDETMBEGA1UECxMKR2xvYnVzVGVzdDEmMCQGA1UECxMdc2ltcGxlQ0EtY2Fu dmFzLm5jc2EudWl1Yy5lZHUxFjAUBgNVBAsTDW5jc2EudWl1Yy5lZHUxEzARBgNV BAMTCkppbSBCYXNuZXkxEzARBgNVBAMTCjE3OTQxODMyNTgwHhcNMDgwMzE4MTQz MDU1WhcNMDgwMzE4MTUzNTUyWjCBojENMAsGA1UEChMER3JpZDETMBEGA1UECxMK R2xvYnVzVGVzdDEmMCQGA1UECxMdc2ltcGxlQ0EtY2FudmFzLm5jc2EudWl1Yy5l ZHUxFjAUBgNVBAsTDW5jc2EudWl1Yy5lZHUxEzARBgNVBAMTCkppbSBCYXNuZXkx EzARBgNVBAMTCjE3OTQxODMyNTgxEjAQBgNVBAMTCTYwOTUyMTIwNDBcMA0GCSqG 
SIb3DQEBAQUAA0sAMEgCQQDEOBR2jLXIq5Exfe50eJ+1EibZqs1RMB1phqbWY4Hf AgdqzDU2EpOgMzxmto1Eq2YfJiqAnTEqKGzhhR5DYKUdAgMBAAGjITAfMB0GCCsG AQUFBwEOAQH/BA4wDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQQFAANBACBexIL+ TVyu0Bh0UUM89HhfYlNc+nxg7BRon6U2WTPKOo53Nllj+lV8EeqmFf12+zD68IKZ 8nG1HMR0OFkl5rw= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICXjCCAcegAwIBAgIEavEQWjANBgkqhkiG9w0BAQQFADB5MQ0wCwYDVQQKEwRH cmlkMRMwEQYDVQQLEwpHbG9idXNUZXN0MSYwJAYDVQQLEx1zaW1wbGVDQS1jYW52 YXMubmNzYS51aXVjLmVkdTEWMBQGA1UECxMNbmNzYS51aXVjLmVkdTETMBEGA1UE AxMKSmltIEJhc25leTAeFw0wODAzMTgxNDMwNTJaFw0wODAzMTgxNTM1NTJaMIGO MQ0wCwYDVQQKEwRHcmlkMRMwEQYDVQQLEwpHbG9idXNUZXN0MSYwJAYDVQQLEx1z aW1wbGVDQS1jYW52YXMubmNzYS51aXVjLmVkdTEWMBQGA1UECxMNbmNzYS51aXVj LmVkdTETMBEGA1UEAxMKSmltIEJhc25leTETMBEGA1UEAxMKMTc5NDE4MzI1ODBc MA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDA6ypSLoaTzE5K0agRfGOriDboI92RCWza fIInh24vMR9dwbwqu7D1ZkBoSc0VmWhX7ONy6+z9UV7oewsXdDKtAgMBAAGjITAf MB0GCCsGAQUFBwEOAQH/BA4wDDAKBggrBgEFBQcVATANBgkqhkiG9w0BAQQFAAOB gQA3aUG2Ej5KGcfCLrKOVr9DeVPVSufPn92jAICek/kiiv4rwJGoroQYyPzYPd4/ uPIXbQ9bG080zt37eMmAZrwDfieTisDRuTNweX4y23tlxN0Ob2VQ6i11Uc7E01NC la7dZEFMQAvG1g5mL7qrmXgZE6w7crS3lisF9qz6R6m82Q== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICazCCAdSgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBnMQ0wCwYDVQQKEwRHcmlk MRMwEQYDVQQLEwpHbG9idXNUZXN0MSYwJAYDVQQLEx1zaW1wbGVDQS1jYW52YXMu bmNzYS51aXVjLmVkdTEZMBcGA1UEAxMQR2xvYnVzIFNpbXBsZSBDQTAeFw0wNzA1 MzAxNDI5MjVaFw0wODA1MjkxNDI5MjVaMHkxDTALBgNVBAoTBEdyaWQxEzARBgNV BAsTCkdsb2J1c1Rlc3QxJjAkBgNVBAsTHXNpbXBsZUNBLWNhbnZhcy5uY3NhLnVp dWMuZWR1MRYwFAYDVQQLEw1uY3NhLnVpdWMuZWR1MRMwEQYDVQQDEwpKaW0gQmFz bmV5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvgJ/ADij832USceZyBoKq cCs4LqPKiNBerhpGdfRIq2eu08I9u3qKeKBNxabflCMgMnYnKIGRxLAbQDH1Z2Io mopW9eF25zm6aupU0e08U0y1F36gB+b0wSl71uMZtrTYE+Wb3woLFT+jcnxgvi5X +gxlgdNp4BVZUl28FrEuowIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ KoZIhvcNAQEEBQADgYEAiVhf6rWOtE96vRRvJh/saLB+oKjBEw3CWac7XLIDQ6ic F/pxGWjumJMwgmwA+g1OmMqKA2YuproRPZCwJgfwzChAKDKo6HJ9IQRgX1IjXBXh 
4td1Y+3zag2BfjuZqje768Es4SePCq+Zfd3YJyr3ydN8wqnCrhX8GEQrg+BPBmw= -----END CERTIFICATE-----
The example above contains:
- RFC 3820 proxy certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney, CN=1794183258, CN=609521204, CN=1403297374
- private key corresponding to the above proxy certificate
- RFC 3820 proxy certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney, CN=1794183258, CN=609521204
- RFC 3820 proxy certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney, CN=1794183258
- RFC 3280 end entity certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney
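One way to check a proxy file against the ordering rules above, as an added example that is not Globus Toolkit code. The function names and the toy DER sample are constructed for illustration. The key-to-certificate check is a byte-level heuristic (the certificate's RSA public key carries the same DER-encoded modulus INTEGER as the PKCS#1 private key), not certificate path validation.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order; whitespace in bodies is ignored."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def der_tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def key_matches_cert(key_der, cert_der):
    """True if the modulus INTEGER of a PKCS#1 RSAPrivateKey also occurs in the certificate."""
    try:
        seq_tag, pos, _ = der_tlv(key_der, 0)            # outer SEQUENCE
        ver_tag, _, mod_pos = der_tlv(key_der, pos)      # version INTEGER
        mod_tag, _, mod_end = der_tlv(key_der, mod_pos)  # modulus INTEGER
    except IndexError:
        return False
    return ((seq_tag, ver_tag, mod_tag) == (0x30, 0x02, 0x02)
            and mod_end <= len(key_der) and key_der[mod_pos:mod_end] in cert_der)

def check_proxy_file(text):
    """Return a list of problems; an empty list means the layout follows the rules above."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    rules = [(labels[:1] == ["CERTIFICATE"], "first block must be the proxy certificate"),
             (labels[1:2] == ["RSA PRIVATE KEY"], "second block must be the RSA private key"),
             (len(labels) >= 3 and set(labels[2:]) == {"CERTIFICATE"},
              "key must be followed by one or more chain certificates only")]
    problems = [msg for ok, msg in rules if not ok]
    if not problems and not key_matches_cert(blocks[1][1], blocks[0][1]):
        problems.append("private key does not correspond to the first certificate")
    return problems

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed toy DER, not real credentials: "cert" and "key" share one modulus INTEGER.
MOD = bytes.fromhex("020500c7349fd5")
CERT, KEY, EEC = b"\x30\x09\x05\x00" + MOD, b"\x30\x0a\x02\x01\x00" + MOD, b"\x30\x02\x05\x00"
SAMPLE = pem("CERTIFICATE", CERT) + pem("RSA PRIVATE KEY", KEY) + pem("CERTIFICATE", EEC)
```

Because whitespace inside PEM bodies is ignored, the check also accepts a file whose line breaks have been collapsed to spaces.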
See also Security/ProxyCertTypes.

