For becoming fully operational, a Grid Node is also required to be a Certification Authority (CA) which issues digital certificates to users/hosts to use grid resources under secure environment.
PK-Grid-CA is a
Certification Authority managed by NCP which provides X.509 certificates to support the secure environment in grid computing. It issues User and Host Certificates to people and sites participating in grid computing in collaboration/partnership with NCP.
PK-Grid-CA Certification Authority
is working under European Grid Policy Management Authority
(EU-GRID-PMA).
The effort in this regard started in October 2003. NCP produced
the first Certificate Policy and Certification Practice
Statement (CP-CPS) document in December 2003 reviewed by several
members of
EU-GRID-PMA. After several revisions and useful
comments and suggestion by the PMA members the final version of the CP-CPS document was published in April 2004.
The details about the current and all previous versions of the PK-Grid-CA CP-CPS documents produced/published by NCP can be found at:
The NCP Certification Authority PK-GRID-CA was officially presented in the 2nd meeting of the EU-Grid-PMA held in Brussels, BELGIUM during September 23-24, 2004. Mr. Usman Ahmad Malik from NCP presented the CA and it was formally approved and accredited by the EU-Grid-PMA as a Certification Authority. The details of the meeting can be found at:
PK-Grid-CA had started operations since then. This
was the first and only Certification Authority in Pakistan at
that time.
Events
EU-Grid-PMA
meeting in Warsaw, Poland in May, 2005 was attended by
Mr. Sajjad Asghar, the PK-Grid-CA Manager.
EU-Grid-PMA
meeting in Karlsruhe, German in October, 2006 was
attended by Mr. Usman Ahmad Malik, the PK-Grid-CA
Manager.
The old root key for
PK-Grid-CA would expire on December 9, 2008. Hence no
certificate could be signed with it after December 8, 2007. A
new key pair valid till December 2017 consisting of 4096 bits
has been generated and sent to the PMA, and hence
distributed via the (International Grid Trust Federation) IGTF-release, and now two
root keys are
valid for PK-Grid-CA. The new certificate requests are being
signed by the new root key. For the moment both the root keys
are distributed an trusted on WLCG.
In December 2007, the
PK-Grid-CA team drafted the new
CP-CPS (1.1.2.0) based on the
structure suggested by RFC – 3647. After the approval of the
NCP management the new CP-CPS was sent to the EU-Grid-PMA
mailing list for approval
which was subsequently approved by the PMA in its
meeting in January 2008.
A member of PK-Grid-CA team
attended the PMA meeting in May 2008 in Copenhagen,
Denmark . There GPG keys were exchanged with the PMA
chair, Dr. David. L. Groep, who acts as a trust
introducer. Later on the signed root keys
were sent
to TERENA Academic CA Repository (TACAR), a trusted
repository which contains verified root-CA
certificates, which put both root keys of PK-Grid-CA into TACAR
repository after completing some formal procedures.
Self-audit for PK-Grid-CA
has been conducted to check compliance of CA operations with the
CP-CPS. The audit was conducted according to the "Audit
Guidelines Document" provided by the AP-Grid-PMA. The audit
report would be published on the NCP website soon.
PK-Grid-CA Managers:
Usman Ahmad Malik
Sajjad Asghar
So far 117 digital certificates have been issued to NCP, PAEC-I, PAEC-III and NUST, which include user and host certificates, the details are as follows:
Certificates Record
User Certificates Issued
63
Host Certificates Issued
54
Total Issued
117
Certificates Expired
57
Certificates Revoked
28
Current Active
Certificates
32
An online portal is available for certificate request where you can request for user and host certificates. You can request online for a digital certificate at:
A list of revoked certificates is maintained on regular basis for the relying parties so that they can check the validity of the certificate they are going to trust. This CRL contains the serial numbers of all the certificates that should no longer be trusted. CRL is issued every twenty three days or right after a certificate revocation.
The latest copy of the PK-GRID-CA CRL can be fetched from:
