Particle Physics Data Grid
A member of
  PPDG Registration Authority in the DOEGrids PKI
Instructions to agents of the PPDG Registration Authority

Important URLs:

General agent interface to the Registration Manager: https://pki1.doegrids.org:8100/ca/
PPDG RA pages: http://www.ppdg.net/RA/
Home page of the DOEGrids Certificate Authority: http://www.doegrids.org/
Public user interface for requesting certificates: https://pki1.doegrids.org/
Workflow diagram of certificate request processing: http://www.doegrids.org/pages/workflow.pdf
Detailed information about the CA, including CA certificates, CP/CPS, CRLs, etc.: http://www.doegrids.org/CA/
ppdg-ralog@ppdg.net email archive (password protected; use the email address and password you received when you subscribed to this list): http://www.ppdg.net/mailman/private/ppdg-ralog/

Steps in the agent workflow to approve new certificates
(these are not the same steps as in the workflow diagram above):

1. The agent receives an email notification of a new request.
2. The agent checks whether the request "belongs" to them (i.e. is for a user this agent is responsible for). If so, click the "assign to me" link; if not, ignore the request and leave it for the responsible agent.
3. The agent contacts a sponsor for the request, by telephone or by signed email, to confirm that the request is valid. An unsigned email reply is not sufficient confirmation: the request itself arrived by email, and an unsigned "From" address proves nothing.
4. The agent verifies that there is not already a valid (unexpired, unrevoked) certificate with the same Subject name as the new request. If there is, contact Doug Olson and ask what to do about it (better instructions are needed here).
5. If the request is determined to be invalid, the agent cancels it using the "Do it" selector at the bottom of the request display form.
6. If the request is confirmed, the agent issues the certificate using the "Do it" button to accept the request at the bottom of the request display form.
7. The agent forwards the email notice of the original request (or equivalent information) to ppdg-ralog@ppdg.net, adding who confirmed the request and how it was confirmed, and the details of the certificate issued (for example the Subject name and serial number). See the example in the email archive, http://www.ppdg.net/mailman/private/ppdg-ralog/2003/msg00170.html
(password protected with your email address and password from your subscription to the ppdg-ralog email list).

Revoking certificates:

End users can revoke their own certificates using the DOEGrids web interface, for certificates that are installed in their web browser. In a grid context, however, users often do not have their certificate in the browser, and an agent must revoke it for them.

When someone requests that a certificate be revoked, verify their identity with a mechanism equivalent to the one used when granting new certificates (telephone or signed email). Do not act on an unsigned email alone: a forged revocation request locks a legitimate user out of the grid, while a genuine one (for example a lost or compromised private key) needs prompt action, so confirm quickly but properly.

Certificates are revoked by serial number, not by name. It is common for a person to have several certificates with the same DN (distinguished name, or subject name), each with a different serial number. When revoking, make sure you revoke the certificate with the correct serial number; revoking the wrong one leaves the problem certificate valid and disables one that was fine.

  1. To revoke a certificate, open the agent web interface, https://pki1.doegrids.org:8100/ca/, and click the "Revoke Certificates" link. If you know the serial number you can enter it directly; otherwise there are other fields where you can enter all or part of the person's name, email address, etc.
  2. Click the "Find" button at the bottom of the page and you will be shown a list of certificates that match the criteria you specified.
  3. When you have located the one with the correct serial number, click the "Revoke" button.
  4. If you have information about the date the certificate became invalid or the reason, enter it on the next page. Always enter something in the comment field recording who asked for the certificate to be revoked and why.
  5. Click the "Submit" button at the bottom of the page and the certificate will be revoked immediately.
  6. Also send an email to ppdg-ralog@ppdg.net saying which certificate (serial number) you revoked and why. If you have many to revoke you can put them all in the same email message.
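The two checks above, the duplicate check in step 4 of the approval workflow and the DN-to-serial-number disambiguation before revoking, are illustrated by the following Go program. It is an added example written for this page, not code from the DOEGrids CA or the PPDG RA tools: it builds a throwaway CA, Jane's three certificates under one DN (one expired, one revoked via a CRL, one valid) and an unrelated certificate entirely in memory with Go's standard crypto/x509 package, then verifies the CRL signature and lists, for the requested DN, every serial number ever issued and the subset that is still valid. All names, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed, in-memory PKI for the example (hypothetical CA, DNs and serial
// numbers, not DOEGrids data). must panics on error to keep the setup short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent (tmpl == parent for the self-signed CA).
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, key, key), key
}

func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, dn pkix.Name, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: dn, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter,
	}
	return sign(tmpl, ca, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), caKey)
}

// issueCRL signs a CRL listing the given serial numbers as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// revokedSerials reads the CRL only after verifying that the CA signed it; an unverified CRL could hide or fake revocations.
func revokedSerials(ca *x509.Certificate, crl *x509.RevocationList) (map[string]bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	revoked := map[string]bool{}
	for _, rc := range crl.RevokedCertificates {
		revoked[rc.SerialNumber.String()] = true
	}
	return revoked, nil
}

// certsForSubject returns every serial issued for dn (the set to disambiguate before revoking) and the
// still-valid subset, neither expired nor on the CRL (the duplicate check of approval step 4).
func certsForSubject(issued []*x509.Certificate, revoked map[string]bool, dn pkix.Name, now time.Time) (all, valid []string) {
	for _, c := range issued {
		if c.Subject.String() != dn.String() { // compare DNs in RFC 2253 string form, not field by field
			continue
		}
		serial := c.SerialNumber.String()
		all = append(all, serial)
		if !revoked[serial] && !now.Before(c.NotBefore) && !now.After(c.NotAfter) {
			valid = append(valid, serial)
		}
	}
	return all, valid
}

// runScenario: Jane holds 1001 (expired), 1002 (revoked) and 1003 (valid) under one DN, John holds 1004.
func runScenario() (all, valid []string) {
	ca, caKey := newCA()
	now := time.Now()
	jane := pkix.Name{Organization: []string{"Constructed Grid Org"}, CommonName: "Jane Doe"}
	issued := []*x509.Certificate{
		issue(ca, caKey, 1001, jane, now.Add(-time.Hour)),
		issue(ca, caKey, 1002, jane, now.Add(24*time.Hour)),
		issue(ca, caKey, 1003, jane, now.Add(24*time.Hour)),
		issue(ca, caKey, 1004, pkix.Name{CommonName: "John Roe"}, now.Add(24*time.Hour)),
	}
	revoked := must(revokedSerials(ca, issueCRL(ca, caKey, 1002)))
	return certsForSubject(issued, revoked, jane, now)
}

func main() { fmt.Println(runScenario()) } // [1001 1002 1003] [1003]
```

For a new request carrying Jane's DN the agent would see that serial 1003 is still valid and escalate rather than issue; for a revocation request naming only the DN, the three serials show why the requester must be asked which certificate is meant. The CRL is trusted only after `CheckSignatureFrom` succeeds, so a CRL substituted by anyone other than the CA is rejected instead of silently changing the answer.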

Useful tidbits:

Sometimes the LDAP directory service is not updated after a change, but there is an "Update Directory" link on the agent interface web page. Dhiva recommends:
"ALWAYS select the following two options:
- skip certificates already marked as updated
- update everything in the database to the directory
and then click on the 'update directory' button."
