Before you can delegate certificates using the OAuth 1.0a for MyProxy service, you must register your OAuth for MyProxy client. This requires that you generate a public and private key. You will supply the registration page (normally located at https://whatever.the.server/oauth/register) with your public key and other information.
There are several ways to do this, but the easiest is with OpenSSL. You would issue:
openssl genrsa -out oauth-privkey.pem 2048
chmod 0600 oauth-privkey.pem
openssl rsa -in oauth-privkey.pem -pubout -out oauth-pubkey.pem
You now have a private and public key pair, both in PEM format. (Privacy Enhanced Mail format is just a pair of header lines wrapped around a base64 representation of binary data and is the basic format for all of the keys in this discussion. What goes between the headers inside the PEM format is very different though.) Using your private key with Java requires a little more work, since the generated RSA private key is not in a format Java understands. OpenSSL's default is called PKCS #1, which looks like
-----BEGIN RSA PRIVATE KEY-----
stuff...
-----END RSA PRIVATE KEY-----
The newer format for this (which is natively supported by Java) is PKCS #8 format. OpenSSL has a utility for conversion and here is how to use it:
openssl pkcs8 -topk8 -in oauth-privkey.pem -nocrypt -out oauth-privkey.pk8
The resulting file looks like
-----BEGIN PRIVATE KEY-----
other stuff...
-----END PRIVATE KEY-----
You should set the file's group to "tomcat" and make it readable only by the owner (root) and the group:
chmod 0640 oauth-privkey.pk8
The public key is in the X.509 public key format and looks like
-----BEGIN PUBLIC KEY-----
more stuff...
-----END PUBLIC KEY-----
The default registration form looks like this:
The various fields are as follows:
The Client API will require your private key. The OA4MP server will require your public one. The Client API only needs the native Java object
java.security.PrivateKey
There is a utility called edu.uiuc.ncsa.csd.security.KeyUtil which will read in various formats. Its methods generally convert to or from PKCS #8 PEM, so to read in a PKCS #8 PEM format key from a file you would issue
// Reader over the PKCS #8 PEM file produced by openssl pkcs8 -topk8 above
FileReader fr = new FileReader("/path/to/oauth-privkey.pk8");
PrivateKey pkey = KeyUtil.fromPKCS8PEM(fr);
Remember that this utility does not convert between formats generally (so, e.g., reading in a PKCS #1 format file using fromPKCS8PEM will fail). You must use OpenSSL's pkcs8 utility to do that.
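To show what a PKCS #8 PEM reader such as the one above actually does, here is an added example written for this page (not OA4MP's own KeyUtil code) that loads the files produced by the openssl commands earlier with plain JDK classes. The class name PemKeyLoader and its method names are assumptions; it also demonstrates the caveat above by rejecting a PKCS #1 file with a message that points at the conversion step.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.stream.Collectors;

/** Hypothetical helper (not part of OA4MP): loads the openssl-generated PEM files with JDK classes only. */
public final class PemKeyLoader {
    static final String PKCS8_BEGIN = "-----BEGIN PRIVATE KEY-----";
    static final String PKCS1_BEGIN = "-----BEGIN RSA PRIVATE KEY-----";
    static final String X509_PUB_BEGIN = "-----BEGIN PUBLIC KEY-----";

    /** Strips the PEM armor and base64-decodes the body; any other header fails loudly instead of later. */
    static byte[] derFromPem(String pem, String expectedBegin) {
        String first = pem.strip().lines().findFirst().orElse("");
        if (PKCS1_BEGIN.equals(first) && PKCS8_BEGIN.equals(expectedBegin)) {
            throw new IllegalArgumentException(
                "PKCS #1 key found; convert it first with: openssl pkcs8 -topk8 -nocrypt");
        }
        if (!expectedBegin.equals(first)) {
            throw new IllegalArgumentException("expected " + expectedBegin + " but file starts with: " + first);
        }
        String body = pem.lines()
            .map(String::strip)
            .filter(l -> !l.isEmpty() && !l.startsWith("-----"))
            .collect(Collectors.joining());
        return Base64.getDecoder().decode(body);
    }

    /** PKCS #8 PEM (oauth-privkey.pk8) to java.security.PrivateKey, the object the Client API needs. */
    public static PrivateKey privateKeyFromPkcs8Pem(String pem) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(derFromPem(pem, PKCS8_BEGIN)));
    }

    /** X.509 SubjectPublicKeyInfo PEM (oauth-pubkey.pem) to java.security.PublicKey. */
    public static PublicKey publicKeyFromX509Pem(String pem) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(derFromPem(pem, X509_PUB_BEGIN)));
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        PrivateKey priv = privateKeyFromPkcs8Pem(Files.readString(Path.of(args[0])));
        PublicKey pub = publicKeyFromX509Pem(Files.readString(Path.of(args[1])));
        System.out.println(priv.getAlgorithm() + " private key, format " + priv.getFormat()
            + "; public key format " + pub.getFormat());
    }
}
```

Run it as `java PemKeyLoader oauth-privkey.pk8 oauth-pubkey.pem` (Java 11 or later); passing the unconverted oauth-privkey.pem instead of the .pk8 file triggers the PKCS #1 error rather than an opaque InvalidKeySpecException.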