PK-Grid Certification Authority
For becoming fully operational, a Grid Node is also required to be a Certification Authority (CA) which issues digital certificates to users/
hosts to use grid resources under secure environment.
PK-Grid-CA is a Certification Authority managed by NCP which provides X.509 certificates to support the secure environment in grid computing.
It issues User and Host Certificates to people and sites participating in grid computing in collaboration/partnership with NCP.
PK-Grid-CA Certification Authority is working under European Grid Policy Management Authority (EU-GRID-PMA). The effort in this regard started in
October 2003. NCP produced the first Certificate Policy and Certification Practice Statement (CP-CPS) document in December 2003 reviewed by several
members of EU-GRID-PMA. After several revisions and useful comments and suggestion by the PMA members the final version of the CP-CPS document was
published in April 2004.
The details about the current and all previous versions of the PK-Grid-CA CP-CPS documents produced/published by NCP can be found at:
The NCP Certification Authority PK-GRID-CA was officially presented in the 2nd meeting of the EU-Grid-PMA held in Brussels, BELGIUM during September
23-24, 2004. Mr. Usman Ahmad Malik from NCP presented the CA and it was formally approved and accredited by the EU-Grid-PMA as a Certification
Authority. The details of the meeting can be found at:
PK-Grid-CA had started operations since then. This was the first and only Certification Authority in Pakistan at that time.
Certification Authority Events/Timeline
- 5th EU-Grid-PMA meeting hosted in Poznan, Poland in May, 2005 was attended by Mr. Sajjad Asghar, the PK-Grid-CA Manager
- 8th EU-Grid-PMA meeting held in Karlsruhe, Germany in October, 2006 was attended by Mr. Usman Ahmad Malik, the PK-Grid-CA Manager
- The old root key for PK-Grid-CA was expiring on December 9, 2008. Hence no certificate could be signed with it after December 8, 2007 (considering
the key changeover policy as described under section 5.6 of the updated CP-CPS). Hence, a new key pair valid till December 2017 comprising of 4096 bits
has been generated, the public key was sent to the PMA, and hence distributed via the IGTF-release (International Grid Trust Federation). Since then,
all subsequent certificate requests are being signed by the new root key.
- In December 2007, the PK-Grid-CA team drafted the new CP-CPS (18.104.22.168) based
on the structure suggested by RFC – 3647. After the approval of the NCP management the new CP-CPS was sent to the EU-Grid-PMA mailing list
for approval which was subsequently approved by the PMA in its meeting held in 12th EU-Grid-PMA meeting held in Amsterdam, Holland in January 2008.
- Mr. Usman Ahmad Malik of PK-Grid-CA team attended the 13th EU-Grid-PMA meeting in May 2008 in Copenhagen, Denmark . There, GPG keys were exchanged with the
EU-Grid-PMA chair, Dr. David. L. Groep, who acts as a trust introducer. Later on, the signed root keys were sent to TERENA Academic CA Repository
(TACAR), a trusted repository which contains verified root-CA certificates, which then placed both root keys of PK-Grid-CA into TACAR repository
after completing some formal procedures.
- The first ever self-audit for PK-Grid-CA has been conducted to check compliance of CA operations with the CP-CPS. The audit was conducted according to the
"Audit Guidelines Document version "1.0-B5 provided by the AP-Grid-PMA.
- In January 2009, Mr. Sajjad Asghar, one of the managers of PK-GRID-CA team attended the 15th EU-Grid-PMA meeting in Nicosia, Cyprus. There, he presented the first
self-audit report of PK-GRID-CA. He was also nominated as a member of IGTF-RAT (Risk Assessment Team) in the same meeting.
- Based upon the feedback of the audit report presented in Cyprus, the CP-CPS has been modified to version
- The new CP-CPS (22.214.171.124) has been sent to and then finally approved by EU-Grid-PMA.
- The subsequent self-audit was performed in 2010 according to decision made in an internal meeting of PK-Grid-CA which states that self audits will be conducted
at least for once every two years. The audit was conducted according to "Guidelines for auditing Grid CAs version 1.0 document". Findings were updated in
the form of CP-CPS (126.96.36.199) and sent for review.
- The new CP-CPS (188.8.131.52) has been published after accreditation by EU-GRID-PMA in
- Next self-audit was performed according to "Guidelines for auditing Grid CAs version 1.1 document" and presented in the 26th EU-Grid-PMA meeting
held in Lyon, France in September 2012.
- The feedback on that self-audit plus our own corrections were incorporated as CP-CPS (184.108.40.206)
and eventually published in May 2013 after the formal approval from EU-Grid-PMA as usual.
- Next subsequent self-audit was performed according to "Guidelines for auditing Grid CAs version 1.1, authors: Y Tanaka, M Viljoeu, S Rea dated October 28, 2010",
“GFD 125” and “RFC 5280” and presented in the 33rd EU-Grid-PMA meeting held in Berlin, Germany in January 2015.
- The feedback on that self-audit plus our own corrections were incorporated as CP-CPS (220.127.116.11)
and eventually published in January 2016 after the formal approval from EU-Grid-PMA and Peer Review Committee as usual.
- In December 2017, we extended the life time of our existing root key to year 2027.
- Based on this change we required to update our CP/CPS accordingly.
So far 561 digital certificates have been issued to NCP, PAEC-I, PAEC-III, COMSATS and NUST, which include user and host certificates, the details are
| User Certificates Issued
|Host Certificates Issued
|Current Active User Certificate
|Current Active Host Certificate
|Current Active Certificates
Updated on 28-03-2018
An online portal is available for certificate request where you can request for user and host certificates. You can request online for a digital
For User Certificate
For Host Certificate http://www.ncp.edu.pk/pk-grid-ca/hostinstructions.php
A list of revoked certificates is maintained on regular basis for the relying parties so that they can check the validity of the certificate they are
going to trust. This CRL contains the serial numbers of all the certificates that should no longer be trusted. CRL is issued every twenty three days
or right after a certificate revocation.
The latest copy of the PK-GRID-CA CRL can be fetched from: