Instructions for getting a personal (grid) certificate. We will focus mainly requesting and using the eScience certificate obtainable via the Digicert portal, but also NorduGrid certificate can be used.
Grids provide computation and data resources to be shared in inter-organizational use. Finnish academic grid users can apply for a grid certificate and access to several grid networks (e.g. FGCI, NorduGrid and PRACE) via CSC. Following these instructions, you should be able to get up and running in less than 30 minutes.
If you have any questions or problems with getting a grid certificate, please contact firstname.lastname@example.org
Your certificate is valid for one year at a time. After one year, preferably in good time before your old certificate expires, you must request for a new certificate. The renewal procedure is exactly the same as requesting for a new certificate.
What is a certificate?
Grid users are identified using X.509 certificates. Certificate requests need to be signed by a Certification Authority (CA) which acts as a trusted third party. CSC is using GÉANT Trusted Certificate Service (TCS) as the authority to provide Finnish academic grid users with personal e-science grid user certificates. The certificates will be requested through the DigiCert SSO portal, which automatically installs in the certificate to users web browser. The certificates are valid for one year at a time.
The user logs on to the DigiCert SSO portal using their HAKA credentials (username and password in most cases). To be able to log in, your Identity Provider ( i.e. home university or institute) must be compatible with eduGAIN service. If the name of your home institute is not recognized by the DigiCert SSO portal (Finnish, Swedish and English institute names should be recognized) that means that your home institute is not compatible with the eduGAIN service.
If your organization is not compatible with eduGAIN, you can still request a personal certificate from Nordugrid: Personal Nordugrid certificate.
Getting a TCS certificate
Please make sure you are NOT using a public computer!
If you use a public computer, your certificate or your grid identity will be stored in the browser of that computer and someone using the same computer later could pose as you. THIS MUST HAPPEN UNDER NO CIRCUMSTANCES!
Step-by-step instructions for getting your own certificate:
- Ensure that you are using your own private computer or laptop!
- Go to the site: https://www.digicert.com/sso
- Enter the name of your home institute and press "Start single sign-on"
- Sign in using your HAKA username and password
- In the "Request Product" page, choose product: Grid Premium, check your information and press "Request Certificate"
Now you have your certificate in the keystore of your browser, signed by DigiCert and ready for use.
Note! In the case of Chrome browsers, you must add a Certificate Request to the CSR field in the steo 5. This request can be created by executing following openssl commands in your local (linux or mac) computer.
openssl genrsa -aes256 -out userkey.pem 2048 openssl req -new -key userkey.pem -subj "/DC=org/DC=terena/DC=tcs/CN=your_own_nane"
In the second command you must replace the your_own_name with the value shown in the Common Name field in the certificate request page (e.g. Kalle Kayttaja email@example.com). When the second openssl-command is executed it prints out the Certificate Request. Copy this text to CSR field and submit the request.
Exporting the certificate from the browser (in *.p12 format)
NB! This is not the same thing as downloading the certificate from the DigiCert page! (That happened in the previous steps.)
To use your certificate on the command line (e.g. to submit grid jobs from the command line), you need to export your certificate. Instructions for doing this for some of the more common browsers below.
- Select Edit -> Preferences
- Go to Advanced -> Encryption -> View Certificates
- Select your certificate and click Backup
- Save the certificate as "usercert.p12". The browser will ask you for your password now, along with an export password. You MUST have a password here, you may not backup the certificate without a password!
- Select Menu -> Settings -> Preferences
- Go to Advanced -> Security -> Manage Certificates
- Select your certificate and click Export
- Choose the "PKCS #12 (with private key)" filetype, and save the certificate as "usercert.p12". The browser will ask you for your password now, along with an export password. You MUST have a password here, you may not export the certificate without a password!
- Select Tools -> Internet Options
- Go to Content -> Certificates
- Select your certificate and click Export
- Choose the format "Personal Information Exchange - PKCS #12". Save the certificate as "usercert.p12".
- Open preferences (Under the Wrench), click "Under the Hood" on the left
- Click the "Manage certificates" button
- Select a certificate to export
- Click "Export" and save the certificate as "usercert.p12".
Converting your certificate to PEM format
You will need to convert the certificate to a format the grid tools understand. The following commands work on Linux machines. If you are using the grid tools from another machine than your browser is on, you can transfer the "usercert.p12" file to that machine, and run these commands there. It's suggested that you use a secure tool like SCP to do this.
1. Create the certificate private key with command:
openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
This will ask the old and the new key passwords (these can be the same).
2. Create the user certificate with command
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
3. You should now have two files, "usercert.pem" and "userkey.pem". Place these files in a ".globus" subdirectory under your home directory.
4. Finally run command:
chmod 400 ~/.globus/userkey.pem
After this you should be able to use your new certificate with command line grid tools.