Grid Certificates

Instructions for getting a personal (grid) certificate. We will focus on requesting and using the eScience certificate obtainable via the Sectigo portal.

Grids provide computation and data resources to be shared in inter-organizational use. Finnish academic grid users can apply for a grid certificate and access to several grid networks (e.g.  PRACE) via CSC. Following these instructions, you should be able to get up and running in less than 30 minutes.

If you have any questions or problems with getting a grid certificate, please contact

Certificate renewal

Your certificate is valid for one year at a time. After one year, preferably in good time before your old certificate expires, you must request for a new certificate. The renewal procedure is exactly the same as requesting for a new certificate.

What is a certificate?

Grid users are identified using X.509 certificates. Certificate requests need to be signed by a Certification Authority (CA) which acts as a trusted third party.  CSC is using GÉANT Trusted Certificate Service (TCS) as the authority  to provide Finnish academic grid users with personal e-science grid user certificates. The certificates will be requested through the Sectigo Certificate Manager , that generates and downloads the certificate to your local computer. The certificates are valid for one year at a time.

The user logs on to the Sectigo Certificate Manager using their HAKA credentials (username and password in most cases). To be able to log in, your Identity Provider (i.e. home university or institute) must be compatible with eduGAIN service. If the name of your home institute is not recognized by the Sectigo portal (English institute names are recognized) that means that your home institute is not compatible with the eduGAIN service.

Getting a TCS certificate

Very important

Please make sure you are NOT using a public computer!

If you use a public computer, your certificate or your grid identity will be downloaded to that computer and someone using the same computer later could pose as you. THIS MUST HAPPEN UNDER NO CIRCUMSTANCES!

Step-by-step instructions for getting your own certificate:

  1. Ensure that you are using your own private computer or laptop!
  2. Go to the Sectigo Certificate Manager
  3. Enter the name of your home institute (English institute names are recognized) and select it from the list below the text field.

  4. Login using your HAKA username and password. HAKA account is created by your home organization, not by CSC. Typically this is the user account you use to log in to local university network.

    If you get error message saying You are not allowed to self enroll, then your home organization is not yet compatible with the Sectigo Certificate Manager and you should contact local network administrators to fix this issue.

  5. In the Digital certificate enrollment page, check that your personal information is correct. In the Certificate Profile selection, choose: GÉANT IGTF-MICS Personal and Key generation option for the Private Key selection.

  6. Keytype should be added and should be RSA4096

  7. Finally define and verify a password for your certificate and press Submit button.

The PKCS12 formatted certificate is now exported to the download folder of your browser. Default name for the certificate is certs.p12.

Converting your certificate to PEM format

Browsers are normally able to use PKCS12 certificates, but the grid tools like ARC middleware
uses PEM as the default certificate format. The following commands convert the certs.p12 certificate to PEM format on Linux machines. If you are using the grid tools from another machine than your browser is on, you can transfer the  certs.p12 file to that machine, and run these commands there. It's suggested that you use a secure tool like SCP to do this.

1. Create the certificate private key with command:

openssl pkcs12 -nocerts -in certs.p12 -out userkey.pem

This will ask the old and the new key passwords (these can be the same).

2. Create the user certificate with command

openssl pkcs12 -clcerts -nokeys -in certs.p12 -out usercert.pem

3. You should now have two files, "usercert.pem" and "userkey.pem". Place these files in a ".globus" subdirectory under your home directory.

4. Finally run command:

chmod 400 ~/.globus/userkey.pem

After this you should be able to use your new certificate with command line grid tools.