Requesting Personal Certificates

From SURAgrid
Latest revision as of 14:41, 3 September 2013

Obtaining and Using Personal Grid Certificates through OSG

Now that SURAgrid is a formally supported Virtual Organization within the Open Science Grid, we are able to offer our users the opportunity to obtain and use personal X.509 grid certificates directly if needed.

Note that if your institution is a member of InCommon AND is certified at the InCommon "Silver" assurance level, you can also use the separate CILogon service to obtain a grid credential through your university's single-sign-on system, which may be easier than the process outlined below.

In either case, you will also need to follow the instructions to register your grid certificate in the SURAgrid VOMS (Virtual Organization Membership Service), as outlined below.

You are STRONGLY encouraged to use Firefox on either Windows or Macintosh as your web browser.  In order to get your personal OSG certificate, you need to complete the following steps:

  1. Point your web browser to the URL https://oim.grid.iu.edu/oim/certificaterequestuser.
  2. Enter your contact information in the Contact Information field.
  3. Enter your profile information in the Profile Information field.
  4. Enter a password to be used for issuing your certificate and encrypting your private key. (IMPORTANT: If you forget this password, you will not be able to issue your certificate and import it into your browser after it is approved.)
  5. Select SURAGrid from the pick list in the Sponsor field.
  6. Specify a person who can verify your identity by phone or in person. This person will call you at the phone number you provide in your contact information, so make sure you are providing accurate information. We are working to get a registration authority (RA) at each campus that is a member of SURAgrid. Please include the name of the person who can verify your identity from the list below. If you have questions please contact the SURAgrid list.
    1. James A. Lupo at LSU
    2. Alan Sill at TTU
    3. Alain Deximo at TTU
    4. Steve Johnson at TAMU
    5. Amy Wang at TTU
  7. Check the "I AGREE" box.
  8. Click on the Submit button.

After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center or GOC) asking them to validate your request. After your request is approved, you will receive an email which contains a link to your certificate and private key. You need to download the file that contains your user certificate and key from the link to your local computer. (IMPORTANT NOTE: You must use the SAME browser on the SAME computer that you used to request the certificate when you import the certificate and private key.)


Importing Certificates/Private Key pair to your Web Browser

Firefox for Windows

The file you downloaded contains your OSG certificate and private key as a PKCS#12 file.  To import it into Firefox, follow the steps below:

  1. Click on the Tools option at the top of the browser.
  2. Select Options from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the Import button.
  8. Select the certificate from the directory where you saved it (the download location).
  9. Click on the Open button.

Then you should see a message of "Successfully imported your security certificate and private key".


Other Web Browsers

To find the details for importing your user certificate to your web browser, please see the instructions through the following links.

  1. Importing User Certificate on Firefox https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+Firefox
  2. Importing User Certificate on IE https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+IE
  3. Importing User Certificate on Chrome https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+Chrome
  4. Importing User Certificate on Safari https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+Safari
  5. Importing User Certificate for Command Line Use https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+for+Command+Line+Use


Exporting Your Certificates/Private Key pair for use by Globus

In order to use your OSG certificate and private key on grid resources or submit machines, copy your file_name.p12 file to the $HOME/.globus directory [if you don't have a .globus directory, create one: mkdir .globus] on that machine, change its name to usercred.p12 and set its permissions as follows:

mv $HOME/.globus/file_name.p12 $HOME/.globus/usercred.p12
chmod 400 $HOME/.globus/usercred.p12


User commands currently support both p12 and pem certificates, so there is no need to convert your p12 certificate. However, if you also want the certificate in .pem format, run the following commands. The first extracts your certificate (which carries your public key), the second extracts your private key.  (NOTE: You will be prompted for your encryption password when executing these commands.)

openssl pkcs12 -in $HOME/.globus/file_name.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in $HOME/.globus/file_name.p12 -nocerts -out $HOME/.globus/userkey.pem


You must set the protections on your two new .pem files correctly, otherwise voms-proxy-init will not use them.

chmod go-rw ~/.globus/userkey.pem
chmod go-w ~/.globus/usercert.pem
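The following script is an added example and is not part of the SURAgrid wiki or the OSG tools; it carries out the installation and .pem extraction steps above and then checks what voms-proxy-init requires: the key unreadable by anyone but its owner, the certificate not writable by others, and both files carrying the same public key. The function names, the P12_PASS environment variable for non-interactive use, the umask 077 and the chmod 700 on the directory are assumptions added here, not steps from the page.

```shell
#!/bin/sh
# Hypothetical helper, not from the SURAgrid wiki: installs a downloaded
# PKCS#12 credential into $HOME/.globus as the page describes, optionally
# splits it into usercert.pem/userkey.pem, and checks the permissions that
# voms-proxy-init insists on before it will use the files.
set -u

GLOBUS_DIR="${GLOBUS_DIR:-${HOME:-.}/.globus}"

# First ten characters of `ls -ld`, e.g. "-r--------" (works on GNU and BSD ls).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Private key: readable by its owner, no access at all for group or other
# (this is what "chmod 400 usercred.p12" and "chmod go-rw userkey.pem" give you).
key_perms_ok() {
    case "$(mode_of "$1")" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Certificate: may be world-readable, but must not be writable by group or other
# ("chmod go-w usercert.pem" on the page); position 6 is group-w, position 9 other-w.
cert_perms_ok() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    case "$m" in
        ?????w????|????????w?) return 1 ;;
        *)                     return 0 ;;
    esac
}

# Page step: copy file_name.p12 to $HOME/.globus/usercred.p12 with mode 400.
# The chmod 700 on the directory itself is an addition to what the page shows.
install_usercred() {   # $1 = downloaded .p12 file, $2 = .globus directory (optional)
    dir="${2:-$GLOBUS_DIR}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cp "$1" "$dir/usercred.p12" && chmod 400 "$dir/usercred.p12"
}

# Optional page step: extract the .pem pair with the two openssl commands.
# Additions: umask 077 so the key file is never created world-readable, and
# P12_PASS (an environment variable assumed here) for non-interactive use;
# when it is unset openssl prompts for the encryption password, as the page says.
extract_pem() {        # $1 = .p12 file, $2 = target directory (optional)
    dir="${2:-$GLOBUS_DIR}"
    pass_opt=""
    if [ -n "${P12_PASS:-}" ]; then
        export P12_PASS
        pass_opt="-passin env:P12_PASS -passout env:P12_PASS"
    fi
    ( umask 077 &&
      openssl pkcs12 -in "$1" -clcerts -nokeys $pass_opt -out "$dir/usercert.pem" &&
      openssl pkcs12 -in "$1" -nocerts $pass_opt -out "$dir/userkey.pem" ) || return 1
    chmod go-rw "$dir/userkey.pem" && chmod go-w "$dir/usercert.pem"
}

# Check the .pem pair: permissions first, then that the certificate and the key
# carry the same public key (a mismatch is the other common reason a proxy
# will not initialise). Prompts for the key passphrase unless P12_PASS is set.
check_globus_creds() { # $1 = directory holding usercert.pem and userkey.pem (optional)
    dir="${1:-$GLOBUS_DIR}"
    cert="$dir/usercert.pem"
    key="$dir/userkey.pem"
    cert_perms_ok "$cert" || { echo "usercert.pem is group/world writable" >&2; return 1; }
    key_perms_ok "$key"   || { echo "userkey.pem is readable by others"   >&2; return 1; }
    pass_opt=""
    [ -n "${P12_PASS:-}" ] && { export P12_PASS; pass_opt="-passin env:P12_PASS"; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" $pass_opt -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "usercert.pem and userkey.pem do not match" >&2; return 1; }
}

# Stand-alone use: ./globus_creds.sh file_name.p12
if [ -n "${1:-}" ]; then
    install_usercred "$1" && extract_pem "$GLOBUS_DIR/usercred.p12" &&
        check_globus_creds && echo "credentials installed in $GLOBUS_DIR and checked"
fi
```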


Using your certificate for email communication

At times it may be necessary to send signed or encrypted emails to the OSG GOC or other members of the OSG. For example, you may want to confirm a colleague's request for an OSG certificate, which requires you to digitally sign your email. Or, you may need to request support from the GOC and your email includes sensitive data. This requires you to encrypt your email to prevent intermediaries from reading the sensitive data.

The OSG Wiki has basic information on options for secure messaging. The basic steps include:

  1. Importing the CAs from DigiCert into your mail client. You need the DigiCert Grid Root CA and DigiCert Grid CA-1.
  2. Importing your OSG-issued personal certificate.
  3. Associating your certificate with your email account so it can be used to sign or encrypt an email.
  4. Choosing to sign or encrypt your message when it is sent.

While setting up an email client to use S/MIME is generally not difficult, you may run into non-obvious errors. This section is a collection of problems and potential solutions.

Thunderbird

Thunderbird users can follow Installing an S/MIME Certificate. Be sure, at a minimum, to select the checkbox "Trust this certificate to identify email users" when you import the DigiCert CAs. This is essential for getting Thunderbird to send signed or encrypted messages, and it tends to get glossed over in import instructions.

If you feel you have everything set up in Thunderbird but are still seeing a message like:

 Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings 
 for this mail account are valid and trusted

This very likely means you have not told Thunderbird to trust DigiCert Grid CA-1 to identify mail users. You can check the trust settings under Preferences->Advanced->View Certificates->Authorities: select DigiCert Grid CA-1, press "Edit Trust...", and make sure "Trust this certificate to identify email users" is selected.

After you have made this change, you should be able to send signed and encrypted mail using your OSG certificate.
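The checkbox described above corresponds to the C flag in the S/MIME column of the trust attributes that NSS stores for a CA, which the certutil tool prints as SSL,S/MIME,JAR/XPI. The script below is an added example, not from the SURAgrid wiki or from Mozilla; it parses certutil -L output and reports whether a CA is trusted to identify email users. The function names, the profile-directory argument and the sql: database prefix are assumptions.

```shell
#!/bin/sh
# Hypothetical check, not from the SURAgrid wiki: reads the trust flags that
# Thunderbird's NSS certificate database records for a CA and reports whether
# the CA is trusted "to identify email users", i.e. the S/MIME column carries C.
# NSS trust attributes are three comma-separated columns: SSL,S/MIME,JAR/XPI.

# Print the trust attributes of one nickname from `certutil -L` output on stdin.
# Nicknames may contain spaces, so the trust column is taken as the last field
# and everything before it is compared with the requested nickname.
smime_flags_for() {   # $1 = certificate nickname
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            n = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", n)    # drop the trailing trust column
            if (n == nick) { print $NF; exit }
        }'
}

# 0 if the S/MIME (second) column contains C, the flag the Thunderbird checkbox sets.
smime_trust_ok() {    # $1 = trust attributes such as "CT,C,C"
    case "$(printf '%s' "$1" | cut -d, -f2)" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the check against a live profile. certutil ships with the NSS tools
# (package nss-tools / libnss3-tools); the profile path is an assumption.
thunderbird_ca_check() {  # $1 = Thunderbird profile directory, $2 = CA nickname
    flags=$(certutil -L -d "sql:$1" | smime_flags_for "$2")
    [ -n "$flags" ] || { echo "$2: not found in $1" >&2; return 1; }
    smime_trust_ok "$flags" ||
        { echo "$2: trust is '$flags'; not trusted to identify email users" >&2; return 1; }
    echo "$2: trust is '$flags'; OK for S/MIME"
}

# Stand-alone use: ./tb_ca_check.sh ~/.thunderbird/xxxx.default "DigiCert Grid CA-1"
if [ -n "${1:-}" ]; then
    thunderbird_ca_check "$1" "${2:-DigiCert Grid CA-1}"
fi
```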
