Requesting Personal Certificates

Latest revision as of 14:41, 3 September 2013

[edit] Obtaining and Using Personal Grid Certificates through OSG

Now that SURAgrid is a formally supported Virtual Organization within the Open Science Grid, we are able to offer our users the opportunity to obtain and use personal X.509 grid certificates directly if needed.

Note that if your institution is a member of InCommon AND is certified at the InCommon "Silver" member, you can also use the separate CILogon service to obtain a grid credential using your university's single-sign-on system, which might be easier than the process outlined below.

In either case, you will need to follow the instructions to register your grid certificate into the SURAgrid VOMS (virtual ORganization Membership Service) also, as outlined below.

You are STRONGLY encouraged to use Firefox for both Windows or Macintosh as your web browser.  In order to get your personal OSG certificate, you need to complete the following steps:

1. Point your web browser to the URL https://oim.grid.iu.edu/oim/certificaterequestuser.
   
2. Enter your contact information in the Contact Information field.
3. Enter your profile information in the Profile Information field.
4. Enter a password to be used for issuing your certificate and encrypting your private key. (IMPORTANT: If you forget this password, you will not be able to issue your certificate and import it your browser after it is approved.)
5. Select SURAGrid from the pick list in the Sponsor field.
   
6. Specify a person who can verify your identity by phone or in person. This person will call you at the phone number you provide in your contact information, so make sure you are providing accurate information. We are working to get a registration authority (RA) at each campus that is a member of SURAgrid. Please include the name of the person who can verify your identity from the list below. If you have questions please contact the SURAgrid list.
   1. James A. Lupo at LSU
   2. Alan Sill at TTU
   3. Alain Deximo at TTU
   4. Steve Johnson at TAMU
   5. Amy Wang at TTU
7. Check the "I AGREE" box.
8. Click on the Submit button.

After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center or GOC) asking them to validate your request. After your request is approved, you will receive an email which contains a link to your certificate and private key. You need to download the file that contains your user certificate and key from the link to your local computer.(IMPORTANT NOTE: You must use the SAME browser on the SAME computer that you used to request the certificate when you import the certificate and private key.)

[edit] Importing Certificates/Private Key pair to your Web Browser

[edit] Firefox for Windows

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

1. Click on the Tools option at the top of the browser.
2. Select Options from the list.
3. Click on the Advanced tab.
4. Click on the Encryption tab.
5. Click on the View Certificates button.
6. Click on the Your Certificates tab.
7. Click on the Import button.
8. Select the certificate from the directory where you saved it (the download location).
9. Click on the Open button.

Then you should see a message of "Successfully imported your security certificate and private key".

[edit] Other Web Browsers

To find the details for importing your user certificate to your web browser, please see the instructions through the following links.

1. Importing User Certificate on Firefox https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+Firefox
2. Importing User Certificate on IE https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+IE
3. Importing User Certificate on Chrome https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+Chrome
4. Importing User Certificate on Safari https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+on+Safari
5. Importing User Certificate for Command Line Use https://confluence.grid.iu.edu/display/CENTRAL/Importing+User+Certificate+for+Command+Line+Use

[edit] Exporting Your Certificates/Private Key pair for use by Globus

in order to use your OSG certificate and private key on grid resources or submit machines, copy your file_name.p12 file to the $HOME/.globus directory [if you don't have a .globus directory, create one: mkdir .globus] on that machine, change its name to usercred.p12 and set its permissions as follows:

mv $HOME/.globus/file_name.p12 $HOME/.globus/usercred.p12
chmod 400 $HOME/.globus/usercred.p12

User commands currently support both p12 and pem certificates. There is no need to convert your p12 certificate. However, if you also want to have the certificate in .pem format, then run the following commands. The first one extracts your public key, the second extracts your private key.  (NOTE: You will be prompted for your encryption password when executing these commands.)

openssl pkcs12 -in $HOME/.globus/file_name.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in $HOME/.globus/file_name.p12 -nocerts -out $HOME/.globus/userkey.pem

You must set the protections on your two new .pem files correctly, otherwise voms-proxy-init will not use them.

chmod go-rw ~/.globus/userkey.pem
chmod go-w ~/.globus/usercert.pem

[edit] Using your certificate for email communication

At times it may be necessary to send signed or encrypted emails to the OSG GOC or other members of the OSG. For example, you may want to confirm a colleages request for an OSG certificate which requires you digitally sign your email. Or, you may need to request support from the GOC and your email includes sensitive data. This requires you to encrypt your email to avoid intermediate parties from reading sensitive data.

The OSG Wiki has basic information on options for secure messaging. The basic steps include:

1. Importing the CA's from DigiCert into your mail client. You need theDigiCert Grid Root CA and DigiCert Grid CA-1
2. Importing your OSG issued personal certificate
3. Associating your certificate with your email account so it can be used to sign or encrypt and email
4. Choosing to sign or encrypt your message when it is sent

While setting up an email client to use S/MIME is generally not difficult you may run into non-obvious errors. This section is a collection of problems and potential solutions.

[edit] Thunderbird

Thunderbird users can follow Installing an S/MIME Certificate. Be sure to at a miminum select the checkbox to "Trust this certificate to identify email users" when you import the DigiCert CA's. This is very important to getting Thunderbird to send signed or encrypted messages. It tends to get glossed over in import instructions.

If you feel you have everything set up in Thunderbird but are still seeing a message like:

 Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings 
 for this mail account are valid and trusted

This very likely means you have not told Thunderbird to trust DigiCert Grid CA-1 to identify mail users. You can check your trusts in the Preferences->Advanced->View Certificates->Authorities and select DigiCert Grid CA-1 and then press "Edit Trust...". Make sure "Trust this certificate to identify email users" is selected.

After you have made this change, you should be able to send signed and encrypted mail using your OSG certificate.