Requesting Personal Certificates

From SURAgrid
(Difference between revisions)
(Remove SSL from cert request URL because it creates a dependency on requiring a client cert to load the page which the user doesn't have yet)
(Change font color for menu items from red to green to avoid color conflict with the "undefined web page" and easier visual consumption)
Line 4: Line 4:
  
 
#Point your web browser to the URL [http://software.grid.iu.edu/cert/certreg.php https://software.grid.iu.edu/cert/certreg.php].<br>  
 
#Point your web browser to the URL [http://software.grid.iu.edu/cert/certreg.php https://software.grid.iu.edu/cert/certreg.php].<br>  
#Click on the link titled "<font color="red"><u>Install ESnet Root CA in your browser</u></font>".<br>  
+
#Click on the link titled "<font color="green"><u>Install ESnet Root CA in your browser</u></font>".<br>  
#Click on the link titled "<font color="red"><u>Install DOEGrids CA in your browser</u></font>".  
+
#Click on the link titled "<font color="green"><u>Install DOEGrids CA in your browser</u></font>".  
#Enter your full name in the <font color="red">* Full Name:</font> field.  
+
#Enter your full name in the <font color="green">* Full Name:</font> field.  
#Enter your phone number in the <font color="red">* Your Phone Number:</font> field.  
+
#Enter your phone number in the <font color="green">* Your Phone Number:</font> field.  
#Select <font color="red">SURAGrid</font> from the pick list in the <font color="red">* Your Virtual Organization:</font> field.<br>In the '''Sponsor Information (Required)''' section, you must enter information for the sponsor who is your institution's recognized "Certificate Validator". This individual must either know you personally and can recognize your voice over the phone when validating your certificate request, or they must validate you visually (either in person or remotely through a web camera) by comparing your face to a legitimate picture ID. If you do not know your institution's Certificate Validator, please contact Linda Akli [mailto:akli@sura.org akli@sura.org]).  
+
#Select <font color="green">SURAGrid</font> from the pick list in the <font color="green">* Your Virtual Organization:</font> field.<br>In the '''Sponsor Information (Required)''' section, you must enter information for the sponsor who is your institution's recognized "Certificate Validator". This individual must either know you personally and can recognize your voice over the phone when validating your certificate request, or they must validate you visually (either in person or remotely through a web camera) by comparing your face to a legitimate picture ID. If you do not know your institution's Certificate Validator, please contact Linda Akli [mailto:akli@sura.org akli@sura.org]).  
#Select <font color="red">Enter Manually...</font> from the pick list in the <font color="red">* Select Sponsor from List:</font> field.  
+
#Select <font color="green">Enter Manually...</font> from the pick list in the <font color="green">* Select Sponsor from List:</font> field.  
#Enter the name of the sponsor in the <font color="red">* Name of Sponsor (P.I., Supervisor):</font> field.  
+
#Enter the name of the sponsor in the <font color="green">* Name of Sponsor (P.I., Supervisor):</font> field.  
#Enter the sponsor's email address in the <font color="red">* Sponsor's Email:</font> field.  
+
#Enter the sponsor's email address in the <font color="green">* Sponsor's Email:</font> field.  
#Enter the sponsor's phone number in the <font color="red">* Sponsor's Phone Number:</font> field.  
+
#Enter the sponsor's phone number in the <font color="green">* Sponsor's Phone Number:</font> field.  
#Make sure that the <font color="red">Key Length:</font> field is set to <font color="red">High Grade</font>.  
+
#Make sure that the <font color="green">Key Length:</font> field is set to <font color="green">High Grade</font>.  
#Click on the <font color="red">Submit</font> button.
+
#Click on the <font color="green">Submit</font> button.
  
 
After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center or GOC) asking them to validate your request. Once you have been validated, the sponsor will reply to the email indicating that you are authorized to receive a minted OSG certificate. ('''IMPORTANT NOTE FOR SPONSORS:''' All sponsors must digitally sign the email response to the OSG GOC message using his or her OSG certificate.)  
 
After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center or GOC) asking them to validate your request. Once you have been validated, the sponsor will reply to the email indicating that you are authorized to receive a minted OSG certificate. ('''IMPORTANT NOTE FOR SPONSORS:''' All sponsors must digitally sign the email response to the OSG GOC message using his or her OSG certificate.)  
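Review bot: The link in the first step is written as [http://software.grid.iu.edu/cert/certreg.php https://software.grid.iu.edu/cert/certreg.php], so the reader sees an https:// address but is sent to the http:// one. The next two steps install root CAs from that page, so the visible text should show the scheme that is actually used; make the label match the target. In the "Certificate Validator" step, the closing parenthesis after akli@sura.org has no opening one.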
Line 26: Line 26:
 
It is recommended that you export your OSG certificate and private key as a PKCS#12 file.&nbsp; To export these items, follow the steps below:<br>  
 
It is recommended that you export your OSG certificate and private key as a PKCS#12 file.&nbsp; To export these items, follow the steps below:<br>  
  
#Click on the '''<font color="red"><u>T</u>ools</font>''' option at the top of the browser.  
+
#Click on the '''<font color="green"><u>T</u>ools</font>''' option at the top of the browser.  
#Select '''<font color="red"><u>O</u>ptions</font>''' from the list.  
+
#Select '''<font color="green"><u>O</u>ptions</font>''' from the list.  
#Click on the '''<font color="red">Advanced</font>''' tab.  
+
#Click on the '''<font color="green">Advanced</font>''' tab.  
#Click on the '''<font color="red">Encryption</font>''' tab.  
+
#Click on the '''<font color="green">Encryption</font>''' tab.  
#Click on the '''<font color="red">View Certificate<u>s</u></font>''' button.  
+
#Click on the '''<font color="green">View Certificate<u>s</u></font>''' button.  
#Click on the '''<font color="red">Your Certificates</font>''' tab.  
+
#Click on the '''<font color="green">Your Certificates</font>''' tab.  
 
#Click on the row with your name on it.  
 
#Click on the row with your name on it.  
#Click the '''<font color="red">Backup</font>''' button.  
+
#Click the '''<font color="green">Backup</font>''' button.  
#Select the directory or folder to save the file in the '''''<font color="red">Save in:</font>''''' field.  
+
#Select the directory or folder to save the file in the '''''<font color="green">Save in:</font>''''' field.  
#Enter a file name ('''<font color="red">file_name</font>''') in the '''''<font color="red"></font>'''<font color="red">File name''':'''</font>''field'''.'''  
+
#Enter a file name ('''<font color="green">file_name</font>''') in the '''''<font color="green"></font>'''<font color="green">File name''':'''</font>''field'''.'''  
#Make sure the '''''<font color="red">Save as type:</font>'''''<font color="red">'''PKCS12 Files'''</font> option is selected.  
+
#Make sure the '''''<font color="green">Save as type:</font>'''''<font color="green">'''PKCS12 Files'''</font> option is selected.  
#Click the '''<font color="red">Save</font>''' button.  
+
#Click the '''<font color="green">Save</font>''' button.  
#You will be prompted to enter a password twice (in the '''''<font color="red">Certificate backup password:</font>''''' and '''''<font color="red">Certificate backup password (again):</font>''''' fields.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp; There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. ('''IMPORTANT NOTE:''' Please save this password in a safe location!!! This encryption password will be required to import your OSG certificate and private key.)  
+
#You will be prompted to enter a password twice (in the '''''<font color="green">Certificate backup password:</font>''''' and '''''<font color="green">Certificate backup password (again):</font>''''' fields.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp; There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. ('''IMPORTANT NOTE:''' Please save this password in a safe location!!! This encryption password will be requigreen to import your OSG certificate and private key.)  
#Click the '''<font color="red">OK</font>''' button.
+
#Click the '''<font color="green">OK</font>''' button.
  
The file will be saved as '''<font color="red">file_name.p12</font>'''.  
+
The file will be saved as '''<font color="green">file_name.p12</font>'''.  
  
 
==== Firefox for Macintosh  ====
 
==== Firefox for Macintosh  ====
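Review bot: The red-to-green replacement also hit ordinary prose in the password step, where the new line ends "This encryption password will be requigreen to import your OSG certificate and private key" and the old line read "required". Limit the substitution to the color="red" attribute values and restore "required".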
Line 47: Line 47:
 
It is recommended that you export your OSG certificate and private key as a PKCS#12 file.&nbsp; To export these items, follow the steps below:<br>  
 
It is recommended that you export your OSG certificate and private key as a PKCS#12 file.&nbsp; To export these items, follow the steps below:<br>  
  
#Click on the '''<font color="red">Firefox</font>''' option at the top-left-hand side of the browser.  
+
#Click on the '''<font color="green">Firefox</font>''' option at the top-left-hand side of the browser.  
#Select '''<font color="red">Preferences...</font>''' from the list.  
+
#Select '''<font color="green">Preferences...</font>''' from the list.  
#Click on the '''<font color="red">Advanced</font>''' tab.  
+
#Click on the '''<font color="green">Advanced</font>''' tab.  
#Click on the '''<font color="red">Encryption</font>''' tab.  
+
#Click on the '''<font color="green">Encryption</font>''' tab.  
#Click on the '''<font color="red">View Certificates</font>''' button.  
+
#Click on the '''<font color="green">View Certificates</font>''' button.  
#Click on the '''<font color="red">Your Certificates</font>''' tab.  
+
#Click on the '''<font color="green">Your Certificates</font>''' tab.  
 
#Click on the row with your name on it.  
 
#Click on the row with your name on it.  
#Click the '''<font color="red">Backup...</font>''' button.  
+
#Click the '''<font color="green">Backup...</font>''' button.  
#Select the directory or folder to save the file in the '''''<font color="red">Where:</font>''''' field.  
+
#Select the directory or folder to save the file in the '''''<font color="green">Where:</font>''''' field.  
#Enter a file name ('''<font color="red">file_name</font>''') in the '''''<font color="red"></font>'''<font color="red">Save as''':'''</font>''field'''.'''  
+
#Enter a file name ('''<font color="green">file_name</font>''') in the '''''<font color="green"></font>'''<font color="green">Save as''':'''</font>''field'''.'''  
#Make sure the '''''<font color="red">Format:</font>''''' <font color="red">'''PKCS12 Files'''</font> option is selected.  
+
#Make sure the '''''<font color="green">Format:</font>''''' <font color="green">'''PKCS12 Files'''</font> option is selected.  
#Click the '''<font color="red">Save</font>''' button.  
+
#Click the '''<font color="green">Save</font>''' button.  
#You will be prompted to enter a password twice (in the '''''<font color="red">Certificate backup password:</font>''''' and '''''<font color="red">Certificate backup password (again):</font>''''' fields.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp; There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. ('''IMPORTANT NOTE:''' Please save this password in a safe location!!! This encryption password will be required to import your OSG certificate and private key.)  
+
#You will be prompted to enter a password twice (in the '''''<font color="green">Certificate backup password:</font>''''' and '''''<font color="green">Certificate backup password (again):</font>''''' fields.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp; There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. ('''IMPORTANT NOTE:''' Please save this password in a safe location!!! This encryption password will be requigreen to import your OSG certificate and private key.)  
#Click the '''<font color="red">OK</font>''' button.
+
#Click the '''<font color="green">OK</font>''' button.
  
The file will be saved as '''<font color="red">file_name.p12</font>'''.  
+
The file will be saved as '''<font color="green">file_name.p12</font>'''.  
  
 
==== Firefox for Linux  ====
 
==== Firefox for Linux  ====
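Review bot: The password step in this hunk has the same replacement damage as the Windows one: "required" became "requigreen" on the new line. While touching the file-name step, note that its quote markup wraps an empty <font color="green"></font> element and leaves no space before "field", so it renders as "Save as:field"; put the label inside a single bold element and add the space.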
Line 68: Line 68:
 
It is recommended that you export your OSG certificate and private key as a PKCS#12 file.&nbsp; To export these items, follow the steps below:<br>  
 
It is recommended that you export your OSG certificate and private key as a PKCS#12 file.&nbsp; To export these items, follow the steps below:<br>  
  
#Click on the '''<font color="red"><u>E</u>dit</font>''' option at the top-left-hand side of the browser.  
+
#Click on the '''<font color="green"><u>E</u>dit</font>''' option at the top-left-hand side of the browser.  
#Select '''<font color="red">Prefere<u>n</u>ces</font>''' from the list.  
+
#Select '''<font color="green">Prefere<u>n</u>ces</font>''' from the list.  
#Click on the '''<font color="red">Advanced</font>''' tab.  
+
#Click on the '''<font color="green">Advanced</font>''' tab.  
#Click on the '''<font color="red">Encryption</font>''' tab.  
+
#Click on the '''<font color="green">Encryption</font>''' tab.  
#Click on the '''<font color="red">View Certificates</font>''' button.  
+
#Click on the '''<font color="green">View Certificates</font>''' button.  
#Click on the '''<font color="red">Your Certificates</font>''' tab.  
+
#Click on the '''<font color="green">Your Certificates</font>''' tab.  
 
#Click on the row with your name on it.  
 
#Click on the row with your name on it.  
#Click the '''<font color="red">Backup</font>''' button.  
+
#Click the '''<font color="green">Backup</font>''' button.  
#Select the directory or folder to save the file in the '''''<font color="red">Save in <u>f</u>older:</font>''''' field.  
+
#Select the directory or folder to save the file in the '''''<font color="green">Save in <u>f</u>older:</font>''''' field.  
#Enter a file name ('''<font color="red">file_name.p12</font>''') in the '''''<font color="red"></font>'''<font color="red"><u>N</u>ame''':'''</font>''field'''.'''  
+
#Enter a file name ('''<font color="green">file_name.p12</font>''') in the '''''<font color="green"></font>'''<font color="green"><u>N</u>ame''':'''</font>''field'''.'''  
#Click the '''<font color="red">Save</font>''' button.  
+
#Click the '''<font color="green">Save</font>''' button.  
#You will be prompted to enter a password in the '''''<font color="red">Please enter the master password for the Software Security Device.</font>''''' field.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp;  
+
#You will be prompted to enter a password in the '''''<font color="green">Please enter the master password for the Software Security Device.</font>''''' field.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp;  
#Click the '''<font color="red">OK</font>''' button.  
+
#Click the '''<font color="green">OK</font>''' button.  
#You will be prompted to enter a password twice (in the '''''<font color="red">Certificate backup password:</font>''''' and '''''<font color="red">Certificate backup password (again):</font>''''' fields.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp; There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. ('''IMPORTANT NOTE:''' Please save this password in a safe location!!! This encryption password will be required to import your OSG certificate and private key.)  
+
#You will be prompted to enter a password twice (in the '''''<font color="green">Certificate backup password:</font>''''' and '''''<font color="green">Certificate backup password (again):</font>''''' fields.&nbsp; Be sure to use upper- and lowercase characters, special characters and numbers.&nbsp; There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. ('''IMPORTANT NOTE:''' Please save this password in a safe location!!! This encryption password will be requigreen to import your OSG certificate and private key.)  
#Click the '''<font color="red">OK</font>''' button.
+
#Click the '''<font color="green">OK</font>''' button.
  
The file will be saved as '''<font color="red">file_name.p12</font>'''.  
+
The file will be saved as '''<font color="green">file_name.p12</font>'''.  
  
 
=== Importing Certificates/Private Keys  ===
 
=== Importing Certificates/Private Keys  ===
  
 
in order to use your OSG certificate and private key on grid resources or submit machines, copy your '''file_name.p12''' file to the '''''$HOME/.globus''''' directory [if you don't have a .globus directory, create one: mkdir .globus] on that machine and change its permission as follows: <br> <br> <tt></tt>  
 
in order to use your OSG certificate and private key on grid resources or submit machines, copy your '''file_name.p12''' file to the '''''$HOME/.globus''''' directory [if you don't have a .globus directory, create one: mkdir .globus] on that machine and change its permission as follows: <br> <br> <tt></tt>  
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
  
 
<tt></tt>  
 
<tt></tt>  
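Review bot: The end of this hunk adds nine empty <tt></tt> pairs after the "change its permission as follows:" sentence, which renders nothing and is unrelated to the color change described in the edit summary; drop them from the change. The password step here also turns "required" into "requigreen" and needs the same fix as in the other two browser sections.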
Line 105: Line 123:
 
  chmod 400 $HOME/.globus/file_name.p12
 
  chmod 400 $HOME/.globus/file_name.p12
 
</tt>
 
</tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
  
 
<tt></tt>  
 
<tt></tt>  
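Review bot: The </tt> after the chmod 400 line has no opening tag in view, while nine more empty <tt></tt> pairs are added below it. Wrap the command itself in one <tt>...</tt> element (or a preformatted block) and remove the empty pairs, so the permission command the reader has to type is the thing that is set in monospace.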
Line 119: Line 155:
  
 
<tt></tt> <br> User commands currently support both '''''p12''''' and '''''pem''''' certificates. There is no need to convert your p12 certificate. However, if you also want to have the certificate in .pem format, then run the following commands. The first one extracts your public key, the second extracts your private key.&nbsp; ('''NOTE:''' You will be prompted for your encryption password when executing these commands.)<br> <br> <tt></tt>  
 
<tt></tt> <br> User commands currently support both '''''p12''''' and '''''pem''''' certificates. There is no need to convert your p12 certificate. However, if you also want to have the certificate in .pem format, then run the following commands. The first one extracts your public key, the second extracts your private key.&nbsp; ('''NOTE:''' You will be prompted for your encryption password when executing these commands.)<br> <br> <tt></tt>  
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
  
 
<tt></tt>  
 
<tt></tt>  
Line 136: Line 190:
 
  openssl pkcs12 -in $HOME/.globus/file_name.p12 -nocerts -out $HOME/.globus/userkey.pem
 
  openssl pkcs12 -in $HOME/.globus/file_name.p12 -nocerts -out $HOME/.globus/userkey.pem
 
</tt>
 
</tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
  
 
<tt></tt>  
 
<tt></tt>  
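Review bot: Missing documentation around the "-nocerts -out $HOME/.globus/userkey.pem" command: the private-key file is created with whatever umask the shell has, and the page only tightens it in the later chmod step. Suggest telling the reader to run umask 077 before the openssl commands so the key file is owner-only from the moment it is written. The nine empty <tt></tt> pairs added after the command should be dropped here as well.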
Line 150: Line 222:
  
 
<tt></tt> <br> You must set the protections on your two new '''''.pem''''' files correctly, otherwise '''''grid-proxy-init'''<u></u>'' will not use them.<br> <br> <tt></tt>  
 
<tt></tt> <br> You must set the protections on your two new '''''.pem''''' files correctly, otherwise '''''grid-proxy-init'''<u></u>'' will not use them.<br> <br> <tt></tt>  
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
  
 
<tt></tt>  
 
<tt></tt>  
Line 167: Line 257:
 
  chmod go-w ~/.globus/usercert.pem
 
  chmod go-w ~/.globus/usercert.pem
 
</tt>
 
</tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
 +
 +
<tt></tt>
  
 
<tt></tt>  
 
<tt></tt>  
Line 180: Line 288:
 
<tt></tt>  
 
<tt></tt>  
  
<tt></tt>
+
<tt></tt>  
  
 
== Process for Certificate Validation  ==
 
== Process for Certificate Validation  ==

Revision as of 10:40, 25 April 2012


Personal OSG Certificates

You are STRONGLY encouraged to use Firefox for either Windows or Macintosh as your web browser.  To get your personal OSG certificate, complete the following steps:

  1. Point your web browser to the URL https://software.grid.iu.edu/cert/certreg.php.
  2. Click on the link titled "Install ESnet Root CA in your browser".
  3. Click on the link titled "Install DOEGrids CA in your browser".
  4. Enter your full name in the * Full Name: field.
  5. Enter your phone number in the * Your Phone Number: field.
  6. Select SURAGrid from the pick list in the * Your Virtual Organization: field.
    In the Sponsor Information (Required) section, you must enter information for the sponsor who is your institution's recognized "Certificate Validator". This individual must either know you personally and be able to recognize your voice over the phone when validating your certificate request, or validate you visually (either in person or remotely through a web camera) by comparing your face to a legitimate picture ID. If you do not know your institution's Certificate Validator, please contact Linda Akli (akli@sura.org).
  7. Select Enter Manually... from the pick list in the * Select Sponsor from List: field.
  8. Enter the name of the sponsor in the * Name of Sponsor (P.I., Supervisor): field.
  9. Enter the sponsor's email address in the * Sponsor's Email: field.
  10. Enter the sponsor's phone number in the * Sponsor's Phone Number: field.
  11. Make sure that the Key Length: field is set to High Grade.
  12. Click on the Submit button.

After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center or GOC) asking them to validate your request. Once you have been validated, the sponsor will reply to the email indicating that you are authorized to receive a minted OSG certificate. (IMPORTANT NOTE FOR SPONSORS: All sponsors must digitally sign the email response to the OSG GOC message using his or her OSG certificate.)

When the OSG GOC has received the digitally signed email from the sponsor, they will email you a link to import your certificate and private key into your browser. (IMPORTANT NOTE: You must use the SAME browser on the SAME computer that you used to request the certificate when you import the certificate and private key.)

Exporting Certificates/Private Keys

Firefox for Windows

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

  1. Click on the Tools option at the top of the browser.
  2. Select Options from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the row with your name on it.
  8. Click the Backup button.
  9. Select the directory or folder to save the file in the Save in: field.
  10. Enter a file name (file_name) in the File name: field.
  11. Make sure the Save as type: PKCS12 Files option is selected.
  12. Click the Save button.
  13. You will be prompted to enter a password twice (in the Certificate backup password: and Certificate backup password (again): fields).  Be sure to use upper- and lowercase characters, special characters and numbers.  There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. (IMPORTANT NOTE: Please save this password in a safe location!!! This encryption password will be required to import your OSG certificate and private key.)
  14. Click the OK button.

The file will be saved as file_name.p12.

Firefox for Macintosh

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

  1. Click on the Firefox option at the top-left-hand side of the browser.
  2. Select Preferences... from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the row with your name on it.
  8. Click the Backup... button.
  9. Select the directory or folder to save the file in the Where: field.
  10. Enter a file name (file_name) in the Save as: field.
  11. Make sure the Format: PKCS12 Files option is selected.
  12. Click the Save button.
  13. You will be prompted to enter a password twice (in the Certificate backup password: and Certificate backup password (again): fields).  Be sure to use upper- and lowercase characters, special characters and numbers.  There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. (IMPORTANT NOTE: Please save this password in a safe location!!! This encryption password will be required to import your OSG certificate and private key.)
  14. Click the OK button.

The file will be saved as file_name.p12.

Firefox for Linux

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

  1. Click on the Edit option at the top-left-hand side of the browser.
  2. Select Preferences from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the row with your name on it.
  8. Click the Backup button.
  9. Select the directory or folder to save the file in the Save in folder: field.
  10. Enter a file name (file_name.p12) in the Name: field.
  11. Click the Save button.
  12. You will be prompted to enter a password in the Please enter the master password for the Software Security Device. field.  Be sure to use upper- and lowercase characters, special characters and numbers. 
  13. Click the OK button.
  14. You will be prompted to enter a password twice (in the Certificate backup password: and Certificate backup password (again): fields).  Be sure to use upper- and lowercase characters, special characters and numbers.  There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. (IMPORTANT NOTE: Please save this password in a safe location!!! This encryption password will be required to import your OSG certificate and private key.)
  15. Click the OK button.

The file will be saved as file_name.p12.

Importing Certificates/Private Keys

In order to use your OSG certificate and private key on grid resources or submit machines, copy your file_name.p12 file to the $HOME/.globus directory [if you don't have a .globus directory, create one: mkdir .globus] on that machine and change its permissions as follows:

chmod 400 $HOME/.globus/file_name.p12




User commands currently support both p12 and pem certificates. There is no need to convert your p12 certificate. However, if you also want to have the certificate in .pem format, then run the following commands. The first one extracts your public key, the second extracts your private key.  (NOTE: You will be prompted for your encryption password when executing these commands.)

openssl pkcs12 -in $HOME/.globus/file_name.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in $HOME/.globus/file_name.p12 -nocerts -out $HOME/.globus/userkey.pem




You must set the protections on your two new .pem files correctly, otherwise grid-proxy-init will not use them.

chmod go-rw ~/.globus/userkey.pem
chmod go-w ~/.globus/usercert.pem
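
An added example, not part of the original SURAgrid page: a POSIX shell helper that runs the two openssl commands above under umask 077, so userkey.pem is never created group- or world-readable, plus an audit function that reports which files in the .globus directory are more open than the chmod commands on this page leave them. The function names and the mapping of each chmod to a permission mask are assumptions made here; grid-proxy-init's own checks may be stricter.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of Globus or OSG tooling.

# Print the octal permission bits of FILE (following symlinks), e.g. 600.
mode_of() {
    # GNU stat first, BSD/macOS stat as fallback
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# check_mode FILE MASK: succeed only if none of the octal MASK bits are set.
check_mode() {
    file=$1
    mask=$2
    mode=$(mode_of "$file") || { echo "UNREADABLE $file"; return 2; }
    if [ $(( 0$mode & 0$mask )) -eq 0 ]; then
        echo "OK        $mode $file"
    else
        echo "TOO OPEN  $mode $file (must not have any of $mask)"
        return 1
    fi
}

# audit_globus [DIR]: check every credential file present in DIR.
# Masks assumed from the page's commands:
#   chmod 400   *.p12         -> no group/other bits at all  (077)
#   chmod go-rw userkey.pem   -> no group/other read/write   (066)
#   chmod go-w  usercert.pem  -> no group/other write        (022)
audit_globus() {
    dir=${1:-$HOME/.globus}
    rc=0
    for f in "$dir"/*.p12; do
        [ -e "$f" ] || continue          # glob matched nothing
        check_mode "$f" 077 || rc=1
    done
    for spec in userkey.pem:066 usercert.pem:022; do
        f=$dir/${spec%%:*}
        [ -e "$f" ] || continue
        check_mode "$f" "${spec##*:}" || rc=1
    done
    return "$rc"
}

# p12_to_pem P12FILE [DIR]: the page's two openssl commands, run in a subshell
# with umask 077 so both output files are created owner-only, followed by the
# page's chmod commands. openssl prompts for the encryption password.
p12_to_pem() {
    p12=$1
    dir=${2:-$HOME/.globus}
    (
        umask 077
        openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$dir/usercert.pem" &&
        openssl pkcs12 -in "$p12" -nocerts -out "$dir/userkey.pem"
    ) || return 1
    chmod go-rw "$dir/userkey.pem" && chmod go-w "$dir/usercert.pem"
}

# Usage (interactive):
#   p12_to_pem "$HOME/.globus/file_name.p12" && audit_globus
```

audit_globus returns non-zero if any file it finds is too open, so it can be run before grid-proxy-init to see which file needs its mode fixed.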



Process for Certificate Validation

Each SURAgrid institution must identify at least one individual who can validate OSG certificate requests for people from their institution.  These certificate validators (or sponsors) must either be able to recognize the requestor by voice or must have the requestor assert who they are through face-to-face identification.  They must also have their OSG private key imported into their email client to digitally sign email messages.  (NOTE: The procedure for importing the private key is dependent on the email client and is out of scope of this documentation.)  The process for certificate validation is as follows:

  1. After a user has requested a certificate (providing the certificate sponsor's name, email address, and phone number during the process), the OSG Grid Operations Center (GOC) will send a signed email to the sponsor asking them to validate the certificate request.
  2. The sponsor will establish the identity of the requestor, either through voice recognition or in a face-to-face setting, and ask if that individual requested the OSG certificate.
  3. Assuming the answer is 'yes', the sponsor will reply to the OSG GOC email indicating that the request for an OSG certificate is valid.  The sponsor MUST sign the email using their OSG private key.  Otherwise, the OSG GOC will not consider the validating email to be legitimate.
  4. The requestor will receive an email from the OSG GOC indicating that their certificate has been created.  The email will contain a Web link to retrieve the OSG certificate and private key, which should be pasted into the location field of either a Firefox for Windows or Safari for Macintosh Web browser.