Requesting Personal Certificates

From SURAgrid
Revision as of 17:07, 8 February 2013 by Asill@ttu.edu (Talk | contribs)

Jump to: navigation, search

Contents

Obtaining and Using Personal Grid Certificates through OSG

Now that SURAgrid is a formally supported Virtual Organization within the Open Science Grid, we are able to offer our users the opportunity to obtain and use personal X.509 grid certificates directly if needed.

Note that if your institution is a member of InCommon AND is certified at the InCommon "Silver" member, you can also use the separate CILogon service to obtain a grid credential using your university's single-sign-on system, which might be easier than the process outlined below.

In either case, you will need to follow the instructions to register your grid certificate into the SURAgrid VOMS (virtual ORganization Membership Service) also, as outlined below.

You are STRONGLY encouraged to use Firefox for both Windows or Macintosh as your web browser.  In order to get your personal OSG certificate, you need to complete the following steps:

  1. Point your web browser to the URL https://software.grid.iu.edu/cert/certreg.php.
  2. Click on the link titled "Install ESnet Root CA in your browser".
  3. Click on the link titled "Install DOEGrids CA in your browser".
  4. Enter your full name in the * Full Name: field.
  5. Enter your phone number in the * Your Phone Number: field.
  6. Select SURAGrid from the pick list in the * Your Virtual Organization: field.
    In the Sponsor Information (Required) section, you must enter information for the sponsor who is your institution's recognized "Certificate Validator". This individual must either know you personally and can recognize your voice over the phone when validating your certificate request, or they must validate you visually (either in person or remotely through a web camera) by comparing your face to a legitimate picture ID. If you do not know your institution's Certificate Validator, please contact Linda Akli akli@sura.org).
  7. Select Enter Manually... from the pick list in the * Select Sponsor from List: field.
  8. Enter the name of the sponsor in the * Name of Sponsor (P.I., Supervisor): field.
  9. Enter the sponsor's email address in the * Sponsor's Email: field.
  10. Enter the sponsor's phone number in the * Sponsor's Phone Number: field.
  11. Make sure that the Key Length: field is set to High Grade.
  12. Click on the Submit button.

After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center or GOC) asking them to validate your request. Once you have been validated, the sponsor will reply to the email indicating that you are authorized to receive a minted OSG certificate. (IMPORTANT NOTE FOR SPONSORS: All sponsors must digitally sign the email response to the OSG GOC message using his or her OSG certificate.)

When the OSG GOC has received the digially signed email from the sponsor, they will email you a link to import your certificate and private key into your browser. (IMPORTANT NOTE: You must use the SAME browser on the SAME computer that you used to request the certificate when you import the certificate and private key.)

Exporting Certificates/Private Keys

Firefox for Windows

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

  1. Click on the Tools option at the top of the browser.
  2. Select Options from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the row with your name on it.
  8. Click the Backup button.
  9. Select the directory or folder to save the file in the Save in: field.
  10. Enter a file name (file_name) in the File name:field.
  11. Make sure the Save as type:PKCS12 Files option is selected.
  12. Click the Save button.
  13. You will be prompted to enter a password twice (in the Certificate backup password: and Certificate backup password (again): fields.  Be sure to use upper- and lowercase characters, special characters and numbers.  There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. (IMPORTANT NOTE: Please save this password in a safe location!!! This encryption password will be requigreen to import your OSG certificate and private key.)
  14. Click the OK button.

The file will be saved as file_name.p12.

Firefox for Macintosh

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

  1. Click on the Firefox option at the top-left-hand side of the browser.
  2. Select Preferences... from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the row with your name on it.
  8. Click the Backup... button.
  9. Select the directory or folder to save the file in the Where: field.
  10. Enter a file name (file_name) in the Save as:field.
  11. Make sure the Format: PKCS12 Files option is selected.
  12. Click the Save button.
  13. You will be prompted to enter a password twice (in the Certificate backup password: and Certificate backup password (again): fields.  Be sure to use upper- and lowercase characters, special characters and numbers.  There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. (IMPORTANT NOTE: Please save this password in a safe location!!! This encryption password will be requigreen to import your OSG certificate and private key.)
  14. Click the OK button.

The file will be saved as file_name.p12.

Firefox for Linux

It is recommended that you export your OSG certificate and private key as a PKCS#12 file.  To export these items, follow the steps below:

  1. Click on the Edit option at the top-left-hand side of the browser.
  2. Select Preferences from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the row with your name on it.
  8. Click the Backup button.
  9. Select the directory or folder to save the file in the Save in folder: field.
  10. Enter a file name (file_name.p12) in the Name:field.
  11. Click the Save button.
  12. You will be prompted to enter a password in the Please enter the master password for the Software Security Device. field.  Be sure to use upper- and lowercase characters, special characters and numbers. 
  13. Click the OK button.
  14. You will be prompted to enter a password twice (in the Certificate backup password: and Certificate backup password (again): fields.  Be sure to use upper- and lowercase characters, special characters and numbers.  There will also be an indicator of the password quality. You will not be able to save the file until the password quality meter is pegged. (IMPORTANT NOTE: Please save this password in a safe location!!! This encryption password will be requigreen to import your OSG certificate and private key.)
  15. Click the OK button.

The file will be saved as file_name.p12.

Importing Certificates/Private Keys

in order to use your OSG certificate and private key on grid resources or submit machines, copy your file_name.p12 file to the $HOME/.globus directory [if you don't have a .globus directory, create one: mkdir .globus] on that machine, change its name to usercred.p12 and set its permissions as follows:

mv $HOME/.globus/file_name.p12 $HOME/.globus/usercred.p12
chmod 400 $HOME/.globus/usercred.p12




User commands currently support both p12 and pem certificates. There is no need to convert your p12 certificate. However, if you also want to have the certificate in .pem format, then run the following commands. The first one extracts your public key, the second extracts your private key.  (NOTE: You will be prompted for your encryption password when executing these commands.)

openssl pkcs12 -in $HOME/.globus/file_name.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in $HOME/.globus/file_name.p12 -nocerts -out $HOME/.globus/userkey.pem




You must set the protections on your two new .pem files correctly, otherwise voms-proxy-init will not use them.

chmod go-rw ~/.globus/userkey.pem
chmod go-w ~/.globus/usercert.pem



Process for Certificate Validation

Each SURAgrid institution must identify at least one individual who can vaildate OSG certificate requests for people from their institution.  These certificate validators (or sponsors) must either be able to recognize the requestor by voice or must have the requestor assert who they are though face-to-face identification.  They must also have their OSG private key imported into their email client to digitally sign email messages.  (NOTE: The procedure for importing the private key is dependent on the email client and is out of scope of this documentation.)  The process for certificate validation is as follows:

  1. After a user has requested a certificate (providing the certificate sponsor's name, email address, and phone number during the process), the OSG Grid Operations Center (GOC) will send a signed email to the sponsor asking them to validate the certificate request.
  2. The sponsor will establish the identity of the requestor, either through voice recognition or in a face-to-face setting, and ask if that individual requested the OSG certificate.
  3. Assuming the answer is 'yes', the sponsor will reply to the OSG GOC email indicating that the request for an OSG certificate is valid.  The sponsor MUST sign the email using their OSG private key.  Otherwise, the OSG GOC will not consider the validating email to be legitimate.
  4. The requestor will receive an email from the OSG GOC indicating that their certificate has been created.  The email will contain a Web link to retrieve the OSG certificate and private key, which should be pasted into the location field of either a Firefox for Windows or Safari for Macintosh Web browser.
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox