Requesting Personal Certificates

From SURAgrid
Revision as of 15:39, 27 August 2013


Obtaining and Using Personal Grid Certificates through OSG

Now that SURAgrid is a formally supported Virtual Organization within the Open Science Grid, we are able to offer our users the opportunity to obtain and use personal X.509 grid certificates directly if needed.

Note that if your institution is a member of InCommon AND is certified at the InCommon "Silver" level, you can also use the separate CILogon service to obtain a grid credential using your university's single-sign-on system, which might be easier than the process outlined below.

In either case, you will also need to follow the instructions to register your grid certificate into the SURAgrid VOMS (Virtual Organization Membership Service), as outlined below.

You are STRONGLY encouraged to use Firefox on either Windows or Macintosh as your web browser. In order to get your personal OSG certificate, you need to complete the following steps:

  1. Point your web browser to the URL
  2. Enter your contact information in the Contact Information field.
  3. Enter your profile information in the Profile Information field.
  4. Enter a password to be used for issuing your certificate and encrypting your private key. (IMPORTANT: If you forget this password, you will not be able to issue your certificate and import it into your browser after it is approved.)
  5. Select SURAGrid from the pick list in the Sponsor field.
  6. Specify a person who can verify your identity by phone or in person. We are working to get a registration authority (RA) at each campus that is a member of SURAgrid. If you have questions, please contact the SURAgrid list. Please include the name of the person who can verify your identity from the list below:
    1. James A. Lupo at LSU
    2. Alan Sill at TTU
    3. Alain Deximo at TTU
    4. Steve Johnson at TAMU
    5. Amy Wang at TTU
  7. Check the "I AGREE" box.
  8. Click on the Submit button.

After you have submitted your request for an OSG certificate, your sponsor will receive an email from the OSG Certificate Registration Authority (run by the OSG Grid Operations Center, or GOC) asking them to validate your request. After your request is approved, you will receive an email which contains a link to your certificate and private key. You need to download the file that contains your user certificate and key from the link to your local computer. (IMPORTANT NOTE: You must use the SAME browser on the SAME computer that you used to request the certificate when you import the certificate and private key.)

Importing Certificates/Private Key pair to your Web Browser

Firefox for Windows

It is recommended that you export your OSG certificate and private key as a PKCS#12 file. To import that file into Firefox, follow the steps below:

  1. Click on the Tools option at the top of the browser.
  2. Select Options from the list.
  3. Click on the Advanced tab.
  4. Click on the Encryption tab.
  5. Click on the View Certificates button.
  6. Click on the Your Certificates tab.
  7. Click on the Import button.
  8. Select the certificate from the directory where you saved it (the download location).
  9. Click on the Open button.

You should then see the message "Successfully imported your security certificate and private key".

Other Web Browsers

To find the details for importing your user certificate to your web browser, please see the instructions through the following links.

  1. Importing User Certificate on Firefox
  2. Importing User Certificate on IE
  3. Importing User Certificate on Chrome
  4. Importing User Certificate on Safari
  5. Importing User Certificate for Command Line Use

Exporting Your Certificates/Private Key pair for use by Globus

In order to use your OSG certificate and private key on grid resources or submit machines, copy your file_name.p12 file to the $HOME/.globus directory on that machine (if you don't have a .globus directory, create one: mkdir .globus), rename it to usercred.p12, and set its permissions as follows:

mv $HOME/.globus/file_name.p12 $HOME/.globus/usercred.p12
chmod 400 $HOME/.globus/usercred.p12

User commands currently support both p12 and pem certificates. There is no need to convert your p12 certificate. However, if you also want to have the certificate in .pem format, run the following commands. The first extracts your certificate (which contains your public key); the second extracts your private key. (NOTE: You will be prompted for your encryption password when executing these commands.)

openssl pkcs12 -in $HOME/.globus/usercred.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in $HOME/.globus/usercred.p12 -nocerts -out $HOME/.globus/userkey.pem

You must set the permissions on your two new .pem files correctly; otherwise voms-proxy-init will not use them.

chmod go-rw ~/.globus/userkey.pem
chmod go-w ~/.globus/usercert.pem
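
To confirm the result before running voms-proxy-init, the following audit script is an added example and not part of the original page. The function names are hypothetical, and the octal masks are this example's reading of the chmod commands above, not a statement of voms-proxy-init's own checks.

```shell
#!/bin/sh
# Added example (not from the original page): audit permissions on the
# credential files in a .globus directory. The masks mirror the chmod
# commands on the page and are an assumption of this example.

# file_mode FILE: print permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# too_open FILE MASK: succeed if FILE has any permission bit in octal MASK.
too_open() {
    mode=$(file_mode "$1") || return 0   # fail closed if mode is unreadable
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# audit_globus_dir DIR: report each credential file; return the number
# of files whose permissions are looser than the page's chmod commands.
audit_globus_dir() {
    bad=0
    # name:mask pairs. 077 = any group/other access, 066 = group/other
    # read or write, 022 = group/other write.
    for entry in usercred.p12:077 userkey.pem:066 usercert.pem:022; do
        f="$1/${entry%%:*}"
        mask="${entry##*:}"
        [ -e "$f" ] || continue          # p12 and pem are both optional
        if too_open "$f" "$mask"; then
            echo "BAD  $f (mode $(file_mode "$f"), bits in $mask must be clear)"
            bad=$((bad + 1))
        else
            echo "OK   $f (mode $(file_mode "$f"))"
        fi
    done
    return "$bad"
}

# Audit the real directory only when it exists.
if [ -d "$HOME/.globus" ]; then
    audit_globus_dir "$HOME/.globus" || echo "fix permissions before running voms-proxy-init"
fi
```

The exit status of audit_globus_dir is the number of files that are too permissive, so it can gate a login script or a submit wrapper.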
