User Tools

Site Tools


users:taarre:cert

Getting a GRID certificate

Getting a Grid certificate

Follow the steps at CRABPrerequisitesGRIDCredentials to get your certificate. To import the certificate to your Mac follow these guidelines (Another installation guide can be found at Grid Certificate installation instructions ).

Getting a new Grid certificate when having an old one

  • Request new certificate here (using Firefox)
  • Install it in your browser with the link you get
  • Backup by Preferences–>Advanced–>View certificates–>Backup. Save .p12 file in your home directory (see under, “Installation of the certificate). If you have an old from before don't delete it, but save the new one under a different name.
  • If you have an existing cert+key pair in your .globus/ folder, rename the old ones as eg. userkey.pem_old and keep in the globus folder
  • After having extracted cert+key, remember to copy your new certificates to where you need then (PSI, lxplus, private computer…) by copying the .globus/ folder. Remember to set the permissions again and rename the old .globus/ folder before copying the new one!
  • To register the new certificate with the CMS vo registration, you need to use your old certificate in the browser. To use the old certificate you might need to do Preferences–>Privacy–>Clear History and Preferences–>Advanced–> Tick “Ask me everytime” for what do do when a server asks for your certificate. Close and reopen your browser and go to the cms VO registration. When asked what certificate to use in the pop-up window, choose your old one.
  • At cms VO registration, go to Member Info–>Certificates–>Add Certificate. You can get the new DN by doing voms-proxy-info at lxplus.
  • Once the new certificate is approved, you can make it your primary certificate by going to Member Info–>Certificates–>Change Primary Certificate

Installation of the certificate

After the successful application, the certificate has to be installed in the user's home directory following these instructions:

Export or 'backup' the certificate from the browser used for the application. The interface for this varies from browser to browser. The exported file will probably have the extension .p12 or .pfx. Guard this file carefully. Store it off your computer, or remove it once you are finished with this process.

Copy the file to the user's home directory.

Create a directory in the user's home directory

mkdir $HOME/.globus

Extract the certificate creating a public and a private key file replacing YourCert.p12 with the filename chosen during step 1:

openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem

The user will be asked to define a passphrase during this step. This passphrase has to be entered every time a proxy is created from the certificate. For security reasons, an empty passphrase is not adviseable.

Set the access mode on your userkey.pem and usercert.pem files

chmod 400 $HOME/.globus/userkey.pem 
chmod 600 $HOME/.globus/usercert.pem

Further protection of the $HOME/.globus directory is necessary to prevent everyone except the user to enter this directory:

chmod go-rx $HOME/.globus

If the $HOME/.globus directory holding the certificate resides in an afs home-directory, the directory has to be secured using afs-tools in addition to set the normal unix file access permissions

fs setacl -dir $HOME/.globus -acl system:anyuser l

The user's GRID certificate (usercert.pem and userkey.pem) can be copied to every other machine to access the GRID by transporting the $HOME/.globus directory. The security measures described above have to be repeated.

users/taarre/cert.txt · Last modified: 2019/10/24 17:18 by iwn