Grid Certificates

Before you can gain access to the Grid, you must request a certificate. This is done via the CA Grid certificate website. The official entry point is http://www.grid-support.ac.uk/ca/, where documentation is also found.

This Wiki page does not attempt to replace the official documentation, but only to help you find your way through it.

Preparing to Request a Certificate

With the help of the user documentation, choose which browser you intend to use for requesting your certificate: you must also use this same browser (and browser profile) for receiving the certificate when it is issued, so make your plans accordingly.

After submitting your request, therefore, until you have successfully received the issued certificate, do not re-install the browser, do not change its profile etc., or else your certificate will be useless.

Supported Browsers

At time of writing, browsers such as Firefox, MSIE or Mozilla are supported for requesting your certificate.

Some browsers, e.g. Mozilla and Firefox, have a "master password" on their certificate database. If you are sure that you never set a master password before, you will be asked to set one at an appropriate time: this is fine - skip the rest of this paragraph. If you have previously worked with certificates in that browser or browser profile, and thus have previously set a master password, you must remember that master password. Hint: if this applies to you, try to export/back up one of your previous certificates, and verify that your master password works, before starting the application procedure. Failing this: in e.g. Mozilla, if you are certain that you will never need the existing contents of your certificate store, you can override the master password with "Reset Master Password"; otherwise start a different browser profile (with e.g. Mozilla's profile manager), or use an unrelated browser.

Having selected the browser you are going to use, first carry out these preliminaries with it: follow the 'How To Guide' menu item and then install the eScience root certificate and the CA certificate as described in the 'How to get the CA root certificates' section.

This is very important, as, when trying to import the issued Grid Certificate, the CA must be trusted by your browser, i.e. you should have the CA certificates as trusted authorities in your browser. See the section 'Check CA certificates are there' on the 'How To Guide' page.

Requesting a User Certificate

Getting your certificate consists of a number of steps, which need to be carried out with care. If not done correctly, it may be impossible to use your issued certificate, meaning that the issued certificate has to be revoked, and the whole procedure repeated, causing extra work for yourself and for the RA and the CA; so please follow the steps carefully.

After reviewing the documentation, from http://www.grid-support.ac.uk/ca/ follow the 'Apply for a Certificate' menu item and select the 'Request a Certificate' tab then select 'User Certificate'. Your 'RA' is 'Glasgow Compserv'.

Having entered the relevant information to request the certificate, contact one of the 'Glasgow Compserv' RA operators. You will need to take a form of photographic ID with you and proof that you are a member of the group - if you are a PhD student, your matriculation card will suffice.

Once your request has been authorised, it is queued to be issued by the CA, and (typically within 1-2 working days) you will receive an email from the Grid Support containing a link to the CA site where you can enter your certificate serial number (this will be detailed in the email you receive) or you can just follow the link in the email.

IMPORTANT: You must receive the certificate into the same Browser from which you requested it.

Keeping a safe copy (backup) of your certificate

Once you have downloaded your certificate into your browser, you must export it to your computer where you can make a copy to be kept separately on a floppy disc, zip disk, USB storage drive etc (this is also important as it means if the original certificate is lost you are able to restore it, or move it to a new computer). The RA operator should have handed you a copy of the instructions 'Caring for your e-science digital certificate' which will detail the process of exporting your certificate: this is also available (and may be updated from time to time) on the documentation area at the CA web site.

Be sure to make this exported copy promptly and remember the passwords/phrases which you used to protect your certificate.

The reason is that in the event of computer failure, browser defect etc. during the validity of the certificate, you would be unable to fetch another copy of your certificate from the CA: if you had no backup copy, you would need to get your (now-unusable) certificate revoked, and request a new one from scratch.

The certificate identifies you

Your certificate identifies you. If it falls into the wrong hands, it can be used to impersonate you, so take care of it. However, it does not, in itself, entitle you to do anything. Before you can get access to facilities, you will need to register as a member of the appropriate VO.

Preparing the certificate for use with GRID

First make a directory called .globus (note the leading '.'). Then move your certificate .p12 or .pfx file into the .globus directory. You must now split the certificate into a private key, which is protected by your password and identifies you as the Grid user when you submit a job, and a user certificate. The commands for doing this are:

openssl pkcs12 -clcerts -nokeys -in cert.pfx -out usercert.pem   #this creates the certificate

openssl pkcs12 -nocerts -in cert.pfx -out userkey.pem   #this creates your private key

You will be asked to enter your passphrase (which you will have created when exporting your certificate) and then to enter and verify a new .pem passphrase. Having done this, your certificate should now be separated into usercert.pem and userkey.pem.

You need to change the permissions of the .pem files that you have just created.

chmod 400 userkey.pem

chmod 444 usercert.pem
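
The following script is an added example, not part of the original wiki page or the CA's documentation. It checks the result of the steps above: that both files have the modes set by chmod, that the certificate has not expired, and that userkey.pem really is the private key belonging to usercert.pem. The function names are hypothetical, and the sample pair it can generate is constructed for testing only.

```shell
#!/bin/sh
# Added example: checks ~/.globus after the pkcs12 split and chmod steps.

# Octal permission bits of a file (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True only if the file exists and has exactly the expected mode.
check_mode() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "$2" ]
}

# True only if certificate $1 and private key $2 carry the same public key.
# For a passphrase-protected userkey.pem, openssl prompts for the passphrase.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check on a directory (default: ~/.globus); stop at the first failure.
verify_globus_dir() {
    dir=${1:-$HOME/.globus}
    check_mode "$dir/userkey.pem" 400 ||
        { echo "userkey.pem is missing or not mode 400" >&2; return 1; }
    check_mode "$dir/usercert.pem" 444 ||
        { echo "usercert.pem is missing or not mode 444" >&2; return 1; }
    openssl x509 -in "$dir/usercert.pem" -noout -checkend 0 >/dev/null ||
        { echo "usercert.pem has expired or is unreadable" >&2; return 1; }
    key_matches_cert "$dir/usercert.pem" "$dir/userkey.pem" ||
        { echo "userkey.pem does not belong to usercert.pem" >&2; return 1; }
    echo "OK: $dir holds a matching, unexpired certificate and key"
}

# Constructed sample for trying the checks: a throwaway self-signed pair with
# an unencrypted key (a real userkey.pem stays passphrase-protected).
make_constructed_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed sample user' \
        -keyout "$1/userkey.pem" -out "$1/usercert.pem" 2>/dev/null &&
        chmod 400 "$1/userkey.pem" && chmod 444 "$1/usercert.pem"
}
```

Source the script and run verify_globus_dir with no argument to check ~/.globus; a mismatch between key and certificate usually means the two openssl commands were run against different .p12 or .pfx files.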

You should, at this point, check that you have your certificate in your browser. The menu paths in Mozilla or Firefox are similar to those shown above for the CA, but at the end, instead of "Authorities", take the "Your Certificates" tab, and your eScience certificate should be there. If it is not, select IMPORT and then import the certificate to the browser from wherever in your home directory you have saved it.

-- AndrewPickford - 13 Feb 2009

Topic revision: r4 - 2016-04-21 - GordonStewart
 