GridKaHOWTO


Follow the whole process with the same user and the same browser!

If you use Firefox, make sure to use ESR version 60 or 68, as Mozilla dropped support for the key generation infrastructure starting with version 69.

On macOS you can also use Safari, but you need to manually retrieve the key and certificate from the keychain afterwards. If you choose this route, make sure to export BOTH at the same time into usercred.p12.


This HOWTO shows you how to get your personal GridKa certificate.

Applying for a certificate.

  1. Go to the GridKa web site. You can switch to English (flag in the upper left corner) if you like.
  2. Click on "Your first personal certificate" in the top panel and enter your personal information. Be sure to fill out all fields marked with a '*' and choose AEI as Organization. Use your '@aei.mpg.de' email address! When done, click send.
  3. Verify the data and click send again to continue.
  4. You should now see a summary of your data and the confirmation that the request was sent. You should also receive an email at your address.
  5. If you are in Hannover, please print out this form, fill it out and go and see Konrad Mors or Oliver Behnke. Please ask them to verify your passport and sign your certificate request.

Getting your certificate

  1. After a couple of days, you should get an e-mail saying that your certificate is waiting for you. The email should provide you with a link as well as a password.
  2. On the page, enter your last name and your password.
  3. As a confirmation, your certificate is shown. Click on fetch next to the certificate in the table to load it into your browser.

After this step you should have your certificate imported into your browser. To use it in Globus you need to export it from your browser and convert it to a suitable format. Please read on to see how to do that.

Export your certificate from your browser

Firefox

Edit (Menu) -> Preferences (Item) -> Advanced (in the preferences window) -> Encryption (tab) -> View Certificates (Button)

A new window opens showing all the certificates. Make sure you are in the Your Certificates tab. Click on your certificate (with your name) and click on Backup... and choose a backup location of your choice. This file is just used temporarily and can be deleted afterwards - or copied to a secure storage. For the remainder of this part we will assume you named it yourpkcsfile.p12. The browser will prompt you for an export password which you should use. If someone else finds this file, she/he can use it and pretend to be you!

Using the browser "native" .p12 file

Recent Globus versions will recognize .p12 files. Simply move your backup to ~/.globus/usercred.p12 and ensure that the permissions are strict, i.e. chmod 600 ~/.globus/usercred.p12. It's important to delete or move the old files away: if you have both .p12 and .pem files in the .globus directory, the grid tools will only try the .pem files!

That should be all.

Closing remarks

Side note: If you are asked for your identity and you don't remember it, just fire up a grid-proxy and then run grid-proxy-info | grep ident. For Carsten's case it outputs: identity : /O=GermanGrid/OU=AEI/CN=Carsten Aulbert. This is the info remote admins need to know.

Converting PEM into PKCS12 format

You may find it useful to keep your certificate in the browser, but in case you accidentally deleted it and need to re-import it to extend the certificate for another year, please follow this recipe:

To re-import your certificate into your browser, you need the .p12 format again. With this command, you can create a .p12 file using your public and private key (in .pem format).

openssl pkcs12 -export -out cert.p12 -inkey userkey.pem -in usercert.pem

The resulting file cert.p12 can then be re-imported at the very same tab where the backup option is located. After that, it's essentially the same, except that you opt to renew your personal certificate.

Conversion into Globus needed PEM format (probably not needed anymore)

Your browser created a .p12 (also called pkcs12) certificate, but Globus needs it in another format which is called PEM. This seems to have changed; if you want to give it a try, please read on in the next section! Take your exported certificate and run the following two commands to extract the key and certificate in PEM format:

  1. Extract the private user key (it will ask you for the export password and a PEM pass phrase):
    openssl pkcs12 -nocerts -in yourpkcsfile.p12 -out userkey.pem
  2. Extract the public user certificate (it will ask you for the export password):
    openssl pkcs12 -clcerts -nokeys -in yourpkcsfile.p12 -out usercert.pem

At this point you are all set. These two files should be copied into your ~/.globus with the very same names - please don't alter those. Please also ensure that the file permissions are set in a way that only you can read them, i.e. chmod 600 ~/.globus/user{cert,key}.pem. Now you should be able to start grid-proxy-init to create a grid-proxy and use a grid-enabled ssh to log into a remote machine with your certificate.
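
A check for the pitfalls described in the two sections above (credential files readable by others, and leftover .pem files that make the grid tools ignore usercred.p12), as an added example that is not part of the original HOWTO. The function name audit_globus_dir and the finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit a ~/.globus-style directory. The file names are the
# ones used in this HOWTO; the finding labels are invented for illustration.

# Print the six group/other permission characters of a file ("------" for 600).
perm_tail() { ls -ldL "$1" | cut -c5-10; }

# audit_globus_dir DIR
# Prints one finding per line; returns 0 if the directory is clean, 1 otherwise.
audit_globus_dir() {
    dir=$1; findings=0; have_p12=0; have_pem=0
    for f in usercred.p12 userkey.pem usercert.pem; do
        [ -f "$dir/$f" ] || continue
        case $f in
            *.p12) have_p12=1 ;;
            *.pem) have_pem=$((have_pem + 1)) ;;
        esac
        # Anything beyond owner-only access contradicts the chmod 600 advice.
        if [ "$(perm_tail "$dir/$f")" != "------" ]; then
            echo "LOOSE_PERMS $f"; findings=$((findings + 1))
        fi
    done
    # With both formats present, the grid tools only try the .pem files,
    # so a freshly exported usercred.p12 would be ignored.
    if [ "$have_p12" -eq 1 ] && [ "$have_pem" -gt 0 ]; then
        echo "PEM_SHADOWS_P12"; findings=$((findings + 1))
    fi
    # The PEM route needs both userkey.pem and usercert.pem.
    if [ "$have_pem" -eq 1 ]; then
        echo "INCOMPLETE_PEM_PAIR"; findings=$((findings + 1))
    fi
    if [ "$have_p12" -eq 0 ] && [ "$have_pem" -eq 0 ]; then
        echo "NO_CREDENTIAL"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Source the file and run audit_globus_dir ~/.globus before grid-proxy-init; no output and exit status 0 mean the directory matches the layout described here.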

gsi ssh

Topic revision: r33 - 24 Sep 2019, CarstenAulbert