User Certificates for the Grid

User Certificates for using the Grid - OSG

[25 Feb 2009] It is expected that SA-CA Certificates will be recognised by OSG in the future. At the moment, OSG Certificates can be obtained from the DOEgrids CA. Please note that you will need to indicate a recognised "sponsor".

User Certificates for using the Grid - SAGrid

[25 Feb 2009] The South African Certification Authority is still being established by Meraka. As a temporary alternative, you can use one of the Registration Authorities in South Africa (operating under the INFN CA):

  • iThemba LABS, South Africa: Sean Murray
  • Meraka Institute, South Africa: Albert Gazendam, Nelson Selisa

Temporary, short-lived certificates can be obtained from GILDA, the Education and Training organisation of the EGEE.

Secure the certificate

The Certificate is a document that constitutes your credentials in the Grid, like an ID card or a passport in the real world; and like an ID card or passport, it must be protected from abuse. You should never keep a copy of your Certificate that has no password or only a weak password, not even on your personal notebook. If you suspect your Certificate may have been accessed by others (for example, if your computer has been infected by a virus or a trojan), you must report this to the issuing Registration Authority, which will revoke the old Certificate and issue a new one.

If you use Firefox or any other web browser to generate, store or use your Grid Certificates, you MUST secure the browser with a password.
  • in Firefox (all platforms), Preferences/Security/Use a master password
  • in Safari (Mac OS X) certificates are stored in the KeyChain, which by default uses the same password as the user account; make sure your account has a password.
    Please note that Safari does not automatically offer your public key to sites which do not request it. While this is appropriate behaviour, it makes Safari incompatible with many Certification Authority websites. See http://support.apple.com/kb/HT1679

Saving the certificate from Firefox

  • open the Preferences panel
  • switch to "Advanced" tab
  • Click View Certificates
  • switch to "Your Certificates" tab
  • select the certificate
  • click Backup...
  • choose a name for the pkcs12 (.p12) file; possibly include in the name the authority name and expiration date (e.g. Sergio_Ballestrero_GILDA-20090312.p12)
  • use a good password. Security is important.
  • copy the file to the UI server
  • unpack the pkcs12 file into userkey.pem and usercert.pem
[sergio@glite-ui .globus]$ openssl pkcs12 -in MYCERT.p12 -nocerts -out userkey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[sergio@glite-ui .globus]$ chmod go-r userkey.pem 
[sergio@glite-ui .globus]$ openssl pkcs12 -in MYCERT.p12 -clcerts -nokeys -out usercert.pem
Enter Import Password:
MAC verified OK
[sergio@glite-ui .globus]$ openssl x509 -in usercert.pem -noout -subject
subject= /C=IT/O=GILDA/OU=Personal Certificate/L=University of Johannesburg/CN=Sergio Ballestrero
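
After unpacking, the two properties this page asks for (no access for group or others, and a pass phrase on the key) can be checked mechanically. The following is an added example, not part of the original page or of the gLite/Globus tools; `check_userkey` and its return codes are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: audit a Grid private key file (e.g. ~/.globus/userkey.pem).
# check_userkey is a hypothetical helper, not a gLite or Globus command.
# Return codes: 0 ok, 2 missing/unreadable, 3 accessible by group/others,
#               4 stored without a pass phrase, 5 not a PEM private key.

check_userkey() {
    key=$1
    [ -f "$key" ] && [ -r "$key" ] || { echo "$key: missing or unreadable" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L follows a symlink so the real file is inspected.
    perms=$(ls -lLd "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key: group/other access ($perms); run: chmod go-rwx $key" >&2
        return 3
    fi

    # PKCS#8 encrypted keys carry their own PEM label.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        return 0
    fi
    # Traditional PEM keys (e.g. RSA) mark encryption with a Proc-Type header.
    if grep -q '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
            return 0
        fi
        echo "$key: private key is not pass-phrase protected" >&2
        return 4
    fi
    echo "$key: no PEM private key found" >&2
    return 5
}

# Stand-alone use: sh check_userkey.sh ~/.globus/userkey.pem
[ $# -eq 0 ] || check_userkey "$1"
```

The check reads only the PEM labels and headers, so it never prompts for the pass phrase and never touches the key material itself.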

When you have both an OSG and a gLite certificate

By default voms-proxy-init uses the certificate under ~/.globus, but you can specify an alternative key and certificate:

[sergio@glite-ui ~]$ voms-proxy-init -debug -voms gilda \
 -key ~/.globus/gilda2/userkey.pem -cert ~/.globus/gilda2/usercert.pem 
Detected Globus version: 22
Unspecified proxy version, settling on Globus version: 2
Number of bits in key :512
Using configuration file /nfs/home/sergio/.glite/vomses
Using configuration file /opt/glite/etc/vomses
Files being used:
 CA certificate file: none
 Trusted certificates directory : /etc/grid-security/certificates
 Proxy certificate file : /tmp/x509up_u599
 User certificate file: /nfs/home/sergio/.globus/gilda2/usercert.pem
 User key file: /nfs/home/sergio/.globus/gilda2/userkey.pem
Output to /tmp/x509up_u599
Enter GRID pass phrase:
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=University of Johannesburg/CN=Sergio Ballestrero
Using configuration file /nfs/home/sergio/.glite/vomses
Using configuration file /nfs/home/sergio/.glite/vomses
Using configuration file /opt/glite/etc/vomses
Using configuration file /opt/glite/etc/vomses
Using configuration file /nfs/home/sergio/.glite/vomses
Using configuration file /opt/glite/etc/vomses
Creating proxy to /tmp/x509up_u599 ...............++++++++++++
..........................++++++++++++
 Done
Your proxy is valid until Thu Feb 26 05:54:07 2009
Page last modified on February 26, 2009, at 12:26 am