By Louis Pelosi |

How to download, export, and convert your new grid certificate.

Download and import the certificate

To download and install your certificate:

  • ATLAS users: visit the CERN CA site to request a new certificate or renew an existing one.
  • OSG users: follow the instructions given here. You'll receive an email informing you that your new certificate has been approved and is ready for download.
    When you open and follow the link for downloading your new certificate, it is important that you do so using the same browser in which you completed the certificate request form, as it contains your private key.

Your web browser should now be equipped with a complete grid certificate, including a private key from your original request, and a public key signed by the signing certificate authority (CA).

With the grid certificate properly loaded, PHENIX and STAR users can now register for the PHENIX VO or the STAR VO, or continue with these instructions to prepare for using the grid (if necessary).  ATLAS users must wait until their CERN registration is complete (unless they're already registered CERN users) before proceeding with registration for the ATLAS VO.

Export the certificate

Before you can use your certificate to perform grid tasks, you'll need to export it from your browser to your home directory. If you already have a downloaded and saved file, there is no need to export the certificate again.

  1. Select your certificate:
    • In Firefox: Click Preferences (or Options), click Advanced, click the Encryption tab, click View Certificates, and then click the Your Certificates tab.
    • In Chrome: Click Settings -> Show advanced settings, and under HTTPS/SSL, click Manage certificates.
      For OS X users, this will open the Keychain Access application.
    • In Microsoft Internet Explorer or Edge: Click the Search icon (or Windows+R keys for the Run dialog), type certmgr.msc and press Enter. Under Certificates - Current User, click Personal -> Certificates, in the right-hand pane, right-click your certificate, and select All Tasks -> Export. In the Export wizard, be sure to export the private key, include all certificates and extended properties, and protect the key with a password.
    • In Mozilla v1.7 or Seamonkey v1 (Linux): Click Edit -> Preferences, expand Privacy & Security, click Certificates, and then click Manage Certificates.
  2. Select your new certificate, click Backup (or Export), remember the password you use when exporting (else this exported file becomes useless), and save this file to a safe location on your computer or in your directory.

If the computer you are using is shared with other users, be sure to remove this copy of the file when you're finished. Apply a good password to the backup when you are given the option, and be sure to remember this password. If your browser supports the option to use a password mechanism for its certificate storage, be sure to use that option.

Convert the certificate

Exporting the certificate file from your browser will result in a PKCS12 (.p12) file; Globus and other grid frameworks require a separate certificate and key pair or files in PEM (.pem) format. To convert the new certificate for use in grid jobs:

  1. Use the openssl pkcs12 command to convert the certificate and its private key:
    openssl pkcs12 -in [your-cert-file] -clcerts -nokeys -out ~/.globus/usercert.pem
    openssl pkcs12 -in [your-cert-file] -nocerts -out ~/.globus/userkey.pem
    In response to each command, you will be prompted for one or both of two passwords:
    • Enter Import Password: This is the password you created when you exported your certificate from your browser.
    • Enter PEM pass phrase: This is the Challenge Phrase Password that will be used each time you use your certificate/key pair.
      If your certificate was issued by CERN: enter (and verify) a new pass phrase here, and be sure to remember or record it for future use.
      For certificates issued by certificate authorities (CAs) other than CERN: if you created a passphrase when you requested your certificate, enter (and verify) that pass phrase here.
  2. Change permissions to protect the converted certificate and key files:
    • In Linux/UNIX/Mac:
      chmod 0600 ~/.globus/usercert.pem
      chmod 0400 ~/.globus/userkey.pem
    • In Windows:
      1. Right-click the file userkey.pem, and choose Properties.
      2. Change the Permissions settings so that you have Write permissions, and that no permissions at all are selected for Group and World.
      3. Do the same for the file usercert.pem, and ensure that you (and only you) have read and write permissions.
    Note that the above instructions enforce the fact that some applications insist on owner-read-only permissions for the private key instead of owner-read-and-write (`600`), meaning you will need to change or override the file's permissions in order to change its contents (i.e., to change the key for a future certificate).