DigiCert certificate

This section describes how to obtain and install a DigiCert Grid certificate. This is a prerequisite to get started on the Grid.

Obtain a DigiCert certificate

DigiCert CA allows you to get your Grid certificate instantly from the GEANT Trusted Certificate Service (formerly the Terena portal), using your institutional login through SURFconext.

  • Open a Firefox browser on your laptop or in your UI account

  • Access the DigiCert portal

  • Select your institution from the list and login with your account

  • Request a so-called Grid certificate. Select: Product: Grid Premium

  • In the past, you could leave the CSR field empty and your browser would generate the key pair and CSR for you. This no longer works: you have to paste your own CSR. Open a terminal on your laptop or on the UI and generate the key and CSR with the following commands:

$openssl genrsa -aes256 -out userkey.pem 2048

Generating RSA private key, 2048 bit long modulus
................................................+++++
.......................................................+++++
e is 65537 (0x10001)
Enter pass phrase for userkey.pem:
Verifying - Enter pass phrase for userkey.pem:

Please choose a strong pass phrase. It protects the private key on disk; you will be asked for it in some of the steps below as well as every time you create a grid proxy, so remember it well.

$openssl req -new -key userkey.pem -out grid.csr

Enter pass phrase for userkey.pem:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:NL
State or Province Name (full name) []:
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Please enter your own full name as 'Common Name' and your institutional email address as 'Email Address'. The other fields can be left empty.

  • The above step creates the grid.csr file. You need to copy the contents of this file into the CSR field of the DigiCert portal in your browser. You can display its contents with the following command:

    $cat grid.csr
    
  • After you fill in the CSR and click on request certificate, the certificate will be sent to you by email and it can also be downloaded from the DigiCert portal.
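The key and CSR steps above can be scripted so that the pass phrase never appears on the command line and the CSR is checked before it is pasted into the portal. The following is an added example and not part of the original SURFsara instructions; it assumes openssl on the PATH, a PASSPHRASE environment variable holding the key pass phrase, and constructed sample DN values (the name and email address are placeholders):

```shell
#!/usr/bin/env bash
# Added example (not from the original page): generate the Grid key pair and
# CSR non-interactively, then verify the CSR before pasting it into the
# DigiCert portal. Assumes: openssl on PATH; the pass phrase is supplied in
# the PASSPHRASE environment variable; DN values below are sample data.
set -eu

# make_grid_csr KEYFILE CSRFILE FULLNAME EMAIL
# Same as the interactive `openssl genrsa -aes256` / `openssl req -new` steps:
# an AES-256-encrypted 2048-bit RSA key and a CSR with CN = your full name.
make_grid_csr() {
  local key=$1 csr=$2 fullname=$3 email=$4
  : "${PASSPHRASE:?set PASSPHRASE to the key pass phrase}"
  # umask 077 inside a subshell so the key file is never world-readable,
  # not even between creation and the chmod below.
  ( umask 077
    openssl genrsa -aes256 -passout env:PASSPHRASE -out "$key" 2048 2>/dev/null )
  chmod 400 "$key"
  openssl req -new -key "$key" -passin env:PASSPHRASE -out "$csr" \
      -subj "/C=NL/L=Amsterdam/CN=${fullname}/emailAddress=${email}"
}

# check_csr CSRFILE: fail if the CSR's self-signature does not verify,
# otherwise print the subject DN so you can eyeball the CN before submitting.
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject
}

# key_matches_csr KEYFILE CSRFILE: compare public-key fingerprints. A mismatch
# means the CSR came from a different key, and the issued certificate would be
# useless with the key you kept.
key_matches_csr() {
  local key_pub csr_pub
  key_pub=$(openssl pkey -in "$1" -passin env:PASSPHRASE -pubout 2>/dev/null | openssl sha256)
  csr_pub=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
  [ "$key_pub" = "$csr_pub" ]
}
```

Run it as `PASSPHRASE='...' make_grid_csr userkey.pem grid.csr 'Your Name' you@institution.nl`, then `check_csr grid.csr` prints the DN that will end up in your certificate; `cat grid.csr` gives the text to paste into the portal.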

Note

If you cannot access the DigiCert portal with your institutional account, please have a look at the section "No access to the TCS service in NL" in the TCS document or contact us at helpdesk@surfsara.nl.

Change the certificate formats

Certificates can be stored in different formats. Different systems use different formats. The two important formats are:

  • PEM: stores keys and certificates in separate ASCII files; this format is used by the Grid middleware and storage programs;

  • PKCS12: stores keys and certificates in one binary file; this format is used by browsers.

DigiCert delivers the certificate as a .crt file. Its content is already PEM-encoded, so the "conversion" below is only a copy to the file name the Grid middleware expects; the PKCS12 bundle for your browser has to be created with openssl.

Convert crt to PEM

  • Download the certificate file and unzip it. Open a terminal and go to the directory where the .crt files are available.

  • The following command will convert the certificate in the PEM format

$cat yournamefile.crt > usercert.pem   #replace the yournamefile.crt file with your certificate file
  • Set the proper permissions to your certificate files:

$chmod 644 usercert.pem
$chmod 400 userkey.pem

Convert PEM to pkcs12

  • To convert a PEM file to the PKCS12 format, run on the UI:

$openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out browsercert.p12

Note that you will first need to enter the pass phrase you chose when generating userkey.pem. Next, you need to enter a password to protect the exported key, and enter it again to verify. You must enter a password, and it must be at least 12 characters; if the password is too short, openssl fails without reporting an error and the resulting .p12 file will not import.

Install a DigiCert certificate on the UI

  • Open a terminal and connect to the User Interface with your personal UI account:

$ssh homer@ui.grid.sara.nl # replace "homer" with your username! For LSG users, also replace the host with your local ui.
  • Create a $HOME/.globus directory in your UI account:

$mkdir $HOME/.globus
  • If you saved the certificate files on your laptop, copy them from your local machine to your .globus directory on the UI:

[homer@localmachine]$scp /PATH-TO-P12-FILE/browsercert.p12 homer@ui.grid.sara.nl:~/.globus  # replace "homer" with your username!
[homer@localmachine]$scp /PATH-TO-P12-FILE/userkey.pem homer@ui.grid.sara.nl:~/.globus
[homer@localmachine]$scp /PATH-TO-P12-FILE/usercert.pem homer@ui.grid.sara.nl:~/.globus

The certificate and private key file should now be present in the .globus directory (notice the dot!) on the User Interface. Note that the private key file should be read-only and only readable to you.

  • Set the proper permissions to your certificate files on the UI:

$cd $HOME/.globus
$chmod 644 usercert.pem
$chmod 400 userkey.pem
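The format-conversion and installation steps above (copying the .crt to usercert.pem, setting permissions, exporting browsercert.p12) can be done with a few checks that the instructions do not include: that the .crt really is a PEM certificate, that it belongs to the key you generated, and that the PKCS12 password meets the 12-character minimum before openssl is invoked. The following is an added example, not part of the original SURFsara page; it assumes openssl on the PATH and two environment variables, KEYPASS (the key pass phrase) and P12PASS (the export password), and in its test a self-signed certificate stands in for the DigiCert-issued .crt:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): install the issued certificate
# and private key into $HOME/.globus with the expected names and permissions,
# check that they belong together, and export a PKCS12 bundle for the
# browser. Assumes: openssl on PATH; KEYPASS holds the key pass phrase and
# P12PASS the export password (both environment variables).
set -eu

# sha256 of the public key, used to pair a private key with a certificate
pubkey_fp_of_key()  { openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null | openssl sha256; }
pubkey_fp_of_cert() { openssl x509 -in "$1" -pubkey -noout | openssl sha256; }

# install_grid_cert CRTFILE KEYFILE DESTDIR
# The .crt from the portal is already PEM text, so the conversion is a copy.
# We still parse it (refusing e.g. a saved HTML error page) and refuse a key
# that does not match the certificate.
install_grid_cert() {
  local crt=$1 key=$2 dest=$3
  openssl x509 -in "$crt" -noout 2>/dev/null \
      || { echo "$crt is not a PEM certificate" >&2; return 1; }
  [ "$(pubkey_fp_of_cert "$crt")" = "$(pubkey_fp_of_key "$key")" ] \
      || { echo "certificate and key do not match" >&2; return 1; }
  mkdir -p "$dest" && chmod 700 "$dest"
  cp "$crt" "$dest/usercert.pem" && chmod 644 "$dest/usercert.pem"
  cp "$key" "$dest/userkey.pem"  && chmod 400 "$dest/userkey.pem"
}

# export_p12 DESTDIR: bundle usercert.pem + userkey.pem into browsercert.p12.
# The 12-character minimum is enforced here so a short password fails loudly
# instead of silently producing a bundle the browser cannot import.
export_p12() {
  local dest=$1
  [ "${#P12PASS}" -ge 12 ] || { echo "P12PASS must be at least 12 characters" >&2; return 1; }
  openssl pkcs12 -export -inkey "$dest/userkey.pem" -passin env:KEYPASS \
      -in "$dest/usercert.pem" -out "$dest/browsercert.p12" -passout env:P12PASS
  # the bundle contains the private key: owner-only, like userkey.pem
  chmod 600 "$dest/browsercert.p12"
}

# p12_ok FILE: true if the bundle opens with P12PASS (MAC and contents parse)
p12_ok() { openssl pkcs12 -in "$1" -passin env:P12PASS -noout -nodes >/dev/null 2>&1; }

# cert_subject DESTDIR: the DN the Grid will see, for a final check
cert_subject() { openssl x509 -in "$1/usercert.pem" -noout -subject; }
```

Typical use on the UI: `KEYPASS='...' P12PASS='...' install_grid_cert yournamefile.crt userkey.pem "$HOME/.globus" && export_p12 "$HOME/.globus"`, then `p12_ok "$HOME/.globus/browsercert.p12"` before you copy the bundle to where Firefox can import it. The key-matching check is the one that saves the most time: a certificate issued for a CSR from an older or regenerated key looks fine on its own but will never produce a working proxy.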

Install a DigiCert certificate in your browser

In order to apply for a VO membership you will have to install your certificate in your browser. This can also be done from your laptop, but we will show instructions for the UI.

  • To import the .p12 file in your browser, open a Firefox window ($ firefox &) on the UI and apply the following steps (Note that you may have to copy the .p12 file to a directory accessible from your browser):
    • From the Firefox Menu bar select:

    • For Firefox versions older than v57.0: Edit > Preferences > Advanced > View Certificates > Import

    • For Firefox v57.0 and newer: Firefox > Preferences > Privacy & Security > scroll to the bottom "Security" section > View Certificates > Import

    • Select the browsercert.p12 file from the UI local directory

    • Give the password you set in the previous step.

    • You should now see the certificate listed. Close the window.

  • Verify that your certificate is valid and properly installed by accessing the following website from the browser in which you installed your certificate:

If you receive an SSL authentication error, repeat the steps carefully and in order. If you can access the page above, your certificate is successfully installed!