Requesting a grid certificate from the Nordugrid CA

From SNIC Documentation
Revision as of 08:52, 17 October 2019 by Niklas Edmundsson (HPC2N) (talk | contribs) (Try to clarify documentation flow for user reading it top-down)
Jump to: navigation, search

< Grid certificates

The first step in acquiring a certificate from the nordugrid CA is to create a certificate request.

Creating a certificate request

Certificate requests can be created using any compatible tool. Here we outline the two most common ones on SNIC systems.

Creating a certificate request using the ARC tools

This is done using the grid-cert-request -int command. (The -int options means interactive usage). When issued, the tool will generate a certificate request and a private key. The tool will also ask for a password to protect the private key. Note, if the password is lost a new certificate must be obtained. The process is shown below:

First the private key is generated:

$ grid-cert-request -int
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.

Using configuration from /etc/grid-security/globus-user-ssl.conf
Generating a 1024 bit RSA private key
writing new private key to '/home/jonas/.globus/userkey.pem'

To protect the private key from unauthorized access it is encrypted using a pass phrase. If this pass phrase is empty, anyone with access to your private key and certificate can gain access to the resources you have been granted. The pass phrase should also be different from your normal login password, so if your local system has been compromised the private key is still protected.:

You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are
quite a few fields but you can leave some blank For some fields
there will be a default value, If you enter '.', the field will be
left blank.
Level 0 Organization Name (do not modify) [Grid]:
Level 1 Organization Name (do not modify) [NorduGrid]:

The following questions regards your affiliation domain and your email. It is important that your domain and the domain in the email address is the same.:

Your Domain []
Name (e.g., Hans Christian Andersen) []:Joe User
Email address (e.g., []:joe.user@

Finally the private key and a certificate request are generated.:

A private key and a certificate request has been generated with
the subject:

/O=Grid/O=NorduGrid/ User/Email=joe.user@

If the CN=Joe User/ is not appropriate,
rerun this script with the -force -cn "Common Name" options.

Your private key is stored in /home/joe/.globus/userkey.pem
Your request is stored in /home/joe/.globus/usercert_request.pem

Please e-mail the request to the NorduGrid Certification Authority You may use a command similar to the following:

  cat /home/jonas/.globus/usercert_request.pem | mail

Only use the above if this machine can send AND receive e-mail. if
not, please mail using some other method.

Your certificate will be mailed to you within two working days. If
you receive no response, contact NorduGrid Certification Authority

Creating a certificate request using openssl

If grid-proxy-init isn't available you can use openssl to create a certificate request and a private key. Openssl will ask for a password to protect the private key. Note, if the password or private key is lost, a new certificate must be obtained. The process is shown below:

$ mkdir -p ~/.globus
$ openssl req -new -newkey rsa:2048 \
  -out ~/.globus/usercert_request.pem \
  -keyout ~/.globus/userkey.pem \
  -subj "/O=Grid/O=NorduGrid/ Kula/"
Generating a 2048 bit RSA private key
writing new private key to '~/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Modify OU, CN and emailAddress as necessary. It is probably important that your OU and the domain in the email address are the same.

Sending the certificate request to the Nordugrid CA

When the certificate request is created there will be 2 files, userkey.pem and usercert_request.pem, in a subdirectory called .globus in your home directory. The userkey.pem is your private key and should not be world readable. This can be achieved by using chmod 400 ~/.globus/userkey.pem.

The contents of the usercert_request.pem should be sent by mail to you neareast Registration Authority (RA). The RA will verify your request and verify your identity. This can involve meeting with the RA and proving your identity with a passport or equivalent documents. The current list of RA:s can be found at the following page:

Installing the certificate in your home directory

When certificate request is signed by the CA you will receive a mail with the certificate.

The important parts of the mail are shown below::


Copy the part shown above into the file usercert.pem in the .globus directory in your home directory.

Installing the certificate in your browser

To use the requested certificate in your browser it has to be converted to pkcs12 format. This can be done using the following commands (on a linux/unix based system):

$ cd ~/.globus
$ openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out DELETE_ME.p12

First openssl ask for your passphrase for your private key.

Enter pass phrase for userkey.pem:

As the pkcs12 file will consist of both your public and private key, the generated file is protected by an additional passphrase which openssl asks for:

Enter Export Password:
Verifying - Enter Export Password:

The generated file, DELETE_ME.p12, can then be imported into your web browser.

To import the certificate in Firefox, open the "Advanced" tab in the Preferences dialog, and select the "Encryption" tab. Click the "Certificates" button and then the "Import..." button. Select your generated DELETE_ME.p12 file, and Firefox will then ask you for the export passphrase to entered in the openssl command. In Chrome, the procedure is pretty much the same, except you have to go to "Settings" and click "Under the Hood" in the sidebar and then the "Manage certificates..." button to find the "Import..." button.

On Mac OSX most browsers (except Firefox) use the keychain to store certificates, and you can import DELETE_ME.p12 to the keychain by double clicking it in the finder.

Do not forget to delete DELETE_ME.p12 when you are done.

This concludes the setup process, you might want to return to the Grid certificates page.

Renewing a NorduGrid user certificate

Renewing a certificate is needed when and old certificate is about to expire.

Go into your .globus directory. There you can make a new directory and jump into it to create your new certificates, while still be able to to use the old ones as long as they are valid.

mkdir new`date +%y%m%d`
cd new`date +%y%m%d`
openssl req -newkey rsa:2048 -keyout newuserkey.pem -subj "/O=Grid/O=NorduGrid/ Lastname/" -new -out usercert_request.pem
chmod 400 newuserkey.pem

Note: Firstname Lastname do not need to be uppercase. If you change case/spelling/email-address in your certificate when renewing a certificate, then RT-systems, web-servers, wiki et cetera will likely not recognize you, as it is often done through plain character string matching! So check what your had in your old cert in beforehand.

Update: For user certificates it is no longer necessary to create a signaturefile, but this is how you would have done it:

openssl dgst -binary -sign ../userkey.pem < usercert_request.pem > req.sig

Mailing your renewal request

You will have to send an email with the *_request.pem file inline and the eventual sigfile attached. For human readability and faster responsetime it can be recommended to also paste the output of

openssl req -in usercert_request.pem -noout -text

into the body of the email. Another appreciated information is the time when your current certificate will expire. The recipient of your email is generally your RA (the one you used when asking for your previous cert, see above) who will control, sign and forward it for you to

If you are able to sign the mail (signing doesn't mean attaching!!!) with the still valid old certificate in PKCS12 format you can send it directly to the CA at In that case you don't need to give the information of when your current certificate will expire since it is obvious. It is still recommended though that you CC your RA who can then inform you of any expected delays and could point out if your signature doesn't look valid.