Requesting a grid certificate using the Digicert SSO Portal

From SNIC Documentation
Revision as of 12:57, 26 September 2019 by Thomas Bellman (NSC) (talk | contribs) (Minor rewording)


Browser Support

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

  • Safari
  • Internet Explorer
  • Firefox ESR (as long as they are based on Firefox before version 69)

If you are using one of these, you can follow the simpler instructions below.

For other browsers you need to follow the more complex instructions below.

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

Set a master password

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Requesting a personal grid certificate directly in the browser

  1. Start a suitable web browser (see Browser Support above for details):
    1. Windows:
      1. Internet Explorer
      2. Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox up to version 68 (obtained certificate is only available to Firefox)
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
    File:Digicert-idp.png
  4. Login at your home university.
  5. Select the Grid Premium product.
    File:Digicert-product-select.png
  6. Normally, leave the CSR field blank to get a key generated in your browser.
  7. Press "Request Certificate".
  8. Your certificate is generated and should be automatically imported into your browser.

Requesting a personal grid certificate using CSR created outside of the browser

  1. Start a suitable web browser
    1. Windows:
      1. Internet Explorer
      2. Edge
      3. Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox (obtained certificate is only available to Firefox)
      2. Chrome
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
    File:Digicert-idp.png
  4. Login at your home university.
  5. Select the Grid Premium product.
    File:Digicert-product-select.png
  6. Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
# Generate a new 2048-bit RSA key (encrypted with the pass phrase you are prompted for) and a CSR for it
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
# Make the private key readable by you only (chmod, not chown: the file mode is what needs changing)
chmod go= userkey.pem
cat usercert_request.pem
  7. Paste the CSR text into the "CSR" text box.
  8. Press "Request Certificate".
  9. Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the one just generated and use the Download button to save the ZIP file (the name of the file depends on your name).
  10. Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above; the exact names of the directory and certificate file will vary. You will need to re-enter your key pass phrase from above, and then set a new pass phrase for the PKCS#12 export file itself:
 unzip mitt_namn_namne12_foo_se.zip
 openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
  11. Import the PKCS#12 file into your browser(s):
    1. Firefox: Select Preferences, type 'certificate' in the search box, click the 'View Certificates' button, click the 'Import' button, select your 'my_cert.p12' file created above and provide the pass phrase. You should find your new certificate listed in the 'Your Certificates' table.
    2. Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above and provide the pass phrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
    3. Other browsers: Please help us out by providing instructions.
  12. Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
  13. Remove the userkey.pem and my_cert.p12 files (or take care of them in some other secure way), as they contain your private key.
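The following script is an added example for this page, not part of the SNIC instructions. It runs the same openssl workflow as above (encrypted key plus CSR, then a PKCS#12 bundle) and adds the checks worth doing between the steps: that the CSR subject is what you intend to paste into the portal, that the certificate you get back actually belongs to your private key, and that the .p12 contains that certificate. Because the DigiCert portal cannot be driven from a script, the CA-issued certificate is stood in for by a self-signed certificate made from the same CSR (constructed); the pass phrases, the `$WORK` temporary directory and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the SNIC page. Exercises the page's openssl steps
# with verification in between. Pass phrases are passed as pass:... only to
# keep the demo non-interactive; when following the page, let openssl prompt.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: a scratch directory
KEYPASS="demo-key-pass"        # constructed
P12PASS="demo-export-pass"     # constructed
CN="Mitt Namn"                 # the placeholder subject used on the page

# Key + CSR, as on the page. umask 077 makes the key owner-only from the
# moment it is written, so there is no window before the chmod go= step.
make_key_and_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -subj "/CN=$1" \
          -keyout "$WORK/userkey.pem" -passout "pass:$KEYPASS" \
          -out "$WORK/usercert_request.pem" 2>/dev/null )
}

# What you are about to paste into the portal: the CSR subject, RFC 2253 form.
csr_subject() {
    openssl req -in "$WORK/usercert_request.pem" -noout -subject -nameopt RFC2253
}

# Stand-in for the portal (constructed): self-sign the CSR with our own key.
issue_stand_in_cert() {
    openssl x509 -req -in "$WORK/usercert_request.pem" -days 1 \
        -signkey "$WORK/userkey.pem" -passin "pass:$KEYPASS" \
        -out "$WORK/usercert.pem" 2>/dev/null
}

# Does the certificate ($1) belong to our key? Compare public-key digests.
# Use this on the .crt from the DigiCert ZIP before building the .p12.
cert_matches_key() {
    k=$(openssl pkey -in "$WORK/userkey.pem" -passin "pass:$KEYPASS" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Bundle key and certificate ($1) into a PKCS#12 file, as on the page.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/userkey.pem" -passin "pass:$KEYPASS" \
        -in "$1" -out "$WORK/my_cert.p12" -passout "pass:$P12PASS"
}

# Open the bundle again and report the subject of the certificate inside it.
p12_cert_subject() {
    openssl pkcs12 -in "$WORK/my_cert.p12" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253
}

# The page's last step: do not leave the private key and bundle lying around.
cleanup_secrets() {
    rm -f "$WORK/userkey.pem" "$WORK/my_cert.p12"
    [ ! -e "$WORK/userkey.pem" ] && [ ! -e "$WORK/my_cert.p12" ]
}

run_demo() {
    make_key_and_csr "$CN"
    echo "CSR $(csr_subject)"
    issue_stand_in_cert
    cert_matches_key "$WORK/usercert.pem"
    make_p12 "$WORK/usercert.pem"
    echo "PKCS#12 holds $(p12_cert_subject)"
    cleanup_secrets
}

run_demo
```

The public-key comparison in `cert_matches_key` is the check that matters most in practice: if the certificate file you downloaded was made from a different CSR (an older request, or one generated in the browser), `openssl pkcs12 -export` still succeeds but produces a bundle whose key does not match the certificate, and the failure only shows up later when a site rejects the client certificate.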

Exporting the Digicert certificate

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See Exporting a client certificate for detailed instructions on how to export a Digicert certificate from the most popular browsers.

Adding certificate to OS certificate store

Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.

Windows: FIXME: Investigate and update instructions accordingly.

Using the certificate with grid tools

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See Preparing a client certificate for detailed instructions on how to prepare an exported certificate for use with grid tools.