Difference between revisions of "Requesting a grid certificate using the Terena eScience Portal"

From SNIC Documentation
m (The Firefox encryption prefs can be found in different locations...)
m (Clarify that clicking next is usually good enough.)
Line 33: Line 33:
  
  
6. To create a new certificate, click on the "New certificate" link and follow the instructions. When the process is completed your certificate will be listed on the same page.
+
6. To create a new certificate, click on the "New certificate" link. Follow the instructions, clicking '''next''' where possible (the defaults are usually OK). When the process is completed your certificate will be listed on the same page.
  
 
7. Install the signed certificate in your browser by clicking on the "Install in keystore" link. This will install the certificate in the key-store of your browser. On Mac OSX, most browsers (except Firefox) will instead offer to save the certificate file by default, and in order to use it you must import it to your keychain. You can for example do this by double clicking it in the finder.
 
7. Install the signed certificate in your browser by clicking on the "Install in keystore" link. This will install the certificate in the key-store of your browser. On Mac OSX, most browsers (except Firefox) will instead offer to save the certificate file by default, and in order to use it you must import it to your keychain. You can for example do this by double clicking it in the finder.
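Review bot: in the new step 6 text, "the defaults are usually OK" does not tell the reader when they are not OK. If there is a known screen where a non-default choice is required, name it in this step; otherwise drop "usually" so the instruction is unambiguous.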

Revision as of 06:54, 22 May 2013



The Terena eScience Portal is an effort to provide users with a tool for requesting grid-certificates using the credentials from their home-institution or university.

To request a Terena eScience Certificate go to the following URL: https://tcs-escience.sunet.se

It's vital that you DON'T use https://tcs-personal.sunet.se. This is a very similar portal, but you will not get a certificate that is usable in the grid community like DEISA, Swegrid and Swestore.

A screencast version of this instruction is available here.

The detailed procedure is as follows:

1. Click "Login"

2. If requested, click on Sweden on the map.

3. Choose your identity provider in the drop down box. This is usually your home university.

4. Login using your credentials from your identity provider (your university).

You should now arrive at a "home" page like the one shown below:

Terena1.png

5. Click on the "My certificates" link in the top left side of the page. You should then arrive at a page from which you will create and manage your certificates.

Terena2.png


6. To create a new certificate, click on the "New certificate" link. Follow the instructions, clicking next where possible (the defaults are usually OK). When the process is completed your certificate will be listed on the same page.

7. Install the signed certificate in your browser by clicking on the "Install in keystore" link. This will install the certificate in the key-store of your browser. On Mac OSX, most browsers (except Firefox) will instead offer to save the certificate file by default, and in order to use it you must import it to your keychain. You can, for example, do this by double-clicking it in the Finder.

The resulting certificate Subject or DN should at this point start with "/DC=org/DC=terena/DC=tcs/". If it starts with "/C=SE/O=YOUR SITE/" then you have the wrong type of certificate. Please make sure you use the right portal above. If the problem persists, please contact support@swegrid.se before proceeding.

Exporting Terena certificate for use with Grid tools

To use the Terena certificates with the ARC grid client they have to be exported from the browser and converted into a suitable format. To export and convert an installed certificate, the following procedure can be used:

1. Export the installed certificate in the PKCS12 format. On Mac OSX, select both the private key and the certificate by clicking them while holding the apple key, then right click one of them and select "Export 2 items..." and save as DELETE_ME.p12 in a good location. In Firefox this is accomplished from the Options -> Advanced -> Encryption or Edit -> Preferences -> Advanced -> Encryption Dialog (depending on OS/Version), shown below:

Browser1.png

To show all installed certificates, click on the "View Certificates" button. This will show the following dialog:

Browser2.png

To back up your newly created certificate, select the Terena certificate and click on the "Backup" button in the previous dialog. This brings up a dialog for selecting a filename and location for the certificate. Save your certificate as DELETE_ME.p12 in a good location. The file will be given the extension .p12, indicating that it is a PKCS12 certificate. When the location has been selected, another dialog is shown asking for an export password. This password will protect the certificate and private key, as shown in the next figure:

Browser3.png

Use the password quality meter to choose a strong password for the exported certificate and private key. In Chrome the procedure is pretty much identical except that the "Export..." button is found by going to the Chrome Settings, clicking "Under the Hood" in the sidebar and then the "Manage Certificates..." button.

2. Converting the PKCS12 certificate to a format suitable for use with grid clients (PEM)

Create a directory, .globus, in your home directory.

Linux / Unix:

$ cd ~
$ mkdir .globus
$ cd .globus

Windows:

C:\...\>cd C:\Users\<username>
C:\...\>mkdir .globus
C:\...\>cd .globus

Using the "openssl" command we now convert the exported certificate to the correct format. Windows users: OpenSSL for Windows is available here.

The first step is to convert the private key. The openssl command will first ask for the password chosen when the certificate was exported ("Enter Import Password:"). In the next step the pass phrase for the exported private key is chosen ("Enter PEM pass phrase:"). Please choose a strong passphrase.

openssl pkcs12 -nocerts -in DELETE_ME.p12 -out userkey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

In the next step the certificate is converted. In the same way as with the private key we have to specify the export password again ("Enter Import Password:").

openssl pkcs12 -clcerts -nokeys -in DELETE_ME.p12 -out usercert.pem
Enter Import Password:
MAC verified OK

Before we can use the private key with our client tools, the permissions on the private key file (userkey.pem) have to be changed to a more restrictive setting (Linux/Unix):

chmod 400 userkey.pem

Do not forget to delete DELETE_ME.p12 when you are done.
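
The checks implied by the steps above (correct DN prefix, passphrase-protected key, mode 400, export file removed) can be run in one go. This is an added example, not part of the original instructions; the function names are made up here, and it assumes the file names used on this page and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example: post-conversion checks for the .globus directory.
# Function names are hypothetical; file names follow this page.

# True if the subject DN has the eScience prefix this page requires.
dn_is_escience() {
    case "$1" in
        /DC=org/DC=terena/DC=tcs/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a PEM certificate's subject in slash-separated form.
cert_subject() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# True if the key file mode is exactly 400 (GNU stat first, then BSD/macOS stat).
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "400" ]
}

# True if the PEM private key is passphrase-protected (PKCS#8 or legacy header).
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Run every check on a directory; print each failure and return non-zero if any.
check_globus_dir() {
    dir=$1
    rc=0
    dn_is_escience "$(cert_subject "$dir/usercert.pem")" ||
        { echo "usercert.pem: subject does not start with /DC=org/DC=terena/DC=tcs/"; rc=1; }
    key_is_encrypted "$dir/userkey.pem" ||
        { echo "userkey.pem: private key is not passphrase-protected"; rc=1; }
    key_perms_ok "$dir/userkey.pem" ||
        { echo "userkey.pem: mode is not 400"; rc=1; }
    [ ! -e "$dir/DELETE_ME.p12" ] ||
        { echo "DELETE_ME.p12 is still present"; rc=1; }
    return $rc
}

# When given a directory argument (for example ~/.globus), check it.
[ $# -eq 0 ] || check_globus_dir "$1"
```

Run it with the path to your .globus directory as the only argument; no output and exit status 0 means all four checks passed.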