Requesting a grid certificate using the Sectigo SSO Portal

From SNIC Documentation
Jump to: navigation, search

Preparations

Two requirements needs to be fulfilled in order to be able to request a grid (aka eScience) certificate:

  • Your organization must be set up to allow this (see #Organization Support below).
  • Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.
    • Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.

Requesting a certificate

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading Digital Certificate Enrollment.

A common error for first-time users is your identity not fullfilling the requirements for requesting personal certificates, see #Preparations above.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

Requesting a certificate with server-side generation of key

Use this method:

  • If you can accept that the key is generated on the server side.
  • If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

  • Select Certificate Profile = GÉANT IGTF-MICS Personal (very important).
  • Select Term 395 days (should be the only option).
  • Select Enrollment Method = Key Generation.
  • Select Key Type with appropriate key length. "RSA-2048" is usually good enough.
  • Provide a password that will be used to encrypt the PKCS#12 file you get back.
  • Check the "I have read and agree to the terms of the EULA" checkbox.
  • Click the SUBMIT button and accept the click-through license.

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

Requesting a certificate using a locally generated key and CSR

Use this method:

  • If there is a policy reason for you to refuse to have the key generated on the server side.
  • If there is a technical reason that needs the key to be genereated locally.

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

  • Select Certificate Profile = GÉANT IGTF-MICS Personal (very important).
  • Select Term 395 days (should be the only option).
  • Select Enrollment Method = CSR.
  • Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.
  • Check the "I have read and agree to the terms of the EULA" checkbox.
  • Click the SUBMIT button and accept the click-through license.

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

Hitting the maximum number of valid certs

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.

2022-05-02 Very are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.

Using the certificate

Using the certificate in the web browser

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

  • Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
  • Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
  • Other browsers: Please help us out by providing instructions.

Using the certificate with grid tools

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at Preparing a client certificate.

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

  • Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at Preparing a client certificate.

The other more direct alternative:

  • Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.
  • Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.

Revoking a certificate

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Appendix

Organization Support

The TCS service has changed backend provider from DigiCert to Sectigo.

This section documents organizations known to have done all the setup required to enable this for their users:

  • Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
  • Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
  • Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
  • Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
  • Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
  • Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Failed verification

  • Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)

Instructions aimed at your local organization's TCS and IdP administrators are found at here and they are welcome to contact tcs@sunet.se to get help with the setup.