HowToGridCertificate

From MariachiWiki


How to get a Grid Certificate

The certificate is issued by DOEGrids and it is personal: it identifies you, not a machine or a group. MARIACHI is associated with the Open Science Grid. The instructions below describe how to apply. The whole process, from application to having the certificate in hand, takes 2-3 business days.

Both the application process and how you later use the certificate depend on the browser and operating system you are using. The application process does not work with Apple Safari; please use Firefox.

Step 1. Apply for a certificate.

You should do this from the computer, operating system, user account, and web browser that you typically use on a day to day basis for personal work. When you make your request, there will be information saved within your web browser (the private encryption key) that will be needed later.

  • Follow the instructions at http://www.doegrids.org/pages/How-To-Import.html to add DOEgrids to your trusted authorities.
  • Go to http://pki1.doegrids.org/. Click on "New User" on the sidebar.
  • Fill in the requested information.
  • For "affiliation" choose OSG. For VO Name in OSG, choose Mariachi.
  • For email you must use an institutional email address. This means it must end with a .edu or .gov. Gmail, hotmail, etc. addresses will not suffice.
  • For your sponsor, fill in the information with the name and contact information for Helio Takai (takai@bnl.gov, tel: 631-344-2812).
  • A challenge phrase is optional. It only comes into play when you need to renew your certificate. If you use one, make a record of what it is.
  • Use a 2048 bit key length.

Step 2. Retrieve your certificate.

You will receive an e-mail saying that your request has been processed successfully.

  • Open the link in the e-mail with the same browser that you used to make the request. Depending on your browser, you should see buttons at the bottom of the page labelled "Import Your Certificate" and/or "Import S/MIME Certificate".
  • Click on whatever buttons are there. Your web browser now holds a complete certificate, i.e. the private key generated when you made the original request together with the matching public key, signed by the DOEGrids Certificate Authority.

Step 3. Export the certificate.

In order to use your certificate (and key) for other purposes (in other web browsers, e-mail clients, and to submit grid batch jobs) you need to export your certificate from your web browser. How to do this depends on your browser.

  • For Firefox 1.5 (on Linux) go to Edit | Preferences | Advanced | Security | View Certificates | Your Certificates.
  • For Mozilla 1.7 (on Linux) go to Edit | Preferences | Privacy & Security | Certificates | Manage Certificates | Your Certificates.
  • For Internet Explorer 6.0 (on Windows XP) go to Tools | Internet Options | Content | Certificates | Personal.

Select your certificate (the one with your name, if there is more than one) and click 'Export' or 'Backup'. Choose a filename to save to. On Windows/Internet Explorer it will be a .pfx file, while for Mozilla/Firefox it will be a .p12 file. Back up this file someplace safe, and if the computer you are using to do this is shared with others, remove the local copy of the file afterwards. Apply a good password to the backup when you are given the option and be sure to remember it: this file contains your private key. You should also be sure to use a password mechanism on the web browser's certificate storage, if your browser gives you that option.

If you have another Operating System/Version + Browser/Version combination and have gotten this process to work successfully, please forward instructions to jhover@bnl.gov

How to use your Grid Certificate

Trust ESnet and DOEgrids Certificate Authorities

A first step to doing anything on the internet with your DOEgrids personal certificate is to ensure that whatever application you are using *trusts* the CA (Certificate Authority) that we are using. This is necessary because the major web browsers (Internet Explorer, Firefox, Safari, Opera) and e-mail clients (Outlook, Thunderbird, iMail)

To do this, navigate to http://pki1.doegrids.org/ and...

  • Go to "Retrieval" tab.
  • Select "Import CA Certificate Chain" on left sidebar.
  • Select "Import the CA certificate chain into your browser".
  • Hit "Submit" button.
  • For Firefox, check the boxes in the dialog to trust this CA chain for web sites, e-mail, and software developers.

Then, also...

  • Select "Download the CA certificate chain in binary form."
  • Save the file somewhere, adding the extension ".pem" to it if necessary.

This file can then be used for other applications.

Use your certificate to authenticate to a secure Web page

  • First follow the instructions above for trusting the ESnet and DOEgrids CAs.
  • Be sure that your personal certificate is also loaded into your browser.

Use your certificate to send and receive secure e-mail.

  • First download the ESnet/DOEgrids certificate chain as described above in "Trust ESnet and DOEgrids Certificate Authorities".
  • For Thunderbird 1.5 on Linux:
    • Go to Edit | Preferences | Privacy | Security (tab) | "View Certificates" | Authorities (tab) | Import
    • Select and open file you downloaded previously.
    • Check boxes in dialog to trust this CA chain for web sites, e-mail, and software developers.
    • Go to Edit | Account Settings and open the "Security" page for each account.
    • For "Digital Signing" and "Encryption" select your personal certificate and activate the checkbox saying to use it to sign and encrypt messages.

Install the certificate in your UNIX home directory.

In order to submit grid batch jobs and use grid software (like GridFTP) you will need to be able to create a _grid proxy_ using the grid-proxy-init or voms-proxy-init commands. For those commands to work, your certificate must be available to them in the proper format, so you must convert the single .p12 or .pfx file into a *pair* of files (the certificate and the key), both in PEM format. Create a .globus directory in your home directory on whichever machine you will run the proxy commands, copy your exported certificate file there, and perform the conversion:

    # certificate only: -clcerts leaves out the CA chain, -nokeys leaves out the private key
    openssl pkcs12 -in your-cert-file -clcerts -nokeys -out "$HOME/.globus/usercert.pem"

and

    # private key only: openssl asks for the export password, then for a new passphrase for the key
    openssl pkcs12 -in your-cert-file -nocerts -out "$HOME/.globus/userkey.pem"

where your-cert-file is the path to your exported certificate. Note that the output files go in the .globus directory within your home directory. The userkey.pem file must be readable and writable only by you, not by your group or by everyone; otherwise the proxy commands will refuse to run.
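The conversion and permission rules above, as an added shell example that is not part of this wiki page: install_grid_cert runs the two openssl steps (assuming openssl is on PATH and the exported file is passed as its argument) and check_grid_cert confirms the file mode, the certificate's expiry and that userkey.pem really matches usercert.pem. The P12_PASS and KEY_PASS environment variables are this example's own convention, not something the grid tools know about.

```shell
#!/bin/sh
# Added example, not from the MARIACHI wiki: turn the .p12/.pfx exported in Step 3
# into the usercert.pem / userkey.pem pair under $HOME/.globus, apply the file modes
# the proxy commands insist on, and confirm the key belongs to the certificate and the
# certificate has not expired. Assumes openssl is on PATH. The export password and the
# new key passphrase are taken from P12_PASS and KEY_PASS when set (so they never show
# up on a command line); otherwise openssl prompts for them interactively.

# install_grid_cert <exported .p12 or .pfx file>
install_grid_cert() {
    p12="$1"
    globus="$HOME/.globus"
    passin=""; passout=""
    [ -n "${P12_PASS:-}" ] && passin="-passin env:P12_PASS"
    [ -n "${KEY_PASS:-}" ] && passout="-passout env:KEY_PASS"
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    mkdir -p "$globus" && chmod 700 "$globus" || return 1
    # Certificate only: -clcerts drops the CA chain, -nokeys drops the private key.
    openssl pkcs12 -in "$p12" -clcerts -nokeys $passin -out "$globus/usercert.pem" || return 1
    # Private key only, created under umask 077 so it is never readable by others, even briefly.
    (umask 077 && openssl pkcs12 -in "$p12" -nocerts $passin $passout -out "$globus/userkey.pem") || return 1
    chmod 644 "$globus/usercert.pem" && chmod 600 "$globus/userkey.pem" || return 1
    check_grid_cert "$globus"
}

# check_grid_cert [globus-dir]: succeeds only if the pair is usable by grid-proxy-init.
check_grid_cert() {
    globus="${1:-$HOME/.globus}"
    cert="$globus/usercert.pem"; key="$globus/userkey.pem"
    passin=""
    [ -n "${KEY_PASS:-}" ] && passin="-passin env:KEY_PASS"
    # The proxy commands refuse a key that is group- or world-accessible (GNU stat, then BSD stat).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "$key has mode $mode; it must be 600" >&2; return 1 ;;
    esac
    # An expired certificate is rejected by every grid service.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "$cert has expired" >&2; return 1; }
    # The key must match the certificate: compare the public key derived from each side.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256) || return 1
    keypub=$(openssl pkey -in "$key" $passin -pubout | openssl sha256) || return 1
    [ "$certpub" = "$keypub" ] || { echo "userkey.pem does not match usercert.pem" >&2; return 1; }
    echo "$globus: certificate and key OK"
}
```

Run it as install_grid_cert /path/to/exported.p12; a mismatched or world-readable key makes check_grid_cert fail before you ever reach grid-proxy-init.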

For instructions on using the grid commands, go to HowToGridTools.

Other sources for certificate manipulation instructions

Fermilab has posted detailed instructions on how to apply for Grid Certificates and how to use them. In particular, there are good instructions for Mac users.

  1. How to get a personal certificate: http://security.fnal.gov/pki/Get-Personal-DOEGrids-Cert.html
  2. How to export/import and deal with Macs: http://security.fnal.gov/pki/Export-Personal-Cert.html

and here are some other resources:

  1. DOEGrids instructions for doing this (from which these instructions are derived) are available at http://www.doegrids.org/pages/cert-request.html.
  2. Other instructions for doing this are available at http://www.grid-support.ac.uk/content/view/67/42/.