Use the GEANT Trusted Certificate Service TCS
The legacy DutchGrid CA is a 'classic' CA which itself needs to verify
your identity and make sure that you actually are who you say you are. This
process is not instantaneous: it takes up to two days to complete, and
requires you to visit one of our Registration Authorities in-person.
Fortunately, there is a far easier and quicker way to get a certificate
suitable for use on the Grid: the GEANT Trusted Certificate Service TCS,
provided to all Dutch research and academic institutions
through SURFnet, the Dutch Research and Educational Network via the existing connection between your own institution
The GEANT TCS is operated by DigiCert Inc., which offers a wider range of certificate types, including "Robot" machine-to-machine certificates. Everyone who previously had access only to regular personal certificates, can as of now also get Grid & Authentication certificates
via the same portal.
No access to the TCS service?
- Test first by going to www.digicert.com/sso and type (part of) the name of your institution
- No luck finding your organsiation? Ask your institute help desk to request "that the AAI responsible person or SURFnet ICP requests a connection be made to DigiCert in the SURFcontext dashboard and to permit inclusion of the IdP in eduGAIN"
- You find your institution but cannot log in (it complains about missing attributes) but you are an employee? Ask your institute helpdesk to request "that the eduPersonEntitlement to access the TCS, namely urn:mace:terena.org:tcs:personal-user, is set by default for all employees, since they are eligible anyway because the organization keeps a copy of a photo-ID to fulfil the requirements of the 'Wet op de Loonbelasting'"
- Still getting stuck and does your institution need help? Tell them to contact the SURFnet product manager for TCS.
You can contact your own organisation by mail at email@example.com
Putting your browser-based eScience certificate into a file
By default, your certificate (and your private key) are located in your
browser. You can use this instantly with all web-based services, such
as administrative interfaces, VO registration, etc.
For use with grid job submission, you should export these to local files on
disk, names "usercert.pem" and "userkey.pem", in the following way:
- Open the certificate store of your browser or operating system.
In Mozilla Firefox 3 (the example shown below), this is located under
"Tools", then "Options", "Advanced", and click on "View certificates".
In Internet Explorer, go to "Options", "Internte Settings", "Content",
and there click "Certificates".
- Click "backup your certificate", and also selet "save private key" when
asked for. Store the file (it will be called something.p12, since
the file format is called PKCS#12), and remember where you wrote it!
- Start jGridstart and import your
certificate from the PKCS#12 ".p12" file. It is now ready for grid use.
Alternatively, convert the "p12" file to a user cert and user key
file using the command-line tools:
openssl pkcs12 -nocerts -in cert.p12 -out $HOME/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out $HOME/.globus/usercert.pem
chmod 0600 $HOME/.globus/userkey.pem
chmod 0644 $HOME/.globus/usercert.pem
and don't forget the last step (the permissions bit) or you will see
- Go to the registration page of your user community and join a
VO, a 'virtual organisation'. A list of
frequently used VOs and how to join them is provided by
Using CSR request files with the TERENA eScience CA
Many grid tools (job submission, file management) use a file-based certificate,
typically called "usercert.pem" and "userkey.pem" in a ".globus" subdirectory
of your home folder. You can use the TCS eScience CA easily with this
kind of set-up, by submissing the corresponding "userrequest.pem" file
as a "Certificate Signing Request" (CSR) into the TCS portal.
To generate the certificate request files on a Unix or Linux system (or on
Windows with the Cygwin tools):
openssl req -subj "/CN=Pietje Puk 42" -out $HOME/.globus/userrequest.pem -keyout $HOME/.globus/userkey.pem -new
and then go to the eScience
portal, login and select "Upload CSR" instead
of browser generation. Submit the "userrequest.pem" file and wait for your
certificate to be issued.
In the list of Available Certificates (use the "My Certificates" link on the
left-hand menu), click "Download certificate" and save the file as $HOME/.globus/usercert.pem. You're now done!
If you want to import a usercert and userkey file combination into your
browser, you can use the jGridstart certificate management tool,
or look at the documentation for
installation by hand.