[Go to /]

DCA Root Service
DCA Root CA G1

Trusted Certificate Service TCS
Request your instant cert now
Guide and tools

Production CA (MS)
Manage Your Certificates
  (for non-TCS users)

Find a local registrar

Classic interface
Help with your request
Host certificate requests
Submit your request
Download your certificate
Renew your certificate
Request revocation

Reliance information
Policy Statement
Reliance Information

NL e-Infra Zero
(training services)

Legacy Cert Request Guide
Change a passphrase
RA OpsGuide
OpenSSL for Windows
eToken Guide


Privacy Policy

Browser Import Walkthrough


General Steps

First, go to the directory that contains your matching pair of usercert.pem and userkey.pem files. The key file has been generated by the makerequest script before your application; the cert file is your certificate, which got mailed to you afterwards, and which you can retrieve from the web pages at any time.

You can convert your Globus cert to a Netscape-readable PKCS#12 structure with the following openssl command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem \
-out your-new-packed-cert.p12
followed by
chmod 0600 your-new-packed-cert.p12

as shown below. You will have to type three passphrases:
  1. to decrypt your private key that is stored in the PEM file
  2. to re-encrypt your private data in the PKCS#12 file (export password).
    If you leave this passphrase empty, in any way, your certificate will be revoked as soon as possible! Having a strong export passphrase (e.g. the same as your original 12-character pass phrase) is essential to the security of your certificate.
  3. and again the same export password to make sure you did not make any typing mistakes
And before you continue any further, ensure that the restrictive permissions on the P12 file are set, even though the private key is encrypted:
chmod 0600 your-new-packed-cert.p12
Note that you may have to copy this file to a place where you can see it from your browser.

Export your key pair using the openssl pkcs12 commands with the -export option

Firefox and Netscape

Open your browser window. If you are using Firefox or other NSS based browsers, go to the "Tools" meny and select "Options".
Select Options from the Tools menu in Firefox-like browsers

In the Options dialog, select the "Advanced" section and click on the "View Certificates" button in the "Security" tab. Then, click on the "View Certificates" button.
Click the View Certificates button

In the Certificate Manager, which now opens in a new window, you can click on the "Import" button to import your key and certificate in PKCS#12 format into your browser. If you use the certificate manager for the first time, you will have to initialise this "software security device" by providing a strong passphrase (twice, to prevent typo's). A quality meter will show you how good the passphrase actually is. Never leave this password empty.
Click Import

Internet Explorer

For MS Internet Explorer 5 and higher, also select "Internet Options" from the "tools" menu. In the Internet Options dialog, go to the "Content" tab and click on the Certificates button.
Click the Certificates button

In the Certificates window, click on the Import button to start the certificate import wizard.
Click Import to start the wizard

The wizard will ask you for a filename (you need the Personal Information Exchange format, with the pfx or p12 extensions). Select the file and click "Next" to give the decryption passprase for your PKCS#12 file (which you entered in step 2).

Important: you must check the "Enable strong private key protection" box, or everyone who happens to sneak behind your PC can use the grid under your name without even having to guess a password. If you leave the box unchecked, you have severely compromised your credential.

You may mark the key as exportable.

Enable strong private key protection

The certificate should but put in the "Personal" certificate store, but usually the import wizard will make the correct decision. Just click "Next" to continue, and then "Finish" to complete the process.