Browser Import Walkthrough

General Steps

1. First, go to the directory that contains your matching pair of
   usercert.pem and userkey.pem files. The key file was generated by the
   makerequest script before your application; the cert file is your
   certificate, which was mailed to you afterwards and which you can
   retrieve from the web pages at any time.

2. You can convert your Globus cert to a Netscape-readable PKCS#12 structure
   with the following openssl command:

       openssl pkcs12 -export -in usercert.pem -inkey userkey.pem \
           -out your-new-packed-cert.p12

   followed by

       chmod 0600 your-new-packed-cert.p12

   You will have to type three passphrases:

   - to decrypt your private key that is stored in the PEM file
   - to re-encrypt your private data in the PKCS#12 file (export password).
     If you leave this passphrase empty, in any way, your certificate will
     be revoked as soon as possible! Having a strong export passphrase
     (e.g. the same as your original 12-character pass phrase) is essential
     to the security of your certificate.
   - and again the same export password, to make sure you did not make
     any typing mistakes

   Before you continue any further, ensure that the restrictive permissions
   on the P12 file are set, even though the private key is encrypted:

       chmod 0600 your-new-packed-cert.p12

   Note that you may have to copy this file to a place where you can
   see it from your browser.
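The two rules of step 2 (mode 0600 and a non-empty export passphrase) can be checked before the P12 file is copied or imported. The script below is an added example, not part of the DutchGrid CA tooling; the function names and the script name check-p12.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not DutchGrid CA tooling): checks a PKCS#12 file against the
# two rules of step 2 before it is imported into a browser.

# True if the file mode is exactly 0600 (read/write for the owner only).
p12_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# True if the file opens with an EMPTY export passphrase, which leaves the
# private key inside it effectively unprotected.
p12_opens_without_passphrase() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Runs both checks and reports every problem. Returns 0 if the file passes,
# 1 if a rule is violated, 2 if the checks could not be run at all.
check_p12() {
    p12=$1
    rc=0
    if [ ! -f "$p12" ]; then
        echo "ERROR: $p12 not found" >&2
        return 2
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "ERROR: openssl not found in PATH" >&2
        return 2
    fi
    if ! p12_mode_ok "$p12"; then
        echo "FAIL: $p12 is not mode 0600 (run: chmod 0600 $p12)" >&2
        rc=1
    fi
    if p12_opens_without_passphrase "$p12"; then
        echo "FAIL: $p12 has an empty export passphrase; delete it and export again" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $p12 is mode 0600 and does not open without a passphrase"
    fi
    return "$rc"
}

# Usage: sh check-p12.sh your-new-packed-cert.p12   (script name is hypothetical)
if [ "$#" -ge 1 ]; then
    check_p12 "$1"
fi
```

The empty-passphrase test treats any failure to open the file as "passphrase required", so it does not prove that the file is otherwise intact.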
 
 
Open your browser window. If you are using Firefox or other NSS-based browsers,
go to the "Tools" menu and select "Options".

In the Options dialog, select the "Advanced" section, open the "Security" tab,
and click on the "View Certificates" button.

In the Certificate Manager, which now opens in a new window, click on the
"Import" button to import your key and certificate in PKCS#12 format into
your browser. If you are using the certificate manager for the first time,
you will have to initialise this "software security device" by providing
a strong passphrase (twice, to prevent typos). A quality meter will
show you how good the passphrase actually is.
Never leave this password empty.
 
For MS Internet Explorer 5 and higher, also select "Internet Options" from
the "Tools" menu. In the Internet Options dialog, go to the "Content" tab
and click on the "Certificates" button.

In the Certificates window, click on the "Import" button to start the
certificate import wizard.

The wizard will ask you for a filename (you need the Personal Information
Exchange format, with the pfx or p12 extensions). Select the file and
click "Next" to give the decryption passphrase for your PKCS#12
file (which you entered in step 2).

Important: you must check the "Enable strong private key protection"
box, or everyone who happens to sneak behind your PC can use the grid
under your name without even having to guess a password. If you leave
the box unchecked, you have severely compromised your credential.

You may mark the key as exportable.

The certificate should be put in the "Personal" certificate store, but
usually the import wizard will make the correct decision. Just click
"Next" to continue, and then "Finish" to complete the process.