r14 - 09 Feb 2007 - 15:53:45 - TorreWenausYou are here: TWiki >  AtlasSoftware Web > CertificateScripts

How to get a grid certificate using Linux commands (scripts)

Requesting a certificate

  • Log on to acas at the BNL Tier 1: ssh -t atlasgw.bnl.gov rterm -i acas+
    • Or if you don't have a BNL account but your site has a recent installation of VDT, you should be able to find the scripts locally as described here?
    • Or if you don't have a BNL account or a VDT installation, but have AFS installed, the procedure below should work from any site (tested with lxplus @ CERN) as long as you have a local AFS token
    • If none of the above works for you, you can pick up the scripts and install yourself. The latest version of the scripts is posted at OSG:Security/CertScriptsPackage? . It is available either as a tarball or via the VDT pacman cache: to get it from the VDT 1.3.11 cache use pacman -get http://vdt.cs.wisc.edu/vdt_1311_cache:PPDG-Cert-Scripts. With either tar or pacman, current directory should be $VDT_LOCATION for the installation.
  • source /afs/usatlas.bnl.gov/Grid/vdt/current/setup.sh
    • This will add the cert scripts to your path. They are in /afs/usatlas.bnl.gov/Grid/vdt/current/cert-scripts/bin/
  • Use the cert-request command to request a certificate. All certificate management scripts are described here?
    • It will ask you to enter a 'PEM passphrase'. This just means pick a password for your certificate and enter it
    • Specify OSG as your registration authority. As the contact specify your supervisor or someone in computing management who knows you (Torre, Srini, Hong, Jim, Razvan, ...)
    • For your virtual organization affiliation specify usatlas.
    • Note down your certificate request ID
  • If you do not get an email response within two days, open a ticket by sending an email describing the problem, including your request ID in the subject, to:
         and CC 
  • When you get an email saying your certificate is approved, with instructions on how to retrieve it using a browser, ignore the instructions
    • Instead, use the cert-retrieve command, it will retrieve and install the certificate
  • Now that you have your certificate, proceed to the instructions for setting up your environment and joining the ATLAS VO.

Renewing a certificate

If you are renewing a certificate, use the cert-renew script. For renewal there is no approval step that takes days; the renewed certificate will be generated on the spot.

Loading your certificate in a web browser

If you want to load your certificate into your browser then you will need to convert your certificate from the PEM format it was created with to the PKCS12 format that is accepted by web browsers. (Thanks to Sergey Panitkin for these instructions.) You will need to do this because the procedure to join the ATLAS VO is browser-based and requires that your certificate be in the browser.

In order to convert certificates to PKCS12 format use this command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12 -name "Some friendly name for your certificate here"

You will be prompted for userkey.pem's password (that's your "main grid certificate password") and then for a new password for the new pk12 file; you can use the same password as before if you like. That second password will be asked by the web browser during pk12 certificate import procedure.

It's recommended to change access privileges for the new pk12 certificate file to "read/write only by owner".

Both Firefox and Internet Explorer accepted certificates created in this way.

-- TorreWenaus - 2 Oct 2006
-- TorreWenaus - 10 Jul 2006

About This Site

Please note that this site is a content mirror of the BNL US ATLAS TWiki. To edit the content of this page, click the Edit this page button at the top of the page and log in with your US ATLAS computing account name and password.


Attachments

 
Powered by TWiki
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback