Personal certificates from CERN

A personal certificate consists of a pair of files: the private key (userkey.pem) and the certificate itself, which contains the public key (usercert.pem). To obtain a certificate, a request has to be made to a Certification Authority recognized by WLCG.

How to get a personal certificate from CERN

The screenshots included below are out of date, but the current (2016) CERN pages are reasonably self-explanatory. If you have problems obtaining a personal certificate from the CERN CA, you should contact the CERN help desk, not CMS. They will have up-to-date help instructions for you. This twiki may also be of assistance:

These points may help with the procedure, so please read through them first:

  • If you have existing personal certificates ~/.globus/usercert.pem and ~/.globus/userkey.pem, then you may want to rename those files first.
  • To get info about your *.pem files, try a command like this (for example, my old DOEGrids cert):
    nunllap01  5% openssl x509 -in ~/.globus/usercert.pem -subject -issuer -dates -noout
    subject= /DC=org/DC=doegrids/OU=People/CN=Robert Snihur 365033
    issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
    notBefore=Feb 22 19:20:18 2012 GMT
    notAfter=Feb 21 19:20:18 2013 GMT
  • When you use the openssl command to create the ~/.globus/usercert.pem file, it will ask for the "Import Password"; this is the "Backup password" you chose in the previous step. When you use the openssl command to create the ~/.globus/userkey.pem file, it will ask for the "Import Password" again, and it will also ask you to choose a "PEM pass phrase". The "PEM pass phrase" will need to be typed in every time you issue the grid-proxy-init or voms-proxy-init commands.


  1. The preferred browser is Firefox (Mozilla); point it to . Click on "New User Certificate". screenshot
  2. The next page requires you to sign in with your CERN account, if you have not yet done so. screenshot
  3. On the next page, the Certification Authority requires Identity Verification: enter your account password and birth date, then click "Next". screenshot
  4. The resulting page may ask you to verify that your browser has the CERN Root Certificate installed. To verify this, see the middle part of the instructions at
    If the Root certificate is not installed, please click on "install" and follow the instructions.
    Otherwise, choose the default Key Strength (High Grade), then click on "Submit". A small window will appear saying something like "Key generation in progress". screenshot
  5. The next page should show "Your new certificate is ready". Click on "Download this certificate".
    A small alert window will appear saying "Your personal certificate has been installed. You should keep a backup copy of this certificate." Click "OK". screenshot
  6. Verify that your new CERN personal certificate is installed in your browser, by following the first part of the instructions (before the "Backup" step). I see it under "Your certificates":
    Certificate Name = CERN Trusted Certification Authority Robert Snihur
    Security Device = Software Security Device
    Serial Number = xxxx
    Expires on = 08/22/2013
  7. Follow the instructions for how to use your certificate with grid-proxy-init. This procedure will also create a backup, requiring you to choose a backup password.
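
The conversion that step 7 and the password notes above refer to, as an added example that is not part of the original page or of CERN's instructions. The backup file name myCert.p12, the function names and the optional P12_PASS / PEM_PASS variables are assumptions; the 644/400 file modes follow the usual grid convention of an owner-only private key.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed names: myCert.p12 (browser
# backup file) and the optional P12_PASS / PEM_PASS environment variables; when
# they are unset, openssl prompts for the passwords as the page describes.

# Succeed only if userkey.pem matches usercert.pem and the cert is not expired.
# Function bodies run in a subshell, so "exit" only leaves the function.
verify_globus_pair() (
    dir=$1; key_pw=""
    if [ -n "${PEM_PASS+x}" ]; then key_pw="-passin env:PEM_PASS"; fi
    cert_pub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$dir/userkey.pem" $key_pw -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "userkey.pem does not match usercert.pem" >&2; exit 1
    fi
    if ! openssl x509 -in "$dir/usercert.pem" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2; exit 1
    fi
)

# Split the PKCS#12 backup P12 into DIR/usercert.pem and DIR/userkey.pem.
p12_to_globus() (
    p12=$1; dir=${2:-$HOME/.globus}; in_pw=""; out_pw=""
    if [ -n "${P12_PASS+x}" ]; then in_pw="-passin env:P12_PASS"; fi
    if [ -n "${PEM_PASS+x}" ]; then out_pw="-passout env:PEM_PASS"; fi
    umask 077                       # nothing is created group/world readable
    mkdir -p "$dir" || exit 1
    for f in usercert.pem userkey.pem; do     # keep an existing pair, renamed
        if [ -e "$dir/$f" ]; then
            mv -f "$dir/$f" "$dir/$f.old-$(date +%Y%m%d%H%M%S)" || exit 1
        fi
    done
    # Certificate only: asks for the Import (backup) password.
    openssl pkcs12 -in "$p12" -clcerts -nokeys $in_pw \
        -out "$dir/usercert.pem" || exit 1
    # Private key only: asks for the Import password, then a new PEM pass phrase.
    openssl pkcs12 -in "$p12" -nocerts $in_pw $out_pw \
        -out "$dir/userkey.pem" || exit 1
    chmod 644 "$dir/usercert.pem" || exit 1
    chmod 400 "$dir/userkey.pem" || exit 1    # owner read-only
    verify_globus_pair "$dir"
)

# Usage: p12_to_globus myCert.p12
```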

-- RobSnihur - 25-Oct-2012

Topic revision: r16 - 2017-08-01 - StevenWasserbaech