Personal certificates from CERN

A personal certificate consists of a pair of files: the private key (userkey.pem) and the certificate itself, which contains the public key (usercert.pem). To obtain a certificate, a request has to be made to a Certification Authority recognized by WLCG.

How to get a personal certificate from CERN

The screenshots included below are out of date, but the current (2016) CERN pages are reasonably self-explanatory. If you have problems obtaining a personal certificate from the CERN CA, you should contact the CERN help desk, not CMS. They will have up-to-date help instructions for you. This twiki may also be of assistance:

These points may help with the procedure, so please read through them first:

  • If you have existing personal certificates ~/.globus/usercert.pem and ~/.globus/userkey.pem, then you may want to rename those files first.
  • To get info about your *.pem files, try a command like this (for example my old DOEGrids cert):
    nunllap01  5% openssl x509 -in ~/.globus/usercert.pem -subject -issuer -dates -noout
    subject= /DC=org/DC=doegrids/OU=People/CN=Robert Snihur 365033
    issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
    notBefore=Feb 22 19:20:18 2012 GMT
    notAfter=Feb 21 19:20:18 2013 GMT
  • When you use the openssl command to create the ~/.globus/usercert.pem file, it will ask for the "Import Password"; this is the "Backup password" you chose in the previous step. When you use the openssl command to create the ~/.globus/userkey.pem file, it will ask for the "Import Password" again, and it will also ask you to choose a "PEM pass phrase". The "PEM pass phrase" will need to be typed in every time you issue the grid-proxy-init or voms-proxy-init commands.


  1. The preferred browser is Firefox (Mozilla); point it to . Click on "New User Certificate". screenshot
  2. The next page requires you to sign in with your CERN account, if you have not yet done so. screenshot
  3. On the next page, the Certification Authority requires identity verification: enter your account password and birth date, then click "Next". screenshot
  4. The resulting page may ask you to verify that your browser has the CERN Root Certificate installed. To verify this, see the middle part of the instructions at
    If the Root certificate is not installed, please click on "install" and follow the instructions.
    Otherwise, choose the default Key Strength (High Grade), then click on "Submit". A small window will appear saying something like "Key generation in progress". screenshot
  5. The next page should show "Your new certificate is ready". Click on "Download this certificate".
    A small alert window will appear saying "Your personal certificate has been installed. You should keep a backup copy of this certificate." Click "OK". screenshot
  6. Verify that your new CERN personal certificate is installed in your browser, by following the first part of the instructions (before the "Backup" step) at I see it under "Your certificates":
    Certificate Name = CERN Trusted Certification Authority Robert Snihur
    Security Device = Software Security Device
    Serial Number = xxxx
    Expires on = 08/22/2013
  7. Follow the instructions for how to use your certificate with grid-proxy-init. This procedure will also create a backup, requiring you to choose a backup password.

-- RobSnihur - 25-Oct-2012
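
The conversion mentioned in the notes above (browser backup to usercert.pem and userkey.pem), followed by checks worth running before the first grid-proxy-init, as an added example that is not part of the original twiki or of CERN's instructions. The backup file name myCert.p12 and the KEY_PASSIN variable are assumptions.

```shell
#!/bin/sh
# Added example, not CERN's or the twiki's own script.
# myCert.p12 (browser backup file name) and KEY_PASSIN are assumptions.

# Split the browser backup (PKCS#12) into the two PEM files.
p12_to_pem() {   # usage: p12_to_pem myCert.p12 ~/.globus
    ( umask 077                      # never create the key world-readable
      mkdir -p "$2" &&
      # Prompts for the Import Password (the backup password).
      openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/usercert.pem" &&
      # Prompts for the Import Password, then for a new PEM pass phrase.
      openssl pkcs12 -in "$1" -nocerts -out "$2/userkey.pem" &&
      chmod 644 "$2/usercert.pem" && chmod 400 "$2/userkey.pem" )
}

# Check the result. Returns 0 if usable, else a code for the first problem:
# 1 missing file, 2 key readable by group/other, 3 key not encrypted,
# 4 certificate expired, 5 key does not match the certificate
# (or the pass phrase was wrong).
check_grid_cert() {   # usage: check_grid_cert ~/.globus
    cert="$1/usercert.pem"; key="$1/userkey.pem"
    [ -f "$cert" ] && [ -f "$key" ] || return 1
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 2
    # Matches "BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED".
    grep -q ENCRYPTED "$key" || return 3
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 4
    # Compare public keys; asks for the PEM pass phrase unless KEY_PASSIN
    # (e.g. "env:MYPASS", for unattended runs) is set.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 5
    keypub=$(openssl pkey -in "$key" -pubout \
             ${KEY_PASSIN:+-passin "$KEY_PASSIN"}) || return 5
    [ "$certpub" = "$keypub" ] || return 5
    return 0
}

# Run the check when a directory is given on the command line.
if [ "$#" -ge 1 ]; then check_grid_cert "$1"; echo "check_grid_cert: $?"; fi
```
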

