Using a group certificate can be extremely useful in situations where different people use the same login and machine to perform their tasks. A common case is the shifters in the control rooms, where different people use the same machines and usually need to sign in to different services.

Group certificates can then remove the need for shifters to use their own credentials to log in through the SSO to access TWiki pages, for example. The information on this page is based on my experience of asking for a certificate and configuring the Trigger machines in the CMS control room, at P5, to use it. This way, shifters are no longer asked for their credentials in most situations.

Requesting the certificate

Requesting a certificate can be somewhat tricky. In fact, it's not a very common task and sometimes system administrators are very familiar with the steps involved.
  • As the certificate should not be connected to anyone in particular, a Service Provider account should be requested. Either you or your group administrator can connect to https://cra.cern.ch/ in order to do that.
  • Following the creation of the Service Provider and its associated account, you should also create an E-Group to which all the e-mails will be redirected, so that contact with the team responsible for the certificate is possible.
  • The last step is the certificate request itself. Point your browser to the https://ca.cern.ch/ca/Certificates/certrequestff.aspx web page and fill in the necessary boxes. Your browser will then take a couple of seconds to generate a key.
  • Click on the link that follows to install the certificate and that's it!

For more details, please contact helpdesk@cern.ch.

Installing the certificate on different machines

If you followed the previous steps, your browser already has the certificate installed, and that should be OK for the general case. However, if you are planning to install the same certificate on different machines, you still need a few extra steps; the strategy is to back up the certificate from the machine where it's already installed, and import it on the other machines.
  • From the machine where you have the certificate installed, open Firefox and choose "Preferences" from the "Edit" menu.
  • After selecting the certificate you want to back up from the "Your Certificates" list, click on "Backup". You will then be asked to select a location for the backup, and a password, in order to be able to restore it.
  • On the machines where you wish to install the certificate, you now need to do the inverse: from "Preferences" choose "Import" and select the proper location for the certificate.
  • On the Preferences menu, make sure that the option to automatically select a certificate is checked.
  • After you have been asked for the security password, the certificate will then be installed.
  • Do the same for the rest of the machines where you want to install it.
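
The backup that Firefox writes is a PKCS#12 file holding both the certificate and its private key, so it is worth checking before it is copied to other machines. The following added example (not part of the original page) opens the backup with openssl, checks that the certificate is not about to expire, and prints a SHA-256 fingerprint that can be compared on every machine; it assumes openssl is installed, and the function names and the P12_PASS variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl is installed.
# The function names and the P12_PASS variable are hypothetical.
# The backup password is read from the environment (P12_PASS) so that it
# does not appear on a command line.

# Print the client certificate (PEM) stored in backup file $1, without the key.
p12_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null
}

# Print the SHA-256 fingerprint of the certificate in backup file $1.
p12_fingerprint() {
    p12_cert "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# p12_check FILE [MIN_DAYS]
# 0: backup opens and the certificate is valid for at least MIN_DAYS (default 30)
# 1: certificate expires sooner than that
# 2: wrong password, or the file is not a usable backup
p12_check() {
    _days=${2:-30}
    _pem=$(p12_cert "$1") || { echo "cannot open $1" >&2; return 2; }
    [ -n "$_pem" ] || { echo "no certificate in $1" >&2; return 2; }
    if ! printf '%s\n' "$_pem" |
        openssl x509 -noout -checkend $(( $_days * 86400 )) >/dev/null; then
        echo "certificate in $1 expires within $_days days" >&2
        return 1
    fi
    # Show whose certificate this is and when it expires.
    printf '%s\n' "$_pem" | openssl x509 -noout -subject -enddate
}

# Stand-alone use: P12_PASS=... sh this_script backup.p12 [min_days]
if [ "$#" -gt 0 ]; then
    p12_check "$@"
    p12_fingerprint "$1"
fi
```

With OpenSSL 3, backups written by older Firefox versions may need the `-legacy` option added to the `pkcs12` call. Once the import is done everywhere, delete the copies of the backup file, since anyone holding the file and its password holds the group identity.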

In order to make the authentication completely transparent to the users, tick the "Enable Automatic Logon" box before clicking on "Login using your certificate".

Topic revision: r3 - 2020-08-30 - TWikiAdminUser