How to get a certificate at CERN

'''Only For CERN Users'''

 

General

 

  • These lines follow the normal procedure for applying and getting a new GRID certificate.
  • The instructions given here are meant for people getting the certificate fromthe CERN's certificate authority. For other sources, please contact your national authority.
  • All the steps were done using Mozilla - I imagine having no essential difference if you use Internet Explorer.

 

 

The 4 basic steps

You need to follow the 5 basic steps listed here 

Only when you completed successfully all 5 steps, you will be able to authenticate yourself to AliEn using your certificate.

 

Step 1

 

After clicking on the link you will be redirected to an EDMS page.

Read the document linked on this page.

 

Step 2

 

  • The CERN certification authority is accessbile at  https://ca.cern.ch/ca
  • Select the link on your left:
  • Request user certificate using Mozilla browser (or Internet Explorer)
  • Even if you used to have a certificate and you just need to renew it, you must get a new one.
  • Provide your nice account and follow the web instructions.
  • After completing everything you will have you certificate in your window:
  • Click "Install certificate" to install it in your browser.
  • The next thing you have to do is to export your new certificate. Staying in your mozilla browser (it can be applied for Internet Explorer as well) do the following:
  • In the main menu click Edit->Preferences->Privacy & Security
  • Click "Certificates"
  • From the list of certificates select the certificate you want to extract and click "Backup"
  • Choose the folder you want to store it ($HOME/.globus), Enter a file name ending with a .p12 extension and click "Save": e.g myCert.p12
  • Choose a certificate backup password and click "Ok"
  • Having the certificate in a p12 format we need to convert it into a PEM Keypair (we assume that the machine you extracted your certificate is the one that you will run the GRID software)[https://ca.cern.ch/ca/Help/?kbid=023010 (conversion)]:
    • openssl pkcs12 -clcerts -nokeys -in myCert.p12 -out usercert.pem
    • openssl pkcs12 -nocerts -in myCert.p12 -out userkey.pem
    • chmod 400 userkey.pem
  • Open a terminal and go to the directory where you stored the p12 file.
  • For the creation of the certificate type: '''openssl pkcs12 -in myCert.p12 -clcerts -nokeys -out usercert.pem'''
  • For the creation of the encrypted private key type: '''openssl pkcs12 -in myCert.p12 -nocerts -out userkey.pem'''
  • You must set the mode on your userkey.pem file to read only by the owner: '''chmod 400 userkey.pem'''.

 

Step 3

  • If you followed the previous slides, the certificate should have already beenloaded on your browser.

Step 4

 

You are here