SNIC Documentation - User contributions [en]

Support

2025-02-27T12:16:07Z

Kent Engström (NSC): SUPR support form can also be used by non-logged in users.

Support alternatives:

; Guides
: This site has a number of guides on a variety of subjects, see [[:Category:Guide]].

; Centre, Swestore and SUPR support
: Go to [http://supr.naiss.se/support http://supr.naiss.se/support]. The support form there helps you fill in a good support request. This is by far the quickest way of getting your problems solved, and this is where you should address all your support questions. In case an issue cannot be immediately solved by these support queues it will be forwarded to the right place for you.

; Interactive support sessions
: The [[Zoom-in|SNIC zoom-in]] is a virtual meeting room in which you can discuss the services offered by the SNIC centres and how they can be used for your computational needs, help you process your data and visualise your results.

; Application support
: e-mail: [mailto:application-support@naiss.se application-support@naiss.se] 
: This mail address can be used if you have support questions that are not directly regarding how to run a given application on a specific SNIC HPC resource, but regarding how to use the application itself or how to solve an issue with the application that is not specific to running it on a certain resource. 
: The application-support queue is monitored by all the application experts, who are distributed over all the six SNIC HPC centers, so there is a good chance that someone who knows the given application will see the support request and help answer your questions or solve your issue. 
: If you don’t know whether or not to use the application-support address for your support request, then just send your request to the support address at the HPC center where you run your jobs. Then someone monitoring that support queue will in turn move your support request to the application-support queue if they find that your request is better handled there.

Support

2024-04-09T09:21:26Z

Kent Engström (NSC): Fix snic.se -> naiss.se, leave other SNIC references untouched

Support alternatives:

; Guides
: This site has a number of guides on a variety of subjects, see [[:Category:Guide]].

; Centre, Swestore and SUPR support
: Go to [http://supr.naiss.se/support http://supr.naiss.se/support]. If you can login to SUPR you can use a support form that helps you fill in a good support request. If you cannot login you will get a list of email addresses to use for your support request.
: This is by far the quickest way of getting your problems solved, and this is where you should address all your support questions. In case an issue cannot be immediately solved by these support queues it will be forwarded to the right place for you.

; Interactive support sessions
: The [[Zoom-in|SNIC zoom-in]] is a virtual meeting room in which you can discuss the services offered by the SNIC centres and how they can be used for your computational needs, help you process your data and visualise your results.

; Application support
: e-mail: [mailto:application-support@naiss.se application-support@naiss.se] 
: This mail address can be used if you have support questions that are not directly regarding how to run a given application on a specific SNIC HPC resource, but regarding how to use the application itself or how to solve an issue with the application that is not specific to running it on a certain resource. 
: The application-support queue is monitored by all the application experts, who are distributed over all the six SNIC HPC centers, so there is a good chance that someone who knows the given application will see the support request and help answer your questions or solve your issue. 
: If you don’t know whether or not to use the application-support address for your support request, then just send your request to the support address at the HPC center where you run your jobs. Then someone monitoring that support queue will in turn move your support request to the application-support queue if they find that your request is better handled there.

Requesting a grid certificate using the Sectigo SSO Portal

2023-02-15T13:02:55Z

Kent Engström (NSC): Removed redirect to Swestore Documentation Moved

This page has been moved to the [https://docs.swestore.se/access/certificates/sectigo Swestore documentation].

Requesting a grid certificate using the Sectigo SSO Portal

2022-05-02T11:38:09Z

Kent Engström (NSC): /* Hitting the maximum number of valid certs */

== Preparations ==

Two requirements needs to be fulfilled in order to be able to request a grid (aka eScience) certificate:
* Your organization must be set up to allow this (see [[#Organization Support]] below)
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.
** Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.

== Requesting a certificate ==

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.

A common error for first-time users is your identity not fullfilling the requirements for requesting personal certificates, see [[#Preparations]] above.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

=== Requesting a certificate with server-side generation of key ===

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 395 days (should be the only option)
* Select Enrollment Method = Key Generation
* Select Key Type with approproate number of bits
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

=== Requesting a certificate using a locally generated key and CSR ===

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 395 days (should be the only option)
* Select Enrollment Method = CSR
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

=== Hitting the maximum number of valid certs ===

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

''2022-05-02 Very are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''

== Using the certificate ==

=== Using the certificate in the web browser ===

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

=== Using the certificate with grid tools ===

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

== Revoking a certificate ==

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

== Appendix ==
=== Organization Support ===

The TCS service has changed backend provider from DigiCert to Sectigo.

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Failed verification

* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)

Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.

Requesting a grid certificate using the Sectigo SSO Portal

2021-09-22T07:28:18Z

Kent Engström (NSC):

== Preparations ==

Two requirements needs to be fulfilled in order to be able to request a grid (aka eScience) certificate:
* Your organization must be set up to allow this (see [[#Organization Support]] below)
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.
** Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.

== Requesting a certificate ==

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.

A common error for first-time users is your identity not fullfilling the requirements for requesting personal certificates, see [[#Preparations]] above.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

=== Requesting a certificate with server-side generation of key ===

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 395 days (should be the only option)
* Select Enrollment Method = Key Generation
* Select Key Type with approproate number of bits
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

=== Requesting a certificate using a locally generated key and CSR ===

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 395 days (should be the only option)
* Select Enrollment Method = CSR
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

=== Hitting the maximum number of valid certs ===

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

== Using the certificate ==

=== Using the certificate in the web browser ===

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

=== Using the certificate with grid tools ===

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

== Revoking a certificate ==

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

== Appendix ==
=== Organization Support ===

The TCS service has changed backend provider from DigiCert to Sectigo.

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Failed verification

* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)

Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.

Requesting a grid certificate using the Sectigo SSO Portal

2021-06-09T15:28:20Z

Kent Engström (NSC): /* Requesting a certificate using a locally generated key and CSR */

== Preparations ==

Two requirements needs to be fulfilled in order to be able to request a grid (aka eScience) certificate:
* Your organization must be set up to allow this (see [[#Organization Support]] below)
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.
** Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.

== Requesting a certificate ==

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.

A common error for first-time users is your identity not fullfilling the requirements for requesting personal certificates, see [[#Preparations]] above.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

=== Requesting a certificate with server-side generation of key ===

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 395 days (should be the only option)
* Select Enrollment Method = Key Generation
* Select Key Type with approproate number of bits
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

=== Requesting a certificate using a locally generated key and CSR ===

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 295 days (should be the only option)
* Select Enrollment Method = CSR
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

=== Hitting the maximum number of valid certs ===

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

== Using the certificate ==

=== Using the certificate in the web browser ===

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

=== Using the certificate with grid tools ===

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

== Revoking a certificate ==

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

== Appendix ==
=== Organization Support ===

The TCS service has changed backend provider from DigiCert to Sectigo.

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Failed verification

* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)

Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.

Requesting a grid certificate using the Sectigo SSO Portal

2021-06-09T15:27:14Z

Kent Engström (NSC): /* Requesting a certificate with server-side generation of key */

== Preparations ==

Two requirements needs to be fulfilled in order to be able to request a grid (aka eScience) certificate:
* Your organization must be set up to allow this (see [[#Organization Support]] below)
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.
** Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.

== Requesting a certificate ==

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.

A common error for first-time users is your identity not fullfilling the requirements for requesting personal certificates, see [[#Preparations]] above.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

=== Requesting a certificate with server-side generation of key ===

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Term 395 days (should be the only option)
* Select Enrollment Method = Key Generation
* Select Key Type with approproate number of bits
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

=== Requesting a certificate using a locally generated key and CSR ===

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

=== Hitting the maximum number of valid certs ===

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

== Using the certificate ==

=== Using the certificate in the web browser ===

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

=== Using the certificate with grid tools ===

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

== Revoking a certificate ==

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

== Appendix ==
=== Organization Support ===

The TCS service has changed backend provider from DigiCert to Sectigo.

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Failed verification

* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)

Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-28T15:01:24Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal and they are welcome to contact tcs@sunet.se to get help with the setup.

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-28T14:59:30Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* KTH (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Digicert SSO Portal

2020-04-28T14:58:06Z

Kent Engström (NSC):

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]

[[Grid_certificates#Requesting a certificate|< Grid certificates]]

= Switching to a new provider =

On 2020-05-01, Digicert is no longer the provider of this service. See [[Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal]] for instructions on how to use the new provider's portal.

= Browser Support =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].

For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]].

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see [[#Browser Support|Browser Support]] above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Requesting a personal grid certificate using CSR created outside of the browser =

# Start a suitable web browser
## Windows:
### Internet Explorer
### Edge
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
### Chrome
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem
cat usercert_request.pem

#Paste the CSR text into the "CSR" text box
#Press "Request Certificate".
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.

unzip mitt_namn_namne12_foo_se.zip
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12

# Import the PKCS#12 file into your browser(s):
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
## Other browsers: ''Please help us out by providing instructions''.
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

[[Grid_certificates#Requesting a certificate|< Grid certificates]]

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-28T14:55:22Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* KTH (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunds universitet (verified OK 2020-04-28 by Anders A at Lunarc)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-28T14:54:13Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* KTH (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunarc at Lunds universitet (verified OK 2020-04-28 by Anders A at Lunarc) - other subdomains under lu.se not working yet
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-28T08:32:32Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* KTH (verified OK 2020-04-28 by Lilit A at PDC)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunarc at Lunds universitet (verified OK 2020-04-28 by Anders A at Lunarc) - other subdomains under lu.se not working yet
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-28T06:48:09Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Lunarc at Lunds universitet (verified OK 2020-04-28 by Anders A at Lunarc) - other subdomains under lu.se not working yet
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T15:09:10Z

Kent Engström (NSC): /* Hitting the maximum number of valid certs */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T15:08:17Z

Kent Engström (NSC): /* Requesting a certificate */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

== Hitting the maximum number of valid certs ==

If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

*2020-04-27 This behavious will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.*

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T15:04:41Z

Kent Engström (NSC): /* Requesting a certificate */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get at this point.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T15:04:03Z

Kent Engström (NSC):

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Chalmers (verified OK 2020-04-27 by Mathias L at C3SE)
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T13:02:04Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T11:54:59Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* Linköpings universitet (verified OK 2020-04-24 by Kent and colleagues at NSC)

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:39:20Z

Kent Engström (NSC):

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

= Revoking a certificate =

Currrently, you cannot revoke your certificate from the portal. If you need you certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:24:15Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:19:42Z

Kent Engström (NSC): /* Organization Support */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:17:50Z

Kent Engström (NSC): /* Using the certificate with grid tools */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:17:30Z

Kent Engström (NSC): /* Using the certificate with grid tools */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at[[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:16:44Z

Kent Engström (NSC): /* Using the certificate */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].

If you uploaded a CSR and got cert.pem back, you can do it in one of two ways. The first one:

* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at[[Preparing a client certificate]].

The other more direct alternative:

* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem

FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:08:53Z

Kent Engström (NSC): /* Using the certificate in the web browser */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:08:32Z

Kent Engström (NSC): /* Using the certificate in the web browser */

= Organization Support =

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

* LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

= Requesting a certificate =

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

== Requesting a certificate using a locally generated key and CSR ==

Use this method:

* If there is a policy reason for you to refuse to have the key generated on the server side
* If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Upload CSR
* Use "Choose File" to upload the usercert_request.pem file you created above
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

== Requesting a certificate with server-side generation of key ==

Use this method:

* If you can accept that the key is generated on the server side
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

* Select Certificate Profile = GÉANT IGTF-MICS Personal
* Select Private Key = Generate RSA
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
* Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

= Using the certificate =

== Using the certificate in the web browser ==

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web broswer. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
* Other browsers: Please help us out by providing instructions.

== Using the certificate with grid tools ==

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T09:02:59Z

Kent Engström (NSC): /* Requesting a certificate */

Requesting a grid certificate using the Sectigo SSO Portal

2020-04-27T08:46:27Z

Kent Engström (NSC): Created page with "= Organization Support = The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01. This section docum..."

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T12:53:24Z

Kent Engström (NSC): /* Requesting a personal grid certificate using CSR created outside of the browser */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Browser Support =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].

For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]].

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see Browser Support above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Requesting a personal grid certificate using CSR created outside of the browser =

# Start a suitable web browser
## Windows:
### Internet Explorer
### Edge
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
### Chrome
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chown go= userkey.pem
cat usercert_request.pem

#Paste the CSR text into the "CSR" text box
#Press "Request Certificate".
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.

unzip mitt_namn_namne12_foo_se.zip
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12

# Import the PKCS#12 file into your browser(s):
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
## Other browsers: ''Please help us out by providing instructions''.
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T12:51:10Z

Kent Engström (NSC): /* Browser Support */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Browser Support =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].

For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]].

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see Browser Support above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Requesting a personal grid certificate using CSR created outside of the browser =

# Start a suitable web browser
## Windows:
### Internet Explorer
### Edge
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
### Chrome
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chown go= userkey.pem
cat usercert_request.pem

#Paste the CSR text into the "CSR" text box
#Press "Request Certificate".
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.

unzip mitt_namn_namne12_foo_se.zip
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12

# Import the PKCS#12 file into your browser.
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
## Other browsers: ''Please help us out by providing instructions''.
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T12:38:10Z

Kent Engström (NSC): /* Requesting a personal grid certificate using CSR and key generated outside the browser */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Browser Support =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see Browser Support above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Requesting a personal grid certificate using CSR created outside of the browser =

# Start a suitable web browser
## Windows:
### Internet Explorer
### Edge
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
### Chrome
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chown go= userkey.pem
cat usercert_request.pem

#Paste the CSR text into the "CSR" text box
#Press "Request Certificate".
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.

unzip mitt_namn_namne12_foo_se.zip
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12

# Import the PKCS#12 file into your browser.
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
## Other browsers: ''Please help us out by providing instructions''.
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T12:35:27Z

Kent Engström (NSC): /* Requesting a personal grid certificate directly in the browser */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Browser Support =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see Browser Support above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Requesting a personal grid certificate using CSR and key generated outside the browser =

# Start a suitable web browser
## Windows:
### Internet Explorer
### Edge
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
### Chrome
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chown go= userkey.pem
cat usercert_request.pem

#Paste the CSR text into the "CSR" text box
#Press "Request Certificate".
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
# Unzip the ZIP file and make a PKCS#12 file from its certifikate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.

unzip mitt_namn_namne12_foo_se.zip
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12

# Import the PKCS#12 file into your browser.
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T12:03:01Z

Kent Engström (NSC):

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T11:35:09Z

Kent Engström (NSC): /* Caveat */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate inside the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T11:30:09Z

Kent Engström (NSC): /* Requesting a eScience (grid) certificate directly in the browser */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate inside the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a personal grid certificate directly in the browser =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T11:28:13Z

Kent Engström (NSC): /* Requesting a eScience (grid) certificate directly in the browser */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate inside the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a eScience (grid) certificate directly in the browser =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox up to version 68 (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T11:27:01Z

Kent Engström (NSC): /* Caveat */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate inside the browser, you need to be using one of these:

* Safari
* Internet Explorer
* Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a eScience (grid) certificate directly in the browser =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T11:25:41Z

Kent Engström (NSC): /* Requesting a eScience (grid) certificate */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate inside the browser, you need to be running:

- Safari
- Internet Explorer
- Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a eScience (grid) certificate directly in the browser =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-26T11:25:12Z

Kent Engström (NSC): /* Caveat */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate inside the browser, you need to be running:

- Safari
- Internet Explorer
- Firefox ESR (as long as they are based on Firefox before version 69)

For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a eScience (grid) certificate =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Requesting a grid certificate using the Digicert SSO Portal

2019-09-25T09:45:38Z

Kent Engström (NSC): /* Caveat */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]

= Caveat =

Due to Google wanting to promote alternatives to client certificates, '''you can no longer use Google Chrome/Chromium''' for getting a Digicert certificate. '''Firefox, Safari and Internet Explorer still works'''. We have reports that '''Microsoft Edge does not work'''.

= Set a master password =

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

= Requesting a eScience (grid) certificate =

# Start a suitable web browser (see Caveat above for details):
## Windows:
### Internet Explorer
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
## macOS:
### Safari
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
## Linux/Unix:
### Firefox (obtained certificate is only available to Firefox)
#Go to https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Select the ''Grid Premium'' product.
#:[[File:Digicert-product-select.png]]
#Normally, leave the CSR field blank to get a key generated in your browser.
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.

= Exporting the Digicert certificate =

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.

= Adding certificate to OS certificate store =

Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.

* [[Add client certificate to keychain on macOS]]

Windows: '''FIXME: Investigate and update instructions accordingly'''.

= Using the certificate with grid tools =

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.

Support

2017-02-21T15:01:27Z

Kent Engström (NSC):

Support alternatives:

; Guides
: This site has a number of guides on a variety of subjects, see [[:Category:Guide]].

; Centre, Swestore and SUPR support
: Go to [http://supr.snic.se/support http://supr.snic.se/support]. If you can login to SUPR you can use a support form that helps you fill in a good support request. If you cannot login you will get a list of email addresses to use for your support request.
: This is by far the quickest way of getting your problems solved, and this is where you should address all your support questions. In case an issue cannot be immediately solved by these support queues it will be forwarded to the right place for you.

; Application support
: e-mail: [mailto:application-support@snic.se application-support@snic.se] 
: This mail address can be used if you have support questions that are not directly regarding how to run a given application on a specific SNIC HPC resource, but regarding how to use the application itself or how to solve an issue with the application that is not specific to running it on a certain resource. 
: The application-support queue is monitored by all the application experts, who are distributed over all the six SNIC HPC centers, so there is a good chance that someone who knows the given application will see the support request and help answer your questions or solve your issue. 
: If you don’t know whether or not to use the application-support address for your support request, then just send your request to the support address at the HPC center where you run your jobs. Then someone monitoring that support queue will in turn move your support request to the application-support queue if they find that your request is better handled there.

; SweGrid support
: e-mail: [mailto:support@swegrid.se support@swegrid.se] 
: For support regarding the [[SweGrid]] resources.

Support

2017-02-21T14:59:22Z

Kent Engström (NSC):

Support alternatives:

; Guides
: This site has a number of guides on a variety of subjects, see [[:Category:Guide]].

; Centre, Swestore and SUPR support
: Go to [http://supr.snic.se/support http://supr.snic.se/support]. If you can login to SUPR you can use a support form that help you fill in a good support request. If you cannot login you will get a list of email addresses to use for your support request.
: This is by far the quickest way of getting your problems solved, and this is where you should address all your support questions. In case an issue cannot be immediately solved by these support queues it will be forwarded to the right place for you.

; Application support
: e-mail: [mailto:application-support@snic.se application-support@snic.se] 
: This mail address can be used if you have support questions that are not directly regarding how to run a given application on a specific SNIC HPC resource, but regarding how to use the application itself or how to solve an issue with the application that is not specific to running it on a certain resource. 
: The application-support queue is monitored by all the application experts, who are distributed over all the six SNIC HPC centers, so there is a good chance that someone who knows the given application will see the support request and help answer your questions or solve your issue. 
: If you don’t know whether or not to use the application-support address for your support request, then just send your request to the support address at the HPC center where you run your jobs. Then someone monitoring that support queue will in turn move your support request to the application-support queue if they find that your request is better handled there.

; SweGrid support
: e-mail: [mailto:support@swegrid.se support@swegrid.se] 
: For support regarding the [[SweGrid]] resources.

Requesting a grid certificate using the Terena eScience Portal

2015-09-01T08:27:39Z

Kent Engström (NSC):

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Grid_certificates|< Grid certificates]]

NEWS: In July 2015 the TERENA TCS service switched backend provider from Comodo to DigiCert. That also meant switching the grid certificate portal from the TERENA-run Confusa service (https://tcs-escience.sunet.se for the SUNET instance) to a vendor-provided portal (https://digicert.com/sso/). Also, TERENA has been merged/renamed and is now GÉANT.

These instructions have been updated to point to the new service, but they could be improved with screenshots, more explanations etc. Please feel free to work on them.

To request a TCS grid certificate

1. Go to https://digicert.com/sso

2. Type the first characters of your university (or similar) and then select the Identity Provider to use for login.

3. Login at your home university.

4. Select the ''Grid Premium'' product.

5. Normally, leave the CSR field blank to get a key generated in your browser.

6. Press "Request Certificate".

7. Your certificate is generated and should be automatically imported into your browser.

=== Exporting the Terena certificate for use with Grid tools ===

To use the Terena certificates with the ARC grid client they have to be exported from the browser and converted into a suitable format.

See [[Exporting a client certificate]] for detailed instructions on how to export a Terena certificate from the most popular browsers.

See [[Preparing a client certificate]] for detailed instructions on how to prepare the exported certificate for use with grid tools.

Support

2013-09-13T13:52:17Z

Kent Engström (NSC):

Support alternatives:

; Guides
: This site has a number of guides on a variety of subjects, see [[:Category:Guide]].

; Centre support
: [http://www.c3se.chalmers.se/ C3SE] e-mail: [mailto:support@c3se.chalmers.se support@c3se.chalmers.se]
: [http://www.hpc2n.umu.se/ HPC2N] e-mail: [mailto:support@hpc2n.umu.se support@hpc2n.umu.se]
: [http://www.lunarc.lu.se/ Lunarc] e-mail: [mailto:support@lunarc.lu.se support@lunarc.lu.se]
: [http://www.nsc.liu.se/ NSC] e-mail: [mailto:support@nsc.liu.se support@nsc.liu.se]
: [http://www.pdc.kth.se PDC] e-mail: [mailto:support@pdc.kth.se support@pdc.kth.se]
: [http://www.uppmax.uu.se Uppmax] e-mail: [mailto:support@uppmax.uu.se support@uppmax.uu.se]
: This is by far the quickest way of getting your problems solved, and this is where you should address all your support questions. In case an issue cannot be immediately solved by these support queues it will be forwarded to the right place for you.

; Application support
: e-mail: [mailto:application-support@snic.se application-support@snic.se] 
: This mail address can be used if you have support questions that are not directly regarding how to run a given application on a specific SNIC HPC resource, but regarding how to use the application itself or how to solve an issue with the application that is not specific to running it on a certain resource. 
: The application-support queue is monitored by all the application experts, who are distributed over all the six SNIC HPC centers, so there is a good chance that someone who knows the given application will see the support request and help answer your questions or solve your issue. 
: If you don’t know whether or not to use the application-support address for your support request, then just send your request to the support address at the HPC center where you run your jobs. Then someone monitoring that support queue will in turn move your support request to the application-support queue if they find that your request is better handled there.

; SweGrid support
: e-mail: [mailto:support@swegrid.se support@swegrid.se] 
: For support regarding the SweGrid resources

; SweStore support
: e-mail: [mailto:support@swestore.se support@swestore.se]
: For obtaining support regarding the national storage.
: See also [[SweStore]]

; SUPR support
: e-email: [mailto:support@supr.snic.se support@supr.snic.se] 
: For support regarding the [https://supr.snic.se/ SUPR] SNIC portal.

== See also ==
* [[FAQ]] - Frequently asked questions.
* [http://www.pdc.kth.se/about/contact/support-requests More information on how to contact PDC support]

LiU Certificate Instructions

2013-03-15T15:22:20Z

Kent Engström (NSC):

See instructions at http://www.liu.se/insidan/it/irt/personliga-certifikat?l=en

Remember that it is the eScience version you should choose.

LiU Certificate Instructions

2013-03-15T15:20:25Z

Kent Engström (NSC): Created page with "See http://www.liu.se/insidan/it/irt/personliga-certifikat You should go to the person responsible for computer accounts at your department. You should bring a valid Swedish ph..."

See http://www.liu.se/insidan/it/irt/personliga-certifikat

You should go to the person responsible for computer accounts at your department. You should bring a valid Swedish photo ID (e.g. driver's license or passport). The account responsible person will check your identity and update your status at account.liu.se so that you can request certificates from the Terena portal.

Grid certificates

2013-03-15T15:17:33Z

Kent Engström (NSC): /* Requesting a certificate */

[[Category:Grid computing]]
[[Category:SweGrid user guide]]
[[Category:SweStore]]
[[Category:SweStore user guide]]
[[Getting started with SweGrid|< Getting started with SweGrid]] 
[[SweStore|< SweStore]]

=Introduction to certificates=

In order to get access to computer and storage resources on the grid or [[SweStore]] you must have a valid (grid) certificate. This certificate is used instead of a username and password when accessing the resource. The resource have a certificate that tells you that you have contacted the right resource. This is exactly the same mechanism used when you use a web browser to contact your bank.

A certificate is the similar to a passport in real-life. In the same way you have prove your credentials when you acquire a passport the same is true for a certificate. A third party, the Certificate Authority or CA, that both you and the resource trust has to vouch for your identity and sign your certificate.

A certificate consist of a public key, some user information and a signature of the CA. In addition to the certificate you have a private key. The private key is secret and should be kept as secure as possible.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]

[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

[http://www.nordugrid.org/documents/certificate_howto.html http://www.nordugrid.org/documents/certificate_howto.html]

* The grid certificate and the private key are stored in your web browser and/or located in ~/.globus at the host(s) from where you will be accessing the resource:
usercert.pem
userkey.pem
* The certificate contains your public key, your name and organization and a signature by the CA. It is does not contain any username.
* The certificate is valid for 13 month and should be renewed yearly.
* The private key should be handled with great care. It should only be readable by you (i.e. ``chmod 400 userkey.pem''). Store the key on trusted computers and transfer the key between computers using encryption (using for example scp).
* The private key is encrypted using a passphrase. Anyone that can decrypt the private key will be able to authenticate as you to grid resources. This is similar to the private key in SSH. You must choose a strong passphrase for the private key. This passphrase must not be used anywhere else. You must never ever give away the passphrase to somebody else.
* You should not share the certificate with someone. It's personal.

For more information regarding certificates and public key cryptography:

[http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Public-key_cryptography]
[http://en.wikipedia.org/wiki/Public_key_certificate http://en.wikipedia.org/wiki/Public_key_certificate]

= Requesting a certificate =

Certificates are issued by a Certificate Authority or CA. For Swedish users there are two relevant CA:s that can issue grid certificates, Terena and Nordugrid. The Terena CA is preferred if it is available for your university or research group, but many sites has not enabled this service yet. The Nordugrid CA can also be used but requires more manual work by all parties.

Recommended procedure for each university:

{| class="wikitable"
| University
| CA
| Specific instructions
|-
| LU
| Terena CA
| [[LU_Certificate_Information|more...]]
|-
| LiU
| Terena CA
| [[LiU_Certificate_Instructions|more...]]
|-
| CTH
| NorduGrid CA
| [[Chalmers_Certificate_Instructions|more...]]
|-
| GU
| NorduGrid CA
| [[GU_Certificate_Instructions|more...]]
|-
| UU
| Terena CA
| [[UU_Certificate_Instructions|more...]]
|-
| KTH
| Terena CA
| [[KTH_Certificate_Information|more...]]
|-
| SU
| NorduGrid CA
| [[SU_Certificate_Information|more...]]
|-
| KI
| NorduGrid CA
| [[KI_Certificate_Information|more...]]
|-
| UmU
| Terena CA
| [[UmU_Certificate_Information|more...]]
|-
|}

[[Requesting a grid certificate using the Terena eScience Portal|Instructions for the Terena CA]]

[[Requesting a grid certificate from the Nordugrid CA|Instructions for the NorduGrid CA (use only if Terena eScience isn't available at your site)]]

= Requesting membership in the SweGrid VO =

SweGrid and SweStore resources are currently being allocated for VO:s, virtual organizations, rather than individual users. A VO is basically just a list of users. To be able to use a SweGrid or SweStore resource a membership in the SweGrid VO (virtual organization) and a corresponding subgroup is required. To apply for membership, make sure that the NorduGrid root CA certificate and your personal certificate is installed in the browser.

The NorduGrid CA cert can be installed by clicking on the following link:

[http://ca.nordugrid.org/cacrt.crt http://ca.nordugrid.org/cacrt.crt]

Make sure you check the "Trust this CA to identify web sites." boxes in the dialog shown.

[[File:certinstall.png]]

When certificates have been installed in the browser go to the following URL:

[https://voms.ndgf.org:8443/voms/swegrid.se https://voms.ndgf.org:8443/voms/swegrid.se]

and follow the instructions. In a couple of hours you will be added to the SweGrid VO.

To be added to the correct SweGrid project send a mail to [mailto:support@swegrid.se support@swegrid.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which SNIC-project to be added to.

To be added to the correct Swestore allocation send a mail to [mailto:swestore-support@snic.vr.se swestore-support@snic.vr.se] and specify your DN as shown in the Terena portal or from the '''arcproxy --info''' command and which Swestore allocation to be added to.

= Proxy certificates =

Authentication on the grid is done using special short lived ''proxy'' certificates. There are several tools available for creating, checking and destroying these proxy certificates.

== Creating a proxy certificate ==

To create a short lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:

$ arcproxy
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 03:00:14

The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_uid''', where uid is the user id number for your account.

In some cases a longer lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour can be created by issuing the following command:

$ arcproxy --constraint="validityPeriod=24H"
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
....++++++
.....++++++
Proxy generation succeeded
Your proxy is valid until: 2011-03-11 15:03:19

== Checking proxy lifetime ==

The remaining lifetime of a proxy certificate can be checked using the '''arcproxy''' command with the '''--info''' switch.

$ arcproxy --info
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula/CN=1567862803
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Time left for proxy: 11 hours 55 minutes
Proxy path: /tmp/x509up_u500
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy

In this example the proxy certificate is valid for 11 hours 55 minutes more.

== Destroying a proxy certificate ==

A proxy can be destroyed with the '''-r''' or '''--remove''' switch.

$ arcproxy -r

or

$ arcproxy --remove

= VOMS certificates =

As long as you are a member of only one VO or VO group, you can
authenticate to a grid service with the regular grid proxy certificate
as defined in the previous section. If you are a member of more than
one VO or VO group you may want to select which membership you want to
be authenticated as. For example, if you are a member of
''swegrid.se:/swegrid.se/ops'' (operations staff) and
''swegrid.se:/swegrid.se/bils'' and want to write a file, who should
be the owner? Ops or bils? You need to provide some additional
information. In the grid world this is done with a voms proxy
certificate which basically is a regular proxy certificate but with a
so called voms extension that contains a list of your VO group
memberships (and roles and attributes, which we don't use in
Swegrid/Swestore at the moment).

'''Please note, if you only have one membership you can skip this section!'''

The voms extension of the certificate is signed by the virtual
organization management server, or VOMS server. The same VOMS server
you used when applying for the swegrid.se VO membership in the first
place. To enable this signing process you need to add a few
configuration files to your system. First add this to the file
'''/etc/vomses''':

"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"

Next create the necessary directories and the file
'''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' with the
following contents:

/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority

== Creating a VOMS proxy ==

VOMS proxies in ARC1 can be created using the '''arcproxy''' command
and the '''-S''' or '''--voms''' switches as shown in the following
example (if you are a member of the /swegrid.se/ops group. Adjust as
necessary):

$ arcproxy -S swegrid.se:/swegrid.se/ops
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Kalle Kula
Enter pass phrase for /home/kalle/.globus/userkey.pem:
.....++++++
............++++++
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009
Proxy generation succeeded
Your proxy is valid until: 2011-03-10 23:33:06