Difference between revisions of "Requesting a grid certificate using the Digicert SSO Portal"

From SNIC Documentation
(Fix "back" link to grid cert page)
(8 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
[[Category:Swestore]]
 
[[Category:Swestore]]
 
[[Category:Swestore user guide]]
 
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]
+
 
 +
[[Grid_certificates#Requesting a certificate|< Grid certificates]]
  
 
= Browser Support =
 
= Browser Support =
  
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has not supported it. Safari still supports it as of today, and Internet Explorer has another mechanism available that provides the same feature.
+
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.
  
 
Thus, to request a certificate directly in the browser, you need to be using one of these:
 
Thus, to request a certificate directly in the browser, you need to be using one of these:
Line 15: Line 16:
 
* Firefox ESR (as long as they are based on Firefox before version 69)
 
* Firefox ESR (as long as they are based on Firefox before version 69)
  
For other browsers you need to generate the key and CSR outside of the browser, paste in the CSR, download the certificate and import it into the browser (if that is where the cert is going to be used). We hope to be able to update the instructions for that soon.
+
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].
 +
 
 +
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]].  
  
 
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html
 
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html
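Review bot: The replacement text for non-keygen browsers ("follow the more complex instructions below") drops the one-sentence summary the old paragraph gave: generate the key and CSR outside the browser, paste in the CSR, download the certificate and import it. Keep that summary next to the link so a reader can tell what the longer procedure involves before jumping to it.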
Line 27: Line 30:
 
= Requesting a personal grid certificate directly in the browser =
 
= Requesting a personal grid certificate directly in the browser =
  
# Start a suitable web browser (see Browser Support above for details):
+
# Start a suitable web browser (see [[#Browser Support|Browser Support]] above for details):
 
## Windows:
 
## Windows:
 
### Internet Explorer
 
### Internet Explorer
Line 37: Line 40:
 
### Firefox up to version 68 (obtained certificate is only available  to Firefox)
 
### Firefox up to version 68 (obtained certificate is only available  to Firefox)
 
#Go to  https://digicert.com/sso
 
#Go to  https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
+
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
 
#:[[File:Digicert-idp.png]]
 
#:[[File:Digicert-idp.png]]
 
#Login at your home university.
 
#Login at your home university.
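Review bot: The note that the Identity Provider page is very slow is added only to this step of the in-browser procedure, while the identical "Type the first characters of your university" step in the new CSR section added by the same edit does not carry it. Add the note there too, or move it to a shared place so the two procedures do not drift apart.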
Line 45: Line 48:
 
#Press "Request Certificate".
 
#Press "Request Certificate".
 
#Your certificate is generated and should be automatically imported into your browser.
 
#Your certificate is generated and should be automatically imported into your browser.
 +
 +
= Requesting a personal grid certificate using CSR created outside of the browser =
 +
 +
# Start a suitable web browser
 +
## Windows:
 +
### Internet Explorer
 +
### Edge
 +
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
 +
## macOS:
 +
### Safari
 +
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
 +
## Linux/Unix:
 +
### Firefox (obtained certificate is only available  to Firefox)
 +
### Chrome
 +
#Go to  https://digicert.com/sso
 +
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
 +
#:[[File:Digicert-idp.png]]
 +
#Login at your home university.
 +
#Select the ''Grid Premium'' product.
 +
#:[[File:Digicert-product-select.png]]
 +
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
 +
 +
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
 +
chmod go= userkey.pem
 +
cat usercert_request.pem
 +
 +
#Paste the CSR text into the "CSR" text box
 +
#Press "Request Certificate".
 +
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
 +
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.
 +
 +
  unzip mitt_namn_namne12_foo_se.zip
 +
  openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
 +
 +
# Import the PKCS#12 file into your browser(s):
 +
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
 +
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
 +
## Other browsers: ''Please help us out by providing instructions''.
 +
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
 +
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.
  
 
= Exporting the Digicert certificate =
 
= Exporting the Digicert certificate =
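Review bot: The command lines under "Generate a CSR" and "Unzip the ZIP file" are not attached to their `#` list items (the first group starts in column 0, the second is indented with a space-prefixed block), so the ordered list ends at each group and the following `#` items restart at 1. Attach them to the preceding item with `#:` continuation lines so the steps stay numbered consecutively. Two smaller points in the same section: "pass phrase" and "passphrase" are both used, and "all you personal certificates" and "find you new certificate" should read "your".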
Line 65: Line 108:
  
 
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.
 
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.
 +
 +
[[Grid_certificates#Requesting a certificate|< Grid certificates]]

Revision as of 08:55, 17 October 2019


< Grid certificates

Browser Support

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

  • Safari
  • Internet Explorer
  • Firefox ESR (as long as it is based on Firefox before version 69)

If that applies to you, you can follow the simpler instructions below.

For other browsers you need to follow the more complex instructions below.

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

Set a master password

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Requesting a personal grid certificate directly in the browser

  1. Start a suitable web browser (see Browser Support above for details):
    1. Windows:
      1. Internet Explorer
      2. Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox up to version 68 (obtained certificate is only available to Firefox)
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
    File:Digicert-idp.png
  4. Log in at your home university.
  5. Select the Grid Premium product.
    File:Digicert-product-select.png
  6. Normally, leave the CSR field blank to get a key generated in your browser.
  7. Press "Request Certificate".
  8. Your certificate is generated and should be automatically imported into your browser.

Requesting a personal grid certificate using CSR created outside of the browser

  1. Start a suitable web browser
    1. Windows:
      1. Internet Explorer
      2. Edge
      3. Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox (obtained certificate is only available to Firefox)
      2. Chrome
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
    File:Digicert-idp.png
  4. Log in at your home university.
  5. Select the Grid Premium product.
    File:Digicert-product-select.png
  6. Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
       openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
       chmod go= userkey.pem
       cat usercert_request.pem
  7. Paste the CSR text into the "CSR" text box.
  8. Press "Request Certificate".
  9. Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
  10. Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.
       unzip mitt_namn_namne12_foo_se.zip
       openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
  11. Import the PKCS#12 file into your browser(s):
    1. Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.
    2. Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
    3. Other browsers: Please help us out by providing instructions.
  12. Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
  13. Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.
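
An added example, not part of the original SNIC instructions: a way to confirm that the CSR you are about to paste and the certificate you later download both carry the public key of userkey.pem, before building the PKCS#12 file. The function names are hypothetical, and the demo uses constructed stand-ins (unencrypted throwaway keys and a self-signed certificate in place of the DigiCert-issued one) so it runs offline.

```shell
#!/bin/sh
# Added example: check that a CSR and a certificate belong to a private key.

# Print the public key of a private key; optional $2 is an openssl -passin source.
key_pubkey() {
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -pubout -passin "$2"
    else
        openssl pkey -in "$1" -pubout          # prompts if the key is encrypted
    fi
}

# csr_matches_key CSR KEY [PASSIN]: self-signature verifies and public keys are equal.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    want=$(key_pubkey "$2" "${3:-}") || return 1
    [ -n "$want" ] && [ "$(openssl req -in "$1" -noout -pubkey 2>/dev/null)" = "$want" ]
}

# cert_matches_key CERT KEY [PASSIN]: certificate carries the key's public key.
cert_matches_key() {
    want=$(key_pubkey "$2" "${3:-}") || return 1
    [ -n "$want" ] && [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = "$want" ]
}

# Constructed demo: throwaway unencrypted keys, self-signed cert as a stand-in
# for the downloaded .crt, and a second unrelated key for the mismatch case.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Mitt Namn' \
        -keyout "$d/userkey.pem" -out "$d/usercert_request.pem" 2>/dev/null || return 1
    openssl req -x509 -new -key "$d/userkey.pem" -subj '/CN=Mitt Namn' -days 1 \
        -out "$d/issued.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    csr_matches_key "$d/usercert_request.pem" "$d/userkey.pem" && r1=match || r1=MISMATCH
    cert_matches_key "$d/issued.crt" "$d/userkey.pem" && r2=match || r2=MISMATCH
    cert_matches_key "$d/issued.crt" "$d/other.pem" && r3=match || r3=MISMATCH
    rm -rf "$d"
    echo "csr:$r1 cert:$r2 wrongkey:$r3"
}

demo
```

With the real files, call cert_matches_key on the .crt from the unzipped directory and userkey.pem; omitting the third argument lets openssl prompt for the key passphrase.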

Exporting the Digicert certificate

If you need to use the certificate with other programs, it needs to be exported to a file and imported where appropriate.

See Exporting a client certificate for detailed instructions on how to export a Digicert certificate from the most popular browsers.

Adding certificate to OS certificate store

Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.

Windows: FIXME: Investigate and update instructions accordingly.

Using the certificate with grid tools

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See Preparing a client certificate for detailed instructions on how to prepare an exported certificate for use with grid tools.

< Grid certificates