Difference between revisions of "Requesting a grid certificate using the Digicert SSO Portal"

From SNIC Documentation
(Use bold to highlight specific facts, instead of the entire line.)
(30 intermediate revisions by 3 users not shown)
Line 3: Line 3:
 
[[Category:Swestore]]
 
[[Category:Swestore]]
 
[[Category:Swestore user guide]]
 
[[Category:Swestore user guide]]
[[Grid_certificates|< Grid certificates]]
 
  
Due to brain damage at Google, '''you can no longer use Google Chromium''' for getting a Digicert certificate. '''Firefox still works, and possibly Safari and Internet Explorer'''. We have reports that '''Microsoft Edge does not work'''.
+
[[Grid_certificates#Requesting a certificate|< Grid certificates]]
  
To request a Digicert grid certificate
+
= Switching to a new provider =
  
 +
On 2020-05-01, Digicert is no longer the provider of this service. See [[Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal]] for instructions on how to use the new provider's portal.
 +
 +
= Browser Support =
 +
 +
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.
 +
 +
Thus, to request a certificate directly in the browser, you need to be using one of these:
 +
 +
* Safari
 +
* Internet Explorer
 +
* Firefox ESR (as long as they are based on Firefox before version 69)
 +
 +
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].
 +
 +
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]].
 +
 +
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html
 +
 +
= Set a master password =
 +
 +
When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.
 +
 +
Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
 +
 +
= Requesting a personal grid certificate directly in the browser =
 +
 +
# Start a suitable web browser (see [[#Browser Support|Browser Support]] above for details):
 +
## Windows:
 +
### Internet Explorer
 +
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
 +
## macOS:
 +
### Safari
 +
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
 +
## Linux/Unix:
 +
### Firefox up to version 68 (obtained certificate is only available  to Firefox)
 
#Go to  https://digicert.com/sso
 
#Go to  https://digicert.com/sso
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
+
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
 
#:[[File:Digicert-idp.png]]
 
#:[[File:Digicert-idp.png]]
 
#Login at your home university.
 
#Login at your home university.
Line 19: Line 53:
 
#Your certificate is generated and should be automatically imported into your browser.
 
#Your certificate is generated and should be automatically imported into your browser.
  
=== Exporting the Digicert certificate for use with Swestore and other grid tools ===
+
= Requesting a personal grid certificate using CSR created outside of the browser =
 +
 
 +
# Start a suitable web browser
 +
## Windows:
 +
### Internet Explorer
 +
### Edge
 +
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
 +
## macOS:
 +
### Safari
 +
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
 +
## Linux/Unix:
 +
### Firefox (obtained certificate is only available  to Firefox)
 +
### Chrome
 +
#Go to  https://digicert.com/sso
 +
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
 +
#:[[File:Digicert-idp.png]]
 +
#Login at your home university.
 +
#Select the ''Grid Premium'' product.
 +
#:[[File:Digicert-product-select.png]]
 +
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
 +
 
 +
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
 +
chmod go= userkey.pem
 +
cat usercert_request.pem
 +
 
 +
#Paste the CSR text into the "CSR" text box
 +
#Press "Request Certificate".
 +
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
 +
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.
 +
 
 +
  unzip mitt_namn_namne12_foo_se.zip
 +
  openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
 +
 
 +
# Import the PKCS#12 file into your browser(s):
 +
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
 +
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
 +
## Other browsers: ''Please help us out by providing instructions''.
 +
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
 +
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.
 +
 
 +
= Exporting the Digicert certificate =
 +
 
 +
If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.
 +
 
 +
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.
 +
 
 +
= Adding certificate to OS certificate store =
 +
 
 +
Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.
 +
 
 +
* [[Add client certificate to keychain on macOS]]
 +
 
 +
Windows: '''FIXME: Investigate and update instructions accordingly'''.
 +
 
 +
= Using the certificate with grid tools =
  
 
To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.
 
To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.
  
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.
+
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.
  
See [[Preparing a client certificate]] for detailed instructions on how to prepare the exported certificate for use with grid tools.
+
[[Grid_certificates#Requesting a certificate|< Grid certificates]]
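Review bot: In the added section "Requesting a personal grid certificate using CSR created outside of the browser", the command lines after the "Generate a CSR" item (openssl req, chmod, cat) and after the "Unzip the ZIP file" item (unzip, openssl pkcs12) carry no "#:" prefix, so each command block ends the numbered list and the "#" items that follow restart at 1, as the rendered revision shows. Put the commands on "#:" continuation lines (for example a preformatted block on a "#:" line) so the procedure stays one numbered sequence. The added "Windows: '''FIXME: ...'''" line also publishes a placeholder to readers; consider replacing it with a short statement that Windows instructions are not yet available.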

Revision as of 14:58, 28 April 2020



Switching to a new provider

On 2020-05-01, Digicert is no longer the provider of this service. See "Requesting a grid certificate using the Sectigo SSO Portal" for instructions on how to use the new provider's portal.

Browser Support

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

  • Safari
  • Internet Explorer
  • Firefox ESR (as long as it is based on a Firefox version before 69)

If that is your case, you can follow the simpler instructions below.

For other browsers you need to follow the more complex instructions below.

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

Set a master password

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Requesting a personal grid certificate directly in the browser

  1. Start a suitable web browser (see Browser Support above for details):
    1. Windows:
      1. Internet Explorer
      2. Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox up to version 68 (obtained certificate is only available to Firefox)
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
    File:Digicert-idp.png
  4. Login at your home university.
  5. Select the Grid Premium product.
    File:Digicert-product-select.png
  6. Normally, leave the CSR field blank to get a key generated in your browser.
  7. Press "Request Certificate".
  8. Your certificate is generated and should be automatically imported into your browser.

Requesting a personal grid certificate using CSR created outside of the browser

  1. Start a suitable web browser
    1. Windows:
      1. Internet Explorer
      2. Edge
      3. Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox (obtained certificate is only available to Firefox)
      2. Chrome
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
    File:Digicert-idp.png
  4. Login at your home university.
  5. Select the Grid Premium product.
    File:Digicert-product-select.png
  6. Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
       openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
       chmod go= userkey.pem
       cat usercert_request.pem
  7. Paste the CSR text into the "CSR" text box.
  8. Press "Request Certificate".
  9. Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
  10. Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.
       unzip mitt_namn_namne12_foo_se.zip
       openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
  11. Import the PKCS#12 file into your browser(s):
    1. Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.
    2. Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
    3. Other browsers: Please help us out by providing instructions.
  12. Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
  13. Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.
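
A check that fits between downloading the certificate and the 'openssl pkcs12 -export' step, given here as an added example that is not part of the original SNIC instructions: it confirms that the certificate carries the public key of userkey.pem and that the key file is readable by its owner only. The passphrase demo-only, the names usercert.crt and otherkey.pem, and the self-signed certificate standing in for the one the CA returns are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SNIC page): checks to run before the
# "openssl pkcs12 -export" step. Passphrase and extra file names are constructed.

# Public key (PEM) of a private key; $2 is an openssl pass-phrase source.
key_pub()  { openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null; }
# Public key (PEM) embedded in a certificate.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY PASSIN
    k=$(key_pub "$2" "$3") || return 2   # unreadable key or wrong pass phrase
    c=$(cert_pub "$1") || return 2       # not a parsable certificate
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if group and others have no access (what "chmod go=" sets).
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data: key and CSR made with the page's openssl req command,
# a self-signed certificate standing in for the CA's, and an unrelated key.
make_sample() {  # usage: make_sample DIR
    openssl req -new -newkey rsa:2048 -passout pass:demo-only \
        -out "$1/usercert_request.pem" -keyout "$1/userkey.pem" \
        -subj '/CN=Mitt Namn' 2>/dev/null &&
    chmod go= "$1/userkey.pem" &&
    openssl x509 -req -in "$1/usercert_request.pem" -days 1 \
        -signkey "$1/userkey.pem" -passin pass:demo-only \
        -out "$1/usercert.crt" 2>/dev/null &&
    openssl genrsa -out "$1/otherkey.pem" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" || { rm -rf "$d"; return 1; }
    cert_matches_key "$d/usercert.crt" "$d/userkey.pem" pass:demo-only \
        && echo "certificate matches userkey.pem"
    cert_matches_key "$d/usercert.crt" "$d/otherkey.pem" pass:unused \
        || echo "certificate does not match otherkey.pem"
    key_is_private "$d/userkey.pem" && echo "userkey.pem is owner-only"
    rm -rf "$d"
}
demo
```

With real files, call cert_matches_key with the .crt from the unzipped directory, userkey.pem, and a pass-phrase source such as file:/path/to/passfile so the passphrase does not appear on the command line.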

Exporting the Digicert certificate

If you need to use the certificate with other programs, it needs to be exported to a file and imported where appropriate.

See Exporting a client certificate for detailed instructions on how to export a Digicert certificate from the most popular browsers.

Adding certificate to OS certificate store

Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.

Windows: FIXME: Investigate and update instructions accordingly.

Using the certificate with grid tools

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See Preparing a client certificate for detailed instructions on how to prepare an exported certificate for use with grid tools.
