Requesting a grid certificate using the Digicert SSO Portal

From SNIC Documentation

(Difference between revisions)
(Requesting a Digicert eScience (grid) certificate)
(Fix "back" link to grid cert page)
 
(24 intermediate revisions not shown)
Line 3: Line 3:
[[Category:Swestore]]
[[Category:Swestore]]
[[Category:Swestore user guide]]
[[Category:Swestore user guide]]
-
[[Grid_certificates|< Grid certificates]]
 
-
= Caveat =
+
[[Grid_certificates#Requesting a certificate|< Grid certificates]]
-
Due to brain damage at Google, '''you can no longer use Google Chrome/Chromium''' for getting a Digicert certificate. '''Firefox still works, and possibly Safari and Internet Explorer'''. We have reports that '''Microsoft Edge does not work'''.
+
= Browser Support =
-
= Requesting a Digicert eScience (grid) certificate =
+
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.
-
# Start the ''Firefox'' web browser or, if preferred, ''Safari'' on macOS. (see Caveat above for details)
+
Thus, to request a certificate directly in the browser, you need to be using one of these:
 +
 
 +
* Safari
 +
* Internet Explorer
 +
* Firefox ESR (as long as they are based on Firefox before version 69)
 +
 
 +
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].
 +
 
 +
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]].
 +
 
 +
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html
 +
 
 +
= Set a master password =
 +
 
 +
When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.
 +
 
 +
Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
 +
 
 +
= Requesting a personal grid certificate directly in the browser =
 +
 
 +
# Start a suitable web browser (see [[#Browser Support|Browser Support]] above for details):
 +
## Windows:
 +
### Internet Explorer
 +
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
 +
## macOS:
 +
### Safari
 +
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
 +
## Linux/Unix:
 +
### Firefox up to version 68 (obtained certificate is only available  to Firefox)
#Go to  https://digicert.com/sso
#Go to  https://digicert.com/sso
-
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
+
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
#:[[File:Digicert-idp.png]]
#:[[File:Digicert-idp.png]]
#Login at your home university.
#Login at your home university.
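Review bot: The added Browser Support list and the added step 1 of the in-browser procedure name the Firefox requirement differently: the list says "Firefox ESR (as long as they are based on Firefox before version 69)" while step 1 says "Firefox up to version 68" on every platform. Pick one wording and use it in both places, and fix the number agreement in the list item ("as long as it is based on"). The new "Set a master password" section would also be easier to act on if it said how the recommendation relates to the certificate request that follows, since its only stated reason is "to protect stored logins and passwords".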
Line 21: Line 48:
#Press "Request Certificate".
#Press "Request Certificate".
#Your certificate is generated and should be automatically imported into your browser.
#Your certificate is generated and should be automatically imported into your browser.
 +
 +
= Requesting a personal grid certificate using CSR created outside of the browser =
 +
 +
# Start a suitable web browser
 +
## Windows:
 +
### Internet Explorer
 +
### Edge
 +
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
 +
## macOS:
 +
### Safari
 +
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
 +
## Linux/Unix:
 +
### Firefox (obtained certificate is only available  to Firefox)
 +
### Chrome
 +
#Go to  https://digicert.com/sso
 +
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
 +
#:[[File:Digicert-idp.png]]
 +
#Login at your home university.
 +
#Select the ''Grid Premium'' product.
 +
#:[[File:Digicert-product-select.png]]
 +
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
 +
 +
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
 +
chmod go= userkey.pem
 +
cat usercert_request.pem
 +
 +
#Paste the CSR text into the "CSR" text box
 +
#Press "Request Certificate".
 +
#Your certificate is generated and you will get to a page listing all you personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).
 +
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.
 +
 +
  unzip mitt_namn_namne12_foo_se.zip
 +
  openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
 +
 +
# Import the PKCS#12 file into your browser(s):
 +
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find you new certificate listed in the 'Your Certificates' table.
 +
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
 +
## Other browsers: ''Please help us out by providing instructions''.
 +
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
 +
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.
= Exporting the Digicert certificate =
= Exporting the Digicert certificate =
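Review bot: In the added CSR step, "chmod go= userkey.pem" covers only the key file and runs after "openssl req" has already created it, while "my_cert.p12" from the later PKCS#12 step gets no equivalent even though the last added step says both files contain the private key. Putting "umask 077" ahead of the "openssl req" line would cover both files without relying on a follow-up chmod. Separately, the command lines sit unprefixed between "#" items, which ends the numbered list each time, so the steps after each command block restart at 1; indenting them under the preceding item with "#:" keeps the numbering continuous.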
Line 28: Line 95:
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.
-
= Adding certificate to OS keychain/keystore =
+
= Adding certificate to OS certificate store =
-
For operating systems with a built in keychain/keystore the certificate needs to be imported in order to be available for programs that uses it.
+
Some operating systems have a built in keychain/keystore. If Firefox was used the certificate needs to be imported to keychain/keystore in order to be available for other programs.
-
Mac OS: In Finder, click on the file containing the exported certificate. '''FIXME: Write proper instruction page '''
+
* [[Add client certificate to keychain on macOS]]
Windows: '''FIXME: Investigate and update instructions accordingly'''.
Windows: '''FIXME: Investigate and update instructions accordingly'''.
Line 42: Line 109:
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.
-
For operating systems with a built in keystore you might need to export the e
+
[[Grid_certificates#Requesting a certificate|< Grid certificates]]

Latest revision as of 08:55, 17 October 2019

Browser Support

Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.

Thus, to request a certificate directly in the browser, you need to be using one of these:

  * Safari
  * Internet Explorer
  * Firefox ESR (as long as it is based on Firefox before version 69)

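If that applies to you, you can follow the simpler instructions under "Requesting a personal grid certificate directly in the browser" below.

For other browsers you need to follow the more complex instructions under "Requesting a personal grid certificate using CSR created outside of the browser" below.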

For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html

Set a master password

When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.

Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Requesting a personal grid certificate directly in the browser

  1. Start a suitable web browser (see Browser Support above for details):
    1. Windows:
      1. Internet Explorer
      2. Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox up to version 68 (obtained certificate is only available to Firefox)
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)
    [Screenshot: Digicert-idp.png]
  4. Log in at your home university.
  5. Select the Grid Premium product.
    [Screenshot: Digicert-product-select.png]
  6. Normally, leave the CSR field blank to get a key generated in your browser.
  7. Press "Request Certificate".
  8. Your certificate is generated and should be automatically imported into your browser.

Requesting a personal grid certificate using CSR created outside of the browser

  1. Start a suitable web browser
    1. Windows:
      1. Internet Explorer
      2. Edge
      3. Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)
    2. macOS:
      1. Safari
      2. Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)
    3. Linux/Unix:
      1. Firefox (obtained certificate is only available to Firefox)
      2. Chrome
  2. Go to https://digicert.com/sso
  3. Type the first characters of your university (or similar) and then select the Identity Provider to use for login.
    [Screenshot: Digicert-idp.png]
  4. Log in at your home university.
  5. Select the Grid Premium product.
    [Screenshot: Digicert-product-select.png]
  6. Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:
      openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
      chmod go= userkey.pem
      cat usercert_request.pem
  7. Paste the CSR text into the "CSR" text box.
  8. Press "Request Certificate".
  9. Your certificate is generated and you are taken to a page listing all your personal certificates. Scroll to the bottom if needed to find the one just generated and use the Download button to save the ZIP file (the name of the file depends on your name).
  10. Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.
      unzip mitt_namn_namne12_foo_se.zip
      openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12
  11. Import the PKCS#12 file into your browser(s):
    1. Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.
    2. Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.
    3. Other browsers: Please help us out by providing instructions.
  12. Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.
  13. Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they contain your private key.
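
Added example, not part of the SNIC page: the CSR and PKCS#12 steps above as shell functions that set `umask 077` before any key material is written and refuse to build `my_cert.p12` unless the certificate carries the same public key as `userkey.pem`. The function names, the `KEY_PASS`/`P12_PASS` environment variables and the self-signed stand-in certificate are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the SNIC page. File names follow the page;
# KEY_PASS and P12_PASS are constructed demo passphrases read from the
# environment (interactive prompts, as on the page, work just as well).
export KEY_PASS='demo-key-passphrase' P12_PASS='demo-p12-passphrase'

# Print the public key (PEM) held in a private key, a CSR or a certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -passin env:KEY_PASS -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeeds only if both files carry the same public key.
same_key() {
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# CSR step of the page, with umask set first so the key is private from creation.
make_request() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -subj "/CN=$1" -passout env:KEY_PASS \
          -keyout userkey.pem -out usercert_request.pem ) 2>/dev/null &&
        same_key key userkey.pem csr usercert_request.pem
}

# PKCS#12 step of the page, refused unless the certificate matches the key.
make_p12() {
    same_key key userkey.pem cert "$1" || { echo "cert/key mismatch" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -inkey userkey.pem -passin env:KEY_PASS \
          -in "$1" -out my_cert.p12 -passout env:P12_PASS ) 2>/dev/null
}

# Offline stand-in for the CA: self-sign the CSR (constructed, demo only).
standin_cert() {
    openssl x509 -req -in usercert_request.pem -signkey userkey.pem \
        -passin env:KEY_PASS -days 1 -out "$1" 2>/dev/null
}
```

With the real portal, skip `standin_cert` and pass the `.crt` file from the downloaded ZIP to `make_p12`.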

Exporting the Digicert certificate

If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.

See Exporting a client certificate for detailed instructions on how to export a Digicert certificate from the most popular browsers.

Adding certificate to OS certificate store

Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.

  * Add client certificate to keychain on macOS

Windows: FIXME: Investigate and update instructions accordingly.

Using the certificate with grid tools

To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.

See Preparing a client certificate for detailed instructions on how to prepare an exported certificate for use with grid tools.
