Difference between revisions of "Preparing a client certificate"

From SNIC Documentation
(Created page with "Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a <tt>.p12</tt> certificate bundle, as that format is intended p...")
 
Line 1: Line 1:
Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a <tt>.p12</tt> certificate bundle, as that format is intended primarily for secure transport and backup of certificates and their private keys.
+
Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a <tt>.p12</tt> certificate bundle (or <tt>.pfx</tt> if you exported from IE), as that format is intended primarily for secure transport and backup of certificates and their private keys.
  
 
Instead of a single <tt>.p12</tt> file, they expect a pair of files in <tt>.pem</tt> format, one containing the certificate and the other containing the private key that matches the certificate.
 
Instead of a single <tt>.p12</tt> file, they expect a pair of files in <tt>.pem</tt> format, one containing the certificate and the other containing the private key that matches the certificate.
  
== Uploading the .p12 to your target machine ==
+
== Uploading and conversion of the .p12 for your target machine ==
  
== Prepare .globus directory in home directory ==
+
As the authentication methods for clusters differ, this section will defer to documentations for your particular site when it comes to transferring files to and from the cluster storage.
  
== Make protected .pem files ==
+
The goal is to end up with a <tt>.globus</tt> directory in your home directory, containing two files named <tt>usercert.pem</tt> and <tt>userkey.pem</tt>.
 +
 
 +
* Transfer the <tt>.p12</tt> file to your home directory on the cluster.
 +
* Get an interactive shell on the login node, via ssh.
 +
* If an .globus directory already exists, rename it with something like
 +
  <tt>mv ~/.globus ~/.globus-old</tt>
 +
* Create the directory with
 +
  <tt>mkdir ~/.globus</tt>
 +
* Run the following commands to extract the components from the <tt>.p12</tt> or <tt>.pfx</tt>, when asked for import password, specify the password specified when exporting the certificate bundle from your brower:
 +
  openssl x509 ..
 +
  openssl x509 ..
 +
 
 +
  chmod 0400 ~/.globus/usercert.pem
 +
  chmod 0400 ~/.globus/userkey.pem
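
Review bot: The step "Run the following commands to extract the components" is followed by two identical placeholder lines, `openssl x509 ..`, so the procedure has no runnable extraction command. `x509` is also the certificate subcommand, not the one that reads a PKCS#12 bundle (`openssl pkcs12`). Suggest spelling out one command per output file so a reader can tell which one produces usercert.pem and which produces userkey.pem. The `chmod 0400` lines only apply after both files exist, so consider a `umask 077` (or creating ~/.globus with mode 0700) before extraction so userkey.pem is never readable by other users. Minor: "brower" should be "browser" and "an .globus" should be "a .globus".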

Revision as of 14:02, 15 April 2013

Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a .p12 certificate bundle (or .pfx if you exported from IE), as that format is intended primarily for secure transport and backup of certificates and their private keys.

Instead of a single .p12 file, they expect a pair of files in .pem format, one containing the certificate and the other containing the private key that matches the certificate.

Uploading and conversion of the .p12 for your target machine

As the authentication methods for clusters differ, this section defers to the documentation for your particular site when it comes to transferring files to and from the cluster storage.

The goal is to end up with a .globus directory in your home directory, containing two files named usercert.pem and userkey.pem.

  • Transfer the .p12 file to your home directory on the cluster.
  • Get an interactive shell on the login node, via ssh.
  • If a .globus directory already exists, rename it with something like
 mv ~/.globus ~/.globus-old
  • Create the directory with
 mkdir ~/.globus
  • Run the following commands to extract the components from the .p12 or .pfx. When asked for the import password, enter the password you specified when exporting the certificate bundle from your browser:
 openssl x509 ..
 openssl x509 ..
 chmod 0400 ~/.globus/usercert.pem
 chmod 0400 ~/.globus/userkey.pem
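
The steps above as one shell function, given as an added example and not the SNIC page's own commands (which are elided on the page). It uses `openssl pkcs12` and also checks that the extracted key matches the certificate; the function name `p12_to_globus` and the variables `P12_PASSIN` and `KEY_PASSOUT` are assumptions made for this example.

```shell
# Added example: p12_to_globus BUNDLE [TARGET_DIR]
# Assumed (hypothetical) variables for unattended runs: P12_PASSIN and
# KEY_PASSOUT hold openssl pass-phrase sources such as "env:VAR" or
# "file:/path". When unset, openssl prompts on the terminal.
p12_to_globus() (   # subshell body: umask and exit stay local to the call
    bundle=$1
    dir=${2:-$HOME/.globus}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; exit 1; }

    umask 077       # new directory and files are owner-only from creation
    if [ -e "$dir" ]; then
        [ ! -e "$dir-old" ] || { echo "$dir-old already exists" >&2; exit 1; }
        mv "$dir" "$dir-old" || exit 1
    fi
    mkdir "$dir" || exit 1

    # Certificate only: the user's certificate, no private key, no CA certs.
    openssl pkcs12 -in "$bundle" -clcerts -nokeys \
        ${P12_PASSIN:+-passin "$P12_PASSIN"} \
        -out "$dir/usercert.pem" || exit 1

    # Private key only, written encrypted under the export pass phrase.
    openssl pkcs12 -in "$bundle" -nocerts \
        ${P12_PASSIN:+-passin "$P12_PASSIN"} \
        ${KEY_PASSOUT:+-passout "$KEY_PASSOUT"} \
        -out "$dir/userkey.pem" || exit 1

    # The key must match the certificate: compare their public keys.
    cert_pub=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$dir/userkey.pem" -pubout \
        ${KEY_PASSOUT:+-passin "$KEY_PASSOUT"}) || exit 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; exit 1; }

    chmod 0400 "$dir/usercert.pem" "$dir/userkey.pem"
)
```

Run interactively as `p12_to_globus ~/cert.p12` (the bundle name is a placeholder); openssl then asks for the import password on each `pkcs12` call and for the key pass phrase when writing and verifying the key.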