Requesting a grid certificate using the Sectigo SSO Portal

From SNIC Documentation
Revision as of 09:08, 27 April 2020 by Kent Engström (NSC) (talk | contribs) (Using the certificate in the web browser)
Jump to: navigation, search

Organization Support

The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01.

This section documents organizations known to have done all the setup required to enable this for their users:

  • LiU: verified OK 2020-04-24 by Kent and colleagues at NSC

Requesting a certificate

You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.

If you login and you organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".

FIXME: Discuss error messages you can get.

To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.

Requesting a certificate using a locally generated key and CSR

Use this method:

  • If there is a policy reason for you to refuse to have the key generated on the server side
  • If there is a technical reason that needs the key to be genereated locally

To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:

openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem

Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant

  • Select Certificate Profile = GÉANT IGTF-MICS Personal
  • Select Private Key = Upload CSR
  • Use "Choose File" to upload the usercert_request.pem file you created above
  • Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.

Requesting a certificate with server-side generation of key

Use this method:

  • If you can accept that the key is generated on the server side
  • If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser

To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and

  • Select Certificate Profile = GÉANT IGTF-MICS Personal
  • Select Private Key = Generate RSA
  • Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back
  • Click the SUBMIT button and accept the click-through license

After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.

Using the certificate

Using the certificate in the web browser

If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got cert.pem back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

  • Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find you new certificate listed in the 'Your Certificates' table.
  • Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.
  • Other browsers: Please help us out by providing instructions.

Using the certificate with grid tools