https://docs.snic.se/w/api.php?action=feedcontributions&user=Thomas+Bellman+%28NSC%29&year=&month=&feedformat=atomSNIC Documentation - User contributions [en]2024-03-28T20:37:04ZUser contributionsMediaWiki 1.31.10https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate&diff=8031Requesting a grid certificate2023-02-27T15:40:50Z<p>Thomas Bellman (NSC): Point to specific page at docs.swestore.se; don't force users to search</p>
<hr />
<div>This page has been moved to the [https://docs.swestore.se/access/certificates/ Swestore documentation].</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7900Requesting a grid certificate using the Sectigo SSO Portal2022-05-31T12:24:40Z<p>Thomas Bellman (NSC): Note selecting correct certificate profile as being important (common mistake by users).</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled before you can request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfill the requirements for requesting personal certificates; within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations; it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to log in with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is that your identity does not fulfill the requirements for requesting personal certificates; see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side.<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, log in to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal ('''very important''').<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with appropriate key length. "RSA-2048" is usually good enough.<br />
* Provide a password that will be used to encrypt the PKCS#12 file you get back.<br />
* Check the "I have read and agree to the terms of the EULA" checkbox.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be generated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal ('''very important''').<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Check the "I have read and agree to the terms of the EULA" checkbox.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
''2022-05-02 We are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
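To go with the direct ~/.globus alternative above, the following added example (not part of the original SNIC page) checks that a certificate in the downloaded certs.pem belongs to the locally generated userkey.pem before copying both into place. The function names and the script name are hypothetical; it assumes the openssl command-line tool and awk are installed, and it allows for certs.pem holding more than one certificate.

```sh
#!/bin/sh
# Added example (not from the SNIC page). Assumes the openssl CLI and awk.
# Function and script names are hypothetical.

# cert_matches_key CERTS_PEM KEY_PEM
# Status 0 if any certificate in CERTS_PEM carries the public key that belongs
# to KEY_PEM, 1 if none does, 2 if the key cannot be read.
# The body is a subshell "( ... )" so its variables stay local.
cert_matches_key() (
    certs=$1
    key=$2
    # openssl prompts for the passphrase here if the key file is encrypted.
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 2
    tmp=$(mktemp -d) || exit 2
    # The download may hold several certificates; write each to its own file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$certs"
    status=1
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        cert_pub=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null) || continue
        if [ "$cert_pub" = "$key_pub" ]; then
            status=0
            break
        fi
    done
    rm -rf "$tmp"
    exit "$status"
)

# install_grid_credentials CERTS_PEM KEY_PEM [DEST_DIR]
# Copies the key and certificate to DEST_DIR (default ~/.globus) under the
# file names the page gives, but only after the match check succeeds.
install_grid_credentials() (
    certs=$1
    key=$2
    dest=${3:-$HOME/.globus}
    if ! cert_matches_key "$certs" "$key"; then
        echo "not installing: no certificate in $certs matches $key" >&2
        exit 1
    fi
    umask 077                       # anything created below starts owner-only
    mkdir -p "$dest" || exit 1
    cp "$key" "$dest/userkey.pem" || exit 1
    chmod go= "$dest/userkey.pem"   # same permission step the page applies to the key
    cp "$certs" "$dest/usercert.pem" || exit 1
)

# Run as: sh install_grid_credentials.sh certs.pem userkey.pem
if [ "$#" -ge 2 ]; then
    install_grid_credentials "$@"
fi
```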
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7899Requesting a grid certificate using the Sectigo SSO Portal2022-05-31T12:21:04Z<p>Thomas Bellman (NSC): EULA is a checkbox *before* the Submit button.</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled before you can request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfill the requirements for requesting personal certificates; within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations; it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to log in with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is that your identity does not fulfill the requirements for requesting personal certificates; see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side.<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, log in to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with appropriate key length. "RSA-2048" is usually good enough.<br />
* Provide a password that will be used to encrypt the PKCS#12 file you get back.<br />
* Check the "I have read and agree to the terms of the EULA" checkbox.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be generated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Check the "I have read and agree to the terms of the EULA" checkbox.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
''2022-05-02 We are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7898Requesting a grid certificate using the Sectigo SSO Portal2022-05-31T12:18:33Z<p>Thomas Bellman (NSC): Improved wording.</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled before you can request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfill the requirements for requesting personal certificates; within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations; it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to log in with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is that your identity does not fulfill the requirements for requesting personal certificates; see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side.<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, log in to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with appropriate key length. "RSA-2048" is usually good enough.<br />
* Provide a password that will be used to encrypt the PKCS#12 file you get back.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be generated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
''2022-05-02 We are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7897Requesting a grid certificate using the Sectigo SSO Portal2022-05-31T12:17:31Z<p>Thomas Bellman (NSC): Recommend RSA-2048 as key type for server-side key generation.</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled before you can request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfill the requirements for requesting personal certificates; within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations; it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to log in with your local credentials at your organization.<br />
<br />
If you log in and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is that your identity does not fulfill the requirements for requesting personal certificates; see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side.<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, log in to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with appropriate key length. "RSA-2048" is usually good enough.<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be generated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
''2022-05-02 We are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7896Requesting a grid certificate using the Sectigo SSO Portal2022-05-31T12:14:25Z<p>Thomas Bellman (NSC): Typo fix.</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled in order to be able to request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you login and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is your identity not fulfilling the requirements for requesting personal certificates, see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side.<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with appropriate number of bits.<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be generated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
''2022-05-02 We are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7895Requesting a grid certificate using the Sectigo SSO Portal2022-05-31T12:13:55Z<p>Thomas Bellman (NSC): End sentences in list items with a period, as sentences should be.</p>
<hr />
<div>== Preparations ==<br />
<br />
Two requirements need to be fulfilled in order to be able to request a grid (aka eScience) certificate:<br />
* Your organization must be set up to allow this (see [[#Organization Support]] below).<br />
** A tool for testing this is the Sectigo SSO check page on https://cert-manager.com/customer/sunet/ssocheck.<br />
* Your identity must fulfill the requirements for requesting personal certificates, within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher.<br />
** Enabling this only needs to be done once. Routines for this vary among organizations, it typically involves visiting a helpdesk to show an identity document to verify your identity.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you login and your organization is set up correctly, you will get to a page with the heading ''Digital Certificate Enrollment''.<br />
<br />
A common error for first-time users is your identity not fulfilling the requirements for requesting personal certificates, see [[#Preparations]] above.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side.<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = Key Generation.<br />
* Select Key Type with appropriate number of bits.<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side.<br />
* If there is a technical reason that needs the key to be generated locally.<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal.<br />
* Select Term 395 days (should be the only option).<br />
* Select Enrollment Method = CSR.<br />
* Use "Choose File" to upload the usercert_request.pem file you created above or paste it into the box below.<br />
* Click the SUBMIT button and accept the click-through license.<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
''2022-05-02 We are rather sure that the behaviour for some time now has instead been to automatically revoke older certificates to keep the window to two certificates (the most recent ones) per certificate profile.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem.<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem.<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users.<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
== Appendix ==<br />
=== Organization Support ===<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo.<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Failed verification<br />
<br />
* Sveriges lantbruksuniversitet (does not handle AL2 2020-12-18 by Jens L at NSC)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at [https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal here] and they are welcome to contact tcs@sunet.se to get help with the setup.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate&diff=7874Requesting a grid certificate2022-05-02T07:40:26Z<p>Thomas Bellman (NSC): "Vendor-neutral" page for requesting grid certificates, redirecting to the current vendor-specific page.</p>
<hr />
<div>#REDIRECT [[Requesting a grid certificate using the Sectigo SSO Portal]]<br />
<br />
To request a grid certificate, follow the instructions on the page for the current provider of certificates linked to above.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=User_talk:Peter_Larsson_(NSC)&diff=7802User talk:Peter Larsson (NSC)2021-04-22T15:09:06Z<p>Thomas Bellman (NSC): Thomas Bellman (NSC) moved page User talk:Peter Larsson (NSC) to User talk:Peter Larsson (PDC): Automatically moved page while renaming the user "Peter Larsson (NSC)" to "[[User:Peter Larsson (PDC)|Peter Larsson (PD...</p>
<hr />
<div>#REDIRECT [[User talk:Peter Larsson (PDC)]]</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=User:Peter_Larsson_(PDC)&diff=7799User:Peter Larsson (PDC)2021-04-22T15:09:06Z<p>Thomas Bellman (NSC): Thomas Bellman (NSC) moved page User:Peter Larsson (NSC) to User:Peter Larsson (PDC): Automatically moved page while renaming the user "Peter Larsson (NSC)" to "Peter Larsson (PDC)"</p>
<hr />
<div>{{application expert info<br />
|first name=Peter<br />
|last name=Larsson<br />
|centre=NSC<br />
|fields=Computational materials science<br />
|fte=20<br />
|snic ae financing=0<br />
|other ae financing=<br />
|financing=SeRC/SNIC<br />
|general activities=Application support;Testing & Quality Assurance;Benchmarking<br />
|other activities=Development of ab initio workflow tools; Coordinating technical documentation at NSC;<br />
|image=Pla-110x160.jpg<br />
|office=Room 273, House G; Linköpings universitet; SE-581 83 Linköping <br />
|start date=<br />
|end date=<br />
|is active=no<br />
}}<br />
<br />
== Quick facts ==<br />
* PhD in Physics (ab initio calculations) from Uppsala University in 2009.<br />
* Works at NSC since May 2011.<br />
* '''Note: Peter effectively retired as application expert since 2015. He is now partner manager at NSC, where he develops NSC’s external collaborations with non-academic customers, such as the Swedish Met Office (SMHI) and Saab.'''<br />
<br />
== Expertise ==<br />
* [[expertise::VASP]]<br />
* C++/Python programming<br />
<br />
== Blog ==<br />
<br />
I publish some of my findings from benchmarking and testing on my blog at NSC:<br />
<br />
[http://www.nsc.liu.se/~pla http://www.nsc.liu.se/~pla]<br />
<br />
<!-- == Projects == --><br />
{{#set:project=[[Test suite for VASP]]}}<br />
<br />
== Projects ==<br />
* [[project::Test suite for VASP]]<br />
* [[project::Comparative study of major ab initio software for materials science]]</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=User_talk:Peter_Larsson_(PDC)&diff=7801User talk:Peter Larsson (PDC)2021-04-22T15:09:06Z<p>Thomas Bellman (NSC): Thomas Bellman (NSC) moved page User talk:Peter Larsson (NSC) to User talk:Peter Larsson (PDC): Automatically moved page while renaming the user "Peter Larsson (NSC)" to "[[User:Peter Larsson (PDC)|Peter Larsson (PD...</p>
<hr />
<div>This page is intended for informal discussion. Please feel free to use this page to contact me for anything related to my research area or expertise! This page uses the [[Help:Editing|mediawiki text format]], just like all other pages on this wiki. Order and structure are not really that important on this page, but please try to keep your additions constructive and readable. It is however recommended to start a new heading for every new topic, and to mark your additions with your signature (there is a button for that just on top of the editing area). <br />
<br />
This page will be moderated from time to time, and topics of general interest may be moved to any of the relevant articles. <br />
<br />
Please click any of the Edit links to start talking! <br />
<br />
== Talk ==<br />
<br />
--[[User:Peter Larsson (NSC)|Peter Larsson (NSC)]]: Comments, suggestions and ideas are all welcome!</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=User:Peter_Larsson_(NSC)&diff=7800User:Peter Larsson (NSC)2021-04-22T15:09:06Z<p>Thomas Bellman (NSC): Thomas Bellman (NSC) moved page User:Peter Larsson (NSC) to User:Peter Larsson (PDC): Automatically moved page while renaming the user "Peter Larsson (NSC)" to "Peter Larsson (PDC)"</p>
<hr />
<div>#REDIRECT [[User:Peter Larsson (PDC)]]</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Sectigo_SSO_Portal&diff=7498Requesting a grid certificate using the Sectigo SSO Portal2020-05-05T14:39:39Z<p>Thomas Bellman (NSC): Fix heading levels ("=" to "==", "==" to "===", et.c)</p>
<hr />
<div>== Organization Support ==<br />
<br />
The TCS service has changed backend provider from DigiCert to Sectigo. This page describes how to get a certificate from 2020-05-01 (and before that for testing).<br />
<br />
This section documents organizations known to have done all the setup required to enable this for their users:<br />
<br />
* Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)<br />
* Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)<br />
* Linköpings universitet (verified OK 2020-04-24 by Kent E and colleagues at NSC)<br />
* Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)<br />
* Umeå universitet (verified OK 2020-04-27 by Erik A at HPC2N)<br />
* Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)<br />
<br />
Instructions aimed at your local organization's TCS and IdP administrators are found at https://wiki.sunet.se/display/TCS/SUNET+TCS+2020-+Information+for+administrators#SUNETTCS2020-Informationforadministrators-ConfiguringyourIdPandtheSCMtoenabletheportal and they are welcome to contact tcs@sunet.se to get help with the setup.<br />
<br />
== Requesting a certificate ==<br />
<br />
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant where you will be required to login with your local credentials at your organization.<br />
<br />
If you login and your organization is set up correctly, you will get to a page with the heading "Digital Certificate Enrollment".<br />
<br />
FIXME: Discuss error messages you can get at this point.<br />
<br />
To proceed, you will need to choose if the key for your certificate should be generated by you on your computer, or at the server side. The different methods are described in the two following sections.<br />
<br />
=== Requesting a certificate using a locally generated key and CSR ===<br />
<br />
Use this method:<br />
<br />
* If there is a policy reason for you to refuse to have the key generated on the server side<br />
* If there is a technical reason that needs the key to be generated locally<br />
<br />
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL:<br />
<br />
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
<br />
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Upload CSR<br />
* Use "Choose File" to upload the usercert_request.pem file you created above<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.<br />
<br />
=== Requesting a certificate with server-side generation of key ===<br />
<br />
Use this method:<br />
<br />
* If you can accept that the key is generated on the server side<br />
* If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser<br />
<br />
To use this method, login to https://cert-manager.com/customer/sunet/idp/clientgeant and<br />
<br />
* Select Certificate Profile = GÉANT IGTF-MICS Personal<br />
* Select Private Key = Generate RSA<br />
* Provide the P12 Password that will be used to encrypt the PKCS#12 file you get back<br />
* Click the SUBMIT button and accept the click-through license<br />
<br />
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.<br />
<br />
=== Hitting the maximum number of valid certs ===<br />
<br />
If you get the error message "Sectigo Certificate Manager enrollment request failed. Please contact your security administrator." when you have clicked the SUBMIT button and accepted the click-through license, it may be because you have hit the limit of two valid certificates per identity and certificate profile. Ask your local certificate administrators at your organization to revoke one of your existing certificates. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.<br />
<br />
''2020-04-27 This behaviour will also be reported as a bug to Sectigo to ask them to handle this in a smoother way.''<br />
<br />
== Using the certificate ==<br />
<br />
=== Using the certificate in the web browser ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser. If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself by doing:<br />
<br />
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12<br />
<br />
To import the certs.p12 file into your web browser:<br />
<br />
* Firefox: Select Preferences, type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'certs.p12' file created above, provide the password. You should find your new certificate listed in the 'Your Certificates' table.<br />
* Chrome: Select Settings, access the search icon and type 'certificate', click 'Manage certificates' (you may have to click "More" first to see this), click the 'Import' button, select your 'certs.p12' file created above, provide the password. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
* Other browsers: Please help us out by providing instructions.<br />
<br />
=== Using the certificate with grid tools ===<br />
<br />
If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at [[Preparing a client certificate]].<br />
<br />
If you uploaded a CSR and got certs.pem back, you can do it in one of two ways. The first one:<br />
<br />
* Create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at [[Preparing a client certificate]].<br />
<br />
The other more direct alternative:<br />
<br />
* Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem<br />
* Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem<br />
<br />
FIXME: This section needs testing, feedback and updates from people using grid tools and/or staff directly supporting those users<br />
<br />
== Revoking a certificate ==<br />
<br />
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal&diff=7089Requesting a grid certificate using the Digicert SSO Portal2019-09-26T13:27:26Z<p>Thomas Bellman (NSC): Internal link to "Browser Support" section from reference</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Grid_certificates|< Grid certificates]]<br />
<br />
= Browser Support =<br />
<br />
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.<br />
<br />
Thus, to request a certificate directly in the browser, you need to be using one of these:<br />
<br />
* Safari<br />
* Internet Explorer<br />
* Firefox ESR (as long as they are based on Firefox before version 69)<br />
<br />
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].<br />
<br />
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]]. <br />
<br />
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html<br />
<br />
= Set a master password =<br />
<br />
When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.<br />
<br />
Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins<br />
<br />
= Requesting a personal grid certificate directly in the browser =<br />
<br />
# Start a suitable web browser (see [[#Browser Support|Browser Support]] above for details):<br />
## Windows:<br />
### Internet Explorer<br />
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox up to version 68 (obtained certificate is only available to Firefox)<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
#Normally, leave the CSR field blank to get a key generated in your browser.<br />
#Press "Request Certificate".<br />
#Your certificate is generated and should be automatically imported into your browser.<br />
<br />
= Requesting a personal grid certificate using CSR created outside of the browser =<br />
<br />
# Start a suitable web browser<br />
## Windows:<br />
### Internet Explorer<br />
### Edge<br />
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox (obtained certificate is only available to Firefox)<br />
### Chrome<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:<br />
<br />
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
cat usercert_request.pem<br />
<br />
#Paste the CSR text into the "CSR" text box<br />
#Press "Request Certificate".<br />
#Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).<br />
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.<br />
<br />
unzip mitt_namn_namne12_foo_se.zip<br />
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12<br />
<br />
# Import the PKCS#12 file into your browser(s):<br />
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.<br />
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
## Other browsers: ''Please help us out by providing instructions''.<br />
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.<br />
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.<br />
<br />
= Exporting the Digicert certificate =<br />
<br />
If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.<br />
<br />
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.<br />
<br />
= Adding certificate to OS certificate store =<br />
<br />
Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.<br />
<br />
* [[Add client certificate to keychain on macOS]]<br />
<br />
Windows: '''FIXME: Investigate and update instructions accordingly'''.<br />
<br />
= Using the certificate with grid tools =<br />
<br />
To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.<br />
<br />
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal&diff=7088Requesting a grid certificate using the Digicert SSO Portal2019-09-26T13:08:27Z<p>Thomas Bellman (NSC): Fix chmod command (should *not* be chown)</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Grid_certificates|< Grid certificates]]<br />
<br />
= Browser Support =<br />
<br />
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.<br />
<br />
Thus, to request a certificate directly in the browser, you need to be using one of these:<br />
<br />
* Safari<br />
* Internet Explorer<br />
* Firefox ESR (as long as they are based on Firefox before version 69)<br />
<br />
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].<br />
<br />
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]]. <br />
<br />
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html<br />
<br />
= Set a master password =<br />
<br />
When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.<br />
<br />
Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins<br />
<br />
= Requesting a personal grid certificate directly in the browser =<br />
<br />
# Start a suitable web browser (see Browser Support above for details):<br />
## Windows:<br />
### Internet Explorer<br />
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox up to version 68 (obtained certificate is only available to Firefox)<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
#Normally, leave the CSR field blank to get a key generated in your browser.<br />
#Press "Request Certificate".<br />
#Your certificate is generated and should be automatically imported into your browser.<br />
<br />
= Requesting a personal grid certificate using CSR created outside of the browser =<br />
<br />
# Start a suitable web browser<br />
## Windows:<br />
### Internet Explorer<br />
### Edge<br />
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox (obtained certificate is only available to Firefox)<br />
### Chrome<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:<br />
<br />
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chmod go= userkey.pem<br />
cat usercert_request.pem<br />
<br />
#Paste the CSR text into the "CSR" text box<br />
#Press "Request Certificate".<br />
#Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).<br />
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.<br />
<br />
unzip mitt_namn_namne12_foo_se.zip<br />
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12<br />
<br />
# Import the PKCS#12 file into your browser(s):<br />
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.<br />
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
## Other browsers: ''Please help us out by providing instructions''.<br />
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.<br />
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.<br />
<br />
= Exporting the Digicert certificate =<br />
<br />
If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.<br />
<br />
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.<br />
<br />
= Adding certificate to OS certificate store =<br />
<br />
Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.<br />
<br />
* [[Add client certificate to keychain on macOS]]<br />
<br />
Windows: '''FIXME: Investigate and update instructions accordingly'''.<br />
<br />
= Using the certificate with grid tools =<br />
<br />
To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.<br />
<br />
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal&diff=7087Requesting a grid certificate using the Digicert SSO Portal2019-09-26T13:01:23Z<p>Thomas Bellman (NSC): Note slowness of input field for selecting IDP</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Grid_certificates|< Grid certificates]]<br />
<br />
= Browser Support =<br />
<br />
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.<br />
<br />
Thus, to request a certificate directly in the browser, you need to be using one of these:<br />
<br />
* Safari<br />
* Internet Explorer<br />
* Firefox ESR (as long as they are based on Firefox before version 69)<br />
<br />
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].<br />
<br />
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]]. <br />
<br />
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html<br />
<br />
= Set a master password =<br />
<br />
When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.<br />
<br />
Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins<br />
<br />
= Requesting a personal grid certificate directly in the browser =<br />
<br />
# Start a suitable web browser (see Browser Support above for details):<br />
## Windows:<br />
### Internet Explorer<br />
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox up to version 68 (obtained certificate is only available to Firefox)<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login. (Note that the page is very slow, and it may take several seconds before what you type is even visible in the input field.)<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
#Normally, leave the CSR field blank to get a key generated in your browser.<br />
#Press "Request Certificate".<br />
#Your certificate is generated and should be automatically imported into your browser.<br />
<br />
= Requesting a personal grid certificate using CSR created outside of the browser =<br />
<br />
# Start a suitable web browser<br />
## Windows:<br />
### Internet Explorer<br />
### Edge<br />
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox (obtained certificate is only available to Firefox)<br />
### Chrome<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:<br />
<br />
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chown go= userkey.pem<br />
cat usercert_request.pem<br />
<br />
#Paste the CSR text into the "CSR" text box<br />
#Press "Request Certificate".<br />
#Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).<br />
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.<br />
<br />
unzip mitt_namn_namne12_foo_se.zip<br />
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12<br />
<br />
# Import the PKCS#12 file into your browser(s):<br />
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.<br />
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
## Other browsers: ''Please help us out by providing instructions''.<br />
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.<br />
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.<br />
<br />
= Exporting the Digicert certificate =<br />
<br />
If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.<br />
<br />
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.<br />
<br />
= Adding certificate to OS certificate store =<br />
<br />
Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.<br />
<br />
* [[Add client certificate to keychain on macOS]]<br />
<br />
Windows: '''FIXME: Investigate and update instructions accordingly'''.<br />
<br />
= Using the certificate with grid tools =<br />
<br />
To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.<br />
<br />
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=Requesting_a_grid_certificate_using_the_Digicert_SSO_Portal&diff=7086Requesting a grid certificate using the Digicert SSO Portal2019-09-26T12:57:42Z<p>Thomas Bellman (NSC): Minor rewording</p>
<hr />
<div>[[Category:Grid computing]]<br />
[[Category:SweGrid user guide]]<br />
[[Category:Swestore]]<br />
[[Category:Swestore user guide]]<br />
[[Grid_certificates|< Grid certificates]]<br />
<br />
= Browser Support =<br />
<br />
Browser support for the <keygen> feature used to request and receive certificates directly in the browser is fading away. Google Chrome removed it in 2017 and Firefox removed it in 2019 (from version 69). Microsoft Edge has never supported it. Safari still supports it (as of September 2019), and Internet Explorer has another mechanism available that provides the same feature.<br />
<br />
Thus, to request a certificate directly in the browser, you need to be using one of these:<br />
<br />
* Safari<br />
* Internet Explorer<br />
* Firefox ESR (as long as they are based on Firefox before version 69)<br />
<br />
If that is your case, you can [[#Requesting_a_personal_grid_certificate_directly_in_the_browser|follow the simpler instructions below]].<br />
<br />
For other browsers you need to [[#Requesting_a_personal_grid_certificate_using_CSR_created_outside_of_the_browser|follow the more complex instructions below]]. <br />
<br />
For some background, see https://knowledge.digicert.com/generalinformation/keygenfirefox.html<br />
<br />
= Set a master password =<br />
<br />
When using Firefox, or any browser on Linux/Unix, it is highly recommended to use a Master Password to protect stored logins and passwords.<br />
<br />
Instructions for Firefox: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins<br />
<br />
= Requesting a personal grid certificate directly in the browser =<br />
<br />
# Start a suitable web browser (see Browser Support above for details):<br />
## Windows:<br />
### Internet Explorer<br />
### Firefox up to version 68 (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox up to version 68 (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox up to version 68 (obtained certificate is only available to Firefox)<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
#Normally, leave the CSR field blank to get a key generated in your browser.<br />
#Press "Request Certificate".<br />
#Your certificate is generated and should be automatically imported into your browser.<br />
<br />
= Requesting a personal grid certificate using CSR created outside of the browser =<br />
<br />
# Start a suitable web browser<br />
## Windows:<br />
### Internet Explorer<br />
### Edge<br />
### Firefox (does not use OS certificate store, obtained certificate is only available to Firefox)<br />
## macOS:<br />
### Safari<br />
### Firefox (does not use OS Keychain, obtained certificate is only available to Firefox)<br />
## Linux/Unix:<br />
### Firefox (obtained certificate is only available to Firefox)<br />
### Chrome<br />
#Go to https://digicert.com/sso<br />
#Type the first characters of your university (or similar) and then select the Identity Provider to use for login.<br />
#:[[File:Digicert-idp.png]]<br />
#Login at your home university.<br />
#Select the ''Grid Premium'' product.<br />
#:[[File:Digicert-product-select.png]]<br />
# Generate a CSR using 'openssl req' (remember any pass phrase used to encrypt the key) and display the CSR:<br />
<br />
openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'<br />
chown go= userkey.pem<br />
cat usercert_request.pem<br />
<br />
#Paste the CSR text into the "CSR" text box<br />
#Press "Request Certificate".<br />
#Your certificate is generated and you will get to a page listing all your personal certificates. Scroll to the bottom if needed to find the latest one generated now and use the Download button to save the ZIP file (the name of the file depends on your name).<br />
# Unzip the ZIP file and make a PKCS#12 file from its certificate together with the key you generated above, remembering that your exact names for the directory and certificate file will vary. You will need to reenter your key passphrase from above, and then set a new passphrase for the PKCS#12 export file itself.<br />
<br />
unzip mitt_namn_namne12_foo_se.zip<br />
openssl pkcs12 -export -inkey userkey.pem -in mitt_namn_namne12_foo_se/mitt_namn_namne12_foo_se.crt -out my_cert.p12<br />
<br />
# Import the PKCS#12 file into your browser(s):<br />
## Firefox: Select ''Preferences'', type 'certificate' in the search box, click button 'View Certificates', click button 'Import', select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed in the 'Your Certificates' table.<br />
## Chrome: Select ''Settings'', access the search icon and type 'certificate', click 'Manage certificates', click the 'Import' button, select your 'my_cert.p12' file created above, provide the passphrase. You should find your new certificate listed on the page, after unfolding the right organization heading.<br />
## Other browsers: ''Please help us out by providing instructions''.<br />
# Quit your web browser, start it again, try accessing a site protected by your grid certificate (making sure you select the new certificate) and verify that it works.<br />
# Remove the userkey.pem and my_cert.p12 files (or take care of them in some other good way) as they do contain your private key.<br />
<br />
= Exporting the Digicert certificate =<br />
<br />
If you need to use the certificate with other programs it needs to be exported to a file and imported where appropriate.<br />
<br />
See [[Exporting a client certificate]] for detailed instructions on how to export a Digicert certificate from the most popular browsers.<br />
<br />
= Adding certificate to OS certificate store =<br />
<br />
Some operating systems have a built-in keychain/keystore. If Firefox was used, the certificate needs to be imported into the keychain/keystore in order to be available to other programs.<br />
<br />
* [[Add client certificate to keychain on macOS]]<br />
<br />
Windows: '''FIXME: Investigate and update instructions accordingly'''.<br />
<br />
= Using the certificate with grid tools =<br />
<br />
To use the Digicert certificates with the ARC grid client they have to be exported from the browser into a file and then converted into a suitable format.<br />
<br />
See [[Preparing a client certificate]] for detailed instructions on how to prepare an exported certificate for use with grid tools.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=File:Thomas_bellman_column_output.py&diff=3251File:Thomas bellman column output.py2012-01-11T16:21:41Z<p>Thomas Bellman (NSC): A Python class to help in creating output in nice columns.</p>
<hr />
<div>A Python class to help in creating output in nice columns.</div>Thomas Bellman (NSC)https://docs.snic.se/w/index.php?title=User:Torben_Rasmussen_(NSC)/SweGrid_old/Grid_certificates&diff=360User:Torben Rasmussen (NSC)/SweGrid old/Grid certificates2011-04-09T13:43:31Z<p>Thomas Bellman (NSC): An -> A</p>
<hr />
<div>A certificate is the equivalent of a passport in real life. Just as you have to prove your credentials when you acquire a passport, you have to prove them to obtain a certificate. A Certificate Authority (CA) has to vouch for your identity and sign your certificate.<br />
<br />
A certificate consists of 2 parts: a private key and a public key. The private key is your secret and should be kept as secure as possible. The receiving party uses the public key to verify signatures made with your private key. The public part is also used to verify that the certificate is correct when you have the public part of the CA certificate.<br />
<br />
For more information regarding certificates and public key cryptography, see http://en.wikipedia.org/wiki/Public-key_cryptography and http://en.wikipedia.org/wiki/Public_key_certificate<br />
<br />
== Requesting a certificate with ARC tools ==<br />
<br />
The first step in acquiring a certificate is to create a certificate request. This is done using the '''grid-cert-request -int''' command. (The -int option means interactive usage.) When issued, the tool will generate a certificate request and a private key. The tool will also ask for a password to protect the private key. Note that if the password is lost, a new certificate must be obtained. The process is shown below:<br />
<br />
First the private key is generated:<br />
<br />
<pre>$ grid-cert-request -int<br />
A certificate request and private key is being created.<br />
You will be asked to enter a PEM pass phrase.<br />
This pass phrase is akin to your account password,<br />
and is used to protect your key file.<br />
If you forget your pass phrase, you will need to<br />
obtain a new certificate.<br />
<br />
Using configuration from /etc/grid-security/globus-user-ssl.conf<br />
Generating a 1024 bit RSA private key<br />
.....................................++++++<br />
....................++++++<br />
writing new private key to '/home/jonas/.globus/userkey.pem'</pre><br />
To protect the private key from unauthorized access it is encrypted using a pass phrase. If this pass phrase is empty, anyone with access to your private key and certificate can gain access to the resources you have been granted. The pass phrase should also be different from your normal login password, so that if your local system has been compromised the private key is still protected.<br />
<br />
<pre>-----<br />
You are about to be asked to enter information that will be<br />
incorporated into your certificate request. What you are about to<br />
enter is what is called a Distinguished Name or a DN. There are<br />
quite a few fields but you can leave some blank For some fields<br />
there will be a default value, If you enter '.', the field will be<br />
left blank.<br />
-----<br />
Level 0 Organization Name (do not modify) [Grid]:<br />
Level 1 Organization Name (do not modify) [NorduGrid]:</pre><br />
The following questions concern your affiliation domain and your email. It is important that your domain and the domain in the email address are the same:<br />
<br />
<pre>Your Domain [example.org]:mydomain.org<br />
Name (e.g., Hans Christian Andersen) []:Joe User<br />
Email address (e.g., h.c.andersen@example.org) []:joe.user@<br />
mydomain.org</pre><br />
Finally, the private key and a certificate request are generated:<br />
<br />
<pre>A private key and a certificate request has been generated with<br />
the subject:<br />
<br />
/O=Grid/O=NorduGrid/OU=mydomain.org/CN=Joe User/Email=joe.user@<br />
mydomain.org<br />
<br />
If the CN=Joe User/Email=joe.user@mydomain.org is not appropriate,<br />
rerun this script with the -force -cn &quot;Common Name&quot; options.<br />
<br />
Your private key is stored in /home/joe/.globus/userkey.pem<br />
Your request is stored in /home/joe/.globus/usercert_request.pem<br />
<br />
Please e-mail the request to the NorduGrid Certification Authority<br />
ca@nbi.dk You may use a command similar to the following:<br />
<br />
cat /home/jonas/.globus/usercert_request.pem | mail ca@nbi.dk<br />
<br />
Only use the above if this machine can send AND receive e-mail. if<br />
not, please mail using some other method.<br />
<br />
Your certificate will be mailed to you within two working days. If<br />
you receive no response, contact NorduGrid Certification Authority<br />
at ca@nbi.dk</pre><br />
The result of the command is three files, '''userkey.pem''', '''usercert.pem''' and '''usercert_request.pem''', in a subdirectory called '''.globus''' in the user's home directory. The '''userkey.pem''' file is your private key and should not be world readable. This can be achieved by using '''chmod 400 userkey.pem'''.<br />
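<br />
The two protections described above (a non-empty pass phrase and restrictive file permissions) can be checked with a small script. This is an added example, not part of the ARC or Globus tools; the function names are hypothetical, and it assumes the key is a PEM file as written by '''grid-cert-request'''.<br />

```shell
#!/bin/sh
# Added example: audit a grid private key file (hypothetical helper names).
# Usage: audit_key [path]   (default: $HOME/.globus/userkey.pem)

# Print the permission bits of a file in octal (GNU stat first, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if neither group nor others have any access to the file.
key_is_private() {
    mode=$(key_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;   # e.g. 400 or 600
        *)     return 1 ;;   # e.g. 640 or 644
    esac
}

# Succeed only if the PEM file holds a pass-phrase-encrypted key:
# either a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a traditional
# key carrying the "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Run both checks and report; returns 0 only if both pass.
audit_key() {
    key=${1:-$HOME/.globus/userkey.pem}
    status=0
    [ -f "$key" ] || { echo "missing: $key"; return 2; }
    key_is_private "$key" ||
        { echo "FAIL: $key is accessible to group or others (chmod 400)"; status=1; }
    key_is_encrypted "$key" ||
        { echo "FAIL: $key is not protected by a pass phrase"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $key"
    return "$status"
}
```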
<br />
The contents of '''usercert_request.pem''' should be sent by mail to your nearest Registration Authority (RA). The RA will verify your request and your identity. This can involve meeting with the RA and proving your identity with a passport or equivalent documents. The current list of RAs can be found at the following page:<br />
<br />
[http://ca.nordugrid.org/ra.html http://ca.nordugrid.org/ra.html]<br />
<br />
== Installing certificate ==<br />
<br />
When the signed certificate is received from the CA it has to be added to the '''usercert.pem''' file in the '''.globus''' directory.<br />
<br />
The important parts of the mail are shown below:<br />
<br />
<pre>-----BEGIN CERTIFICATE-----<br />
xasdj ...<br />
-----END CERTIFICATE-----</pre><br />
Copy the part shown above into the file <tt>usercert.pem</tt> in the <tt>.globus</tt> directory in your home directory.<br />
<br />
== Verifying the certificate ==<br />
<br />
To verify that the certificate is correctly installed, issue the following command:<br />
<br />
<pre>$ grid-cert-info -subject<br />
/O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann</pre><br />
This should display the Distinguished Name (DN) of the installed certificate.<br />
<br />
== Checking certificate expiration ==<br />
<br />
To check the expiration date of a certificate, issue the following command:<br />
<br />
<pre>$ grid-cert-info -enddate<br />
Mar 18 15:10:41 2011 GMT</pre><br />
<br />
= Proxy certificates =<br />
<br />
Authentication on the grid is done by using special short-lived proxy certificates, which delegate authentication to specific resources.<br />
<br />
== Creating a proxy certificate ==<br />
<br />
To create a short-lived proxy that can be used for authentication with grid services, the '''grid-proxy-init''' command can be used. A 12 hour (default) proxy is created in the following example:<br />
<br />
<pre>$ grid-proxy-init <br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Enter GRID pass phrase for this identity:<br />
Creating proxy .................................................... Done<br />
Your proxy is valid until: Tue Jan 25 01:22:59 2011</pre><br />
The proxy file itself will be created in the <tt>/tmp</tt> directory with the format <tt>x509up_[uid]</tt>, where uid is the userid number for your user account.<br />
<br />
In some cases a longer-lived proxy will be needed. This is achieved using the '''-valid''' switch. A 24-hour proxy can be created by issuing the following command:<br />
<br />
<pre>[jonas@localhost ~]$ grid-proxy-init -valid 24:00<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Enter GRID pass phrase for this identity:<br />
Creating proxy ................................................... Done<br />
Your proxy is valid until: Thu Feb 10 18:48:34 2011 </pre><br />
<br />
== Checking proxy lifetime ==<br />
<br />
The remaining lifetime of a proxy-certificate can be queried using the '''grid-proxy-info''' command:<br />
<br />
<pre>$ grid-proxy-info<br />
subject : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=704530122<br />
issuer : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
type : RFC 3820 compliant impersonation proxy<br />
strength : 512 bits<br />
path : /tmp/x509up_u500<br />
timeleft : 0:00:00</pre><br />
In this case the proxy has expired. Creating a new proxy-certificate with the '''grid-proxy-init''' command produces the following output from '''grid-proxy-info''':<br />
<br />
<pre>$ grid-proxy-info<br />
subject : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1908712807<br />
issuer : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
identity : /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
type : RFC 3820 compliant impersonation proxy<br />
strength : 512 bits<br />
path : /tmp/x509up_u500<br />
timeleft : 11:59:55</pre><br />
This shows that the proxy certificate is valid for 11 hours 59 minutes.<br />
<br />
== Destroying a proxy certificate ==<br />
<br />
A proxy certificate can be destroyed using the '''grid-proxy-destroy''' command. This command will essentially just delete the temporary proxy file created with '''grid-proxy-init'''.<br />
<br />
== Creating a proxy certificate (ARC 1.x) ==<br />
<br />
To create a short-lived proxy that can be used for authentication with grid services, the '''arcproxy''' command can be used. A 12 hour (default) proxy is created in the following example:<br />
<br />
<pre><br />
[jonas@localhost ~]$ arcproxy<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Enter pass phrase for /home/jonas/.globus/userkey.pem:<br />
.++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-11 03:00:14<br />
</pre><br />
<br />
The proxy file itself will be created in the '''/tmp''' directory with the format '''x509up_[uid]''', where uid is the userid number for your user account.<br />
<br />
In some cases a longer-lived proxy will be needed. This is achieved using the '''--constraint''' switch. A 24-hour proxy can be created by issuing the following command:<br />
<br />
<pre><br />
[jonas@localhost ~]$ arcproxy --constraint="validityPeriod=24H"<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Enter pass phrase for /home/jonas/.globus/userkey.pem:<br />
....++++++<br />
.....++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-11 15:03:19<br />
</pre><br />
<br />
'''NOTE:''' When using ARC 0.8.x a GSI proxy is required. To generate a GSI proxy, the '''--old''' or '''-O''' switches can be used:<br />
<br />
<pre><br />
[jonas@localhost ~]$ arcproxy -O<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Enter pass phrase for /home/jonas/.globus/userkey.pem:<br />
................++++++<br />
......++++++<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-11 03:15:04<br />
</pre><br />
<br />
== Checking proxy lifetime (ARC 1.x) ==<br />
<br />
The remaining lifetime of a proxy-certificate can be queried using the '''arcproxy''' command using the '''--info''' switch.<br />
<br />
<pre><br />
[jonas@localhost ~]$ arcproxy --info<br />
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=1567862803<br />
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Time left for proxy: 11 hours 55 minutes<br />
Proxy path: /tmp/x509up_u500<br />
Proxy type: X.509 Proxy Certificate Profile RFC compliant restricted proxy<br />
</pre><br />
<br />
Which shows that the proxy certificate is valid for 11 hours 59 minutes.<br />
<br />
If a GSI proxy was generated the output would be:<br />
<br />
<pre><br />
[jonas@localhost ~]$ arcproxy --info<br />
Subject: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann/CN=proxy<br />
Identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Time left for proxy: 11 hours 54 minutes 57 seconds<br />
Proxy path: /tmp/x509up_u500<br />
Proxy type: Legacy Globus impersonation proxy<br />
</pre><br />
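The three "time left" formats shown on this page (from '''grid-proxy-info''', and from '''arcproxy --info''' with and without seconds) can be turned into seconds so that a script can renew the proxy before submitting work. This is an added example, not part of the ARC or Globus tools; the function names are hypothetical and only the units shown on this page are handled.<br />

```shell
#!/bin/sh
# Added example: parse the remaining proxy lifetime (hypothetical helper names).
# Typical use, with commands from this page:
#   grid-proxy-info | proxy_needs_renewal 3600 && grid-proxy-init

# Read grid-proxy-info or arcproxy --info output on stdin and print the
# remaining lifetime in seconds. Fails if no lifetime line is found.
proxy_seconds_left() {
    awk '
    /^timeleft[ \t]*:/ {                      # timeleft : 11:59:55
        sub(/^timeleft[ \t]*:[ \t]*/, "")
        if (split($0, t, ":") == 3) {
            print t[1] * 3600 + t[2] * 60 + t[3]
            ok = 1
            exit
        }
    }
    /^Time left for proxy:/ {                 # ... 11 hours 54 minutes 57 seconds
        secs = 0
        for (i = 5; i < NF; i++) {
            if ($(i + 1) ~ /^hours?$/)   secs += $i * 3600
            if ($(i + 1) ~ /^minutes?$/) secs += $i * 60
            if ($(i + 1) ~ /^seconds?$/) secs += $i
        }
        print secs
        ok = 1
        exit
    }
    END { exit !ok }'
}

# Succeed when the proxy described on stdin has fewer than $1 seconds left,
# or when no lifetime could be parsed (fail safe: renew when unsure).
proxy_needs_renewal() {
    left=$(proxy_seconds_left) || return 0
    [ "$left" -lt "$1" ]
}
```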
<br />
== Destroying a proxy certificate (ARC 1.x) ==<br />
<br />
ARC 1.x does not have an explicit command for destroying a proxy.<br />
<br />
= VOMS certificates =<br />
<br />
To use the SweStore national storage resources, membership in a virtual organisation (VO) is required. Accessing the storage resources requires a special grid proxy certificate which indicates VO membership. This proxy certificate must be signed by the virtual organisation management server (VOMS). To enable this signing process, configuration files have to be added to the system. First, a '''$HOME/.voms/vomses''' file with the following contents must be added:<br />
<br />
<pre>"swegrid.se" "voms.ndgf.org" "15009" "/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org" "swegrid.se"</pre><br />
<br />
Next, the file '''/etc/grid-security/vomsdir/swegrid.se/voms.ndgf.org.lsc''' must be added with the following contents:<br />
<br />
<pre>/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org<br />
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</pre><br />
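The two files must agree: the server DN in the fourth field of the '''vomses''' entry is the same DN as the first line of the '''.lsc''' file, and the '''.lsc''' path is built from the VO name and the host name. The following check for that consistency is an added example, not part of the VOMS or ARC tools; the function names are hypothetical.<br />

```shell
#!/bin/sh
# Added example: cross-check a vomses file against the vomsdir .lsc files
# (hypothetical helper names).
# Usage: check_voms_config "$HOME/.voms/vomses" /etc/grid-security/vomsdir

# Print field N (1-5) of the vomses line on stdin. Fields are double-quoted
# and may contain spaces: "alias" "host" "port" "server DN" "VO name".
vomses_field() {
    awk -F'"' -v n="$1" 'NF >= 11 { print $(2 * n); found = 1; exit }
                         END { exit !found }'
}

# For every vomses entry, require a numeric port and an .lsc file at
# VOMSDIR/<VO name>/<host>.lsc whose first line equals the server DN.
check_voms_config() {
    vomses=$1; vomsdir=$2; rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=$(printf '%s\n' "$line" | vomses_field 2) ||
            { echo "malformed vomses line: $line"; rc=1; continue; }
        port=$(printf '%s\n' "$line" | vomses_field 3)
        dn=$(printf '%s\n' "$line" | vomses_field 4)
        vo=$(printf '%s\n' "$line" | vomses_field 5)
        case "$port" in
            ''|*[!0-9]*) echo "bad port '$port' for $host"; rc=1 ;;
        esac
        lsc="$vomsdir/$vo/$host.lsc"
        if [ ! -f "$lsc" ]; then
            echo "missing $lsc"; rc=1
        elif [ "$(sed -n 1p "$lsc")" != "$dn" ]; then
            echo "server DN in $lsc differs from the vomses entry for $host"; rc=1
        fi
    done < "$vomses"
    return "$rc"
}
```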
<br />
== Creating a VOMS proxy (ARC 0.8.x) ==<br />
<br />
To create a proxy certificate, the '''voms-proxy-init''' command is used. In the following example a VOMS proxy certificate is created with membership in the '''ops''' group.<br />
<br />
<pre><br />
[jonas@localhost ~]$ voms-proxy-init -voms swegrid.se:/swegrid.se/ops<br />
<br />
Enter GRID pass phrase:<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Creating temporary proxy ............................................................. Done<br />
Contacting voms.ndgf.org:15009 [/O=Grid/O=NorduGrid/CN=host/voms.ndgf.org] "swegrid.se" Done<br />
Creating proxy .......................................................... Done<br />
Your proxy is valid until Thu Mar 10 23:14:57 2011<br />
</pre><br />
<br />
== Creating a VOMS proxy (ARC 1.x) ==<br />
<br />
VOMS proxies in ARC 1.x can be created using the '''arcproxy''' command and the '''-S''' or '''--voms''' switches as shown in the following example:<br />
<br />
<pre><br />
[jonas@localhost ~]$ arcproxy -S swegrid.se:/swegrid.se/ops<br />
Your identity: /O=Grid/O=NorduGrid/OU=lunarc.lu.se/CN=Jonas Lindemann<br />
Enter pass phrase for /home/jonas/.globus/userkey.pem:<br />
.....++++++<br />
............++++++<br />
Contacting VOMS server (named swegrid.se): voms.ndgf.org on port: 15009<br />
Proxy generation succeeded<br />
Your proxy is valid until: 2011-03-10 23:33:06<br />
</pre></div>Thomas Bellman (NSC)