After many years, the German GridKa Certification Authority (CA) at KIT in Karlsruhe will cease operation on 11 June 2023, when its CA certificate expires. As its successor, GÉANT (Europe's leading collaboration on network and related infrastructure and services for the benefit of research and education) now offers the Sectigo Certificate Manager service for obtaining Grid user certificates.
In order to access global Grid resources, users must hold a valid personal Grid user certificate (authentication) AND must be members of a Virtual Organization (VO) (authorization). A valid Grid user certificate is a prerequisite for requesting membership in a VO. Users usually have one Grid user certificate; membership in multiple VOs is possible.[1]
A Grid user certificate (X.509 format) consists of a private key, protected by a private password, and a certified public key. The private key and the password are exclusively in the user's possession and are NOT known to the Registration Authority (RA) or the Certification Authority (CA) at any stage.
A certificate is valid for one (1) year and can be renewed. The CA notifies users by email three (3) weeks before the expiration date. It is strongly recommended to renew the certificate before it expires.
The certificate can (and should) be copied to all devices and browsers that need it.
The GÉANT CA is part of the International Grid Trust Federation (IGTF), hence Grid user certificates are accepted by all Grid sites in WLCG. To facilitate the request procedure, many institutions in Germany operate Registration Authorities (RAs) which take over the necessary paperwork on behalf of the CA.
BUW employees may use their ZIM account to authenticate against GÉANT and request a Grid user certificate. Use the Certificate Manager SSO Check portal to test your account.
Non-BUW users cannot use the portal and should check with their home institution's officials how to proceed.
Download the certs.p12 file the User Cert Manager offers you, then extract the certificate and the private key with openssl and restrict the permissions of the key file:

```shell
openssl pkcs12 -clcerts -nokeys -in certs.p12 -out usercert.pem
openssl pkcs12 -nocerts -in certs.p12 -out userkey.pem
chmod 400 userkey.pem
```
The USERTRUST Network certificate authority needs to be trusted for all operations:

- In the "The USERTRUST Network" block, select "Edit Trust" for "GEANT eScience Personal CA" and ensure that all trust settings are enabled.
- Under "org-The USERTRUST Network", ensure that for both entries under ⋮ → Edit all trust settings are selected.
- Then exit the respective browser's menu.
Technically a new private/public key pair is created with every renewal.
Preferences -> Privacy & Security -> Certificates -> View Certificates -> Your Certificates (-> Backup)
Download/export the file either from the browser or directly to ~/.globus/usercert.p12 and make sure to save the old files. Then use openssl to extract ~/.globus/usercert.pem and ~/.globus/userkey.pem. Have your export passphrase at hand!
```shell
> cd ~/.globus
> mv certs.p12 certs.p12.old
> mv usercert.pem usercert.pem.old
> mv userkey.pem userkey.pem.old
> ls -l
-r-------- 1 account group 8213 24. Jan 14:36 certs.p12
-r-------- 1 account group 2611 31. Jan 13:40 certs.p12.old
> openssl pkcs12 -clcerts -nokeys -in certs.p12 -out usercert.pem
> openssl pkcs12 -nocerts -in certs.p12 -out userkey.pem
> ls -l
-r-------- 1 account group 8213 24. Jan 14:36 certs.p12
-r-------- 1 account group 8213 24. Jan 14:38 usercert.pem
-r-------- 1 account group 2611 31. Jan 13:42 userkey.pem
```
Please make sure your public (usercert.pem) and private (userkey.pem) keys are in place, carry the expected permissions, are within their validity period and belong together (the two modulus hashes must be identical):
```shell
> cd ~/.globus
> ls -l
...
-r--r--r-- 1 account group 1728 8. Apr 09:36 usercert.pem
-r-------- 1 account group 2012 8. Apr 09:36 userkey.pem
> openssl x509 -subject -issuer -dates -noout -in usercert.pem
subject= /DC=org/DC=terena/DC=tcs/C=DE/O=Bergische Universitaet Wuppertal/CN=Harenberg, Torsten firstname.lastname@example.org
issuer= /C=NL/O=GEANT Vereniging/CN=GEANT eScience Personal CA 4
notBefore=Apr 20 00:00:00 2022 GMT
notAfter=Apr 20 23:59:59 2023 GMT
> openssl x509 -noout -modulus -in usercert.pem | openssl md5
> openssl rsa -noout -modulus -in userkey.pem | openssl md5
```
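The extraction, renewal and verification steps from the sections above, combined into one shell script. This is an added example, not part of the original page and not a tool of GÉANT or Sectigo. It assumes that openssl is in PATH, that the export passphrase is supplied through an environment variable P12_PASS (an assumption chosen so the passphrase never appears on the command line), and that the target directory is passed as an argument instead of being hard-wired to ~/.globus. Because it has no real certificate to work with, it builds a self-signed demo key pair packed into a PKCS#12 file as a constructed stand-in for the downloaded certs.p12.

```shell
#!/bin/sh
# Added example, not from the original page: renew a Grid user certificate
# on the command line. It backs up the previous files, installs the newly
# downloaded PKCS#12 file, extracts usercert.pem and userkey.pem with openssl,
# locks down the file modes and checks that key and certificate belong
# together and that the certificate is not about to expire.
# Assumptions: openssl in PATH; the export passphrase in $P12_PASS (read via
# "env:", so it is not visible in the process list); target directory given
# as an argument so the demo can run in a scratch directory.
set -eu

# Move the previous certs.p12 / usercert.pem / userkey.pem aside as *.old.
backup_old_files() {
    dir="$1"
    for f in certs.p12 usercert.pem userkey.pem; do
        if [ -f "$dir/$f" ]; then mv "$dir/$f" "$dir/$f.old"; fi
    done
}

# Extract the certificate (no key) and the still-encrypted private key from
# certs.p12, then apply the recommended modes (0444 cert, 0400 key and p12).
extract_pem() {
    dir="$1"
    openssl pkcs12 -clcerts -nokeys -in "$dir/certs.p12" \
        -out "$dir/usercert.pem" -passin env:P12_PASS
    openssl pkcs12 -nocerts -in "$dir/certs.p12" \
        -out "$dir/userkey.pem" -passin env:P12_PASS -passout env:P12_PASS
    chmod 400 "$dir/certs.p12" "$dir/userkey.pem"
    chmod 444 "$dir/usercert.pem"
}

# Certificate and private key must carry the same RSA modulus (the page's
# two "openssl md5" lines); returns 0 on a match, 1 otherwise.
keys_match() {
    dir="$1"
    c=$(openssl x509 -noout -modulus -in "$dir/usercert.pem" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$dir/userkey.pem" -passin env:P12_PASS | openssl md5)
    [ "$c" = "$k" ]
}

# Returns 0 if the certificate in $1 is still valid for at least $2 more days
# (the CA warns three weeks ahead, so 21 is a sensible threshold).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Mode string as shown by ls -l, e.g. "-r--------" for the private key.
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Full renewal: back up, install the downloaded file, extract, verify.
renew_certificate() {
    dir="$1"; downloaded="$2"
    backup_old_files "$dir"
    mv "$downloaded" "$dir/certs.p12"
    extract_pem "$dir"
    keys_match "$dir"
    cert_valid_for_days "$dir/usercert.pem" 21
}

# Constructed stand-in for the file the Certificate Manager lets you download:
# a self-signed key pair packed into a PKCS#12 file (demo data only).
make_demo_p12() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/DC=org/DC=example/O=Example University/CN=Demo User" \
        -keyout "$dir/demo-key.pem" -out "$dir/demo-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/demo-cert.pem" -inkey "$dir/demo-key.pem" \
        -out "$dir/downloaded.p12" -passout env:P12_PASS
    rm -f "$dir/demo-key.pem" "$dir/demo-cert.pem"
}

# Run with:  P12_PASS='your export passphrase' sh renew.sh demo
# to exercise everything against a scratch directory.
if [ "${1:-}" = "demo" ]; then
    P12_PASS="${P12_PASS:-demo-passphrase}"; export P12_PASS
    scratch=$(mktemp -d)
    make_demo_p12 "$scratch"
    renew_certificate "$scratch" "$scratch/downloaded.p12"
    echo "renewed into $scratch:"; ls -l "$scratch"
    echo "key mode: $(file_mode "$scratch/userkey.pem")"
fi
```

For a real renewal, point renew_certificate at ~/.globus and at the certs.p12 the browser saved; the script then performs the same mv, openssl and chmod sequence as the transcript above, but turns the visual comparison of the two modulus hashes and the reading of the notAfter date into pass/fail exit codes, so a mismatched key or a certificate within its last three weeks stops the script instead of going unnoticed.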
[1] A Grid user certificate can be seen as an analogy to a passport, whereas the VO membership compares to a visa.