What Is a Grid Certificate?
A Grid certificate is something like a digital identity card for the Grid world: with a Grid certificate you can prove who you are (authentication). It is issued and digitally signed by a so-called Certification Authority (CA), which vouches that the bearer of the certificate is really you. To get a Grid certificate, you first generate a certificate request. The request is then digitally signed by the Certification Authority and thereby becomes a valid, trusted certificate.
Technically speaking, a Grid certificate is an X.509 certificate which binds your name (the subject DN) to an RSA public key; the matching private key is generated on your side and never leaves you. The certificate itself can be made public, but the corresponding private key must be kept secret! There should be exactly one certificate per human being: no user should own more than one certificate, and no certificate should be used by more than one person.
Getting a Grid Certificate
Paperwork at DESY
- Print a paper copy of the DESY Identification Form and fill in the form.
- Get it signed by your supervisor.
- Send it to UCO.
Electronic certificate request
Go to the GridKa-CA website. Fill in the form, selecting “Organization (OU): DESY” and “Request Type: Personal Certificate”.
Final steps (First request and renewal)
Once we have confirmed your identity (first request only) and you have requested a certificate with GridKa, the DESY Registration Authority will either accept or reject the request. No action from your side is required; this is usually done within a couple of hours, and you will be notified.
Once the DESY Registration Authority has accepted the request, the Certification Authority (CA) at GridKa will proceed and sign your certificate request. You will be contacted once your certificate is ready for retrieval.
Follow the instructions contained in your notification email. Note: use the same browser you used for the certificate request. The private key was generated in that browser's certificate store during the request, and the signed certificate can only be installed next to it.
You can now use the certificate to authenticate against web servers. For job submission or data management, you must convert your certificate and store it in the $HOME/.globus/ directory. Consult the GridKa help page [in German / in English], especially the sections "Exporting certificates from your browser" and "Converting certificates and keys".
This documentation and also a FAQ section can be found at the official DESY Grid Computing web page.
Exporting the Certificate from Your Browser
You have to export (called "backup" in Firefox) the certificate and its private key from your browser in order to use it for your Grid activities. In Firefox: "Edit > Preferences > Advanced > Encryption > View Certificates", select the German Grid certificate, which should be in the list, and click "Backup". Export it as a .p12 file (which has to be protected by a password) and split it into certificate and key with openssl:
openssl pkcs12 -in usercert.p12 -nokeys -clcerts -out usercert.pem
openssl pkcs12 -in usercert.p12 -nocerts -out userkey.pem
Both commands ask for the export password of the .p12 file; the second one additionally asks for a new passphrase with which userkey.pem is encrypted. Do not add -nodes to it, which would write the private key unencrypted.
You should use a secure passphrase to protect your private key! Afterwards the p12 file can be deleted again.
You will typically have your certificate and its private key stored in your AFS home directory, where access is governed by AFS ACLs rather than by the Unix mode bits. Nevertheless, the Grid proxy tools refuse to run if the mode bits make your private key look group- or world-readable, so you have to restrict its permissions:
chmod 400 userkey.pem
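Putting the export, conversion and permission steps together, here is an added example script (not from the DESY or GridKa documentation) that installs a browser-exported usercert.p12 into $HOME/.globus/ and then runs the checks a practitioner wants before the first voms-proxy-init: that the key is still passphrase-protected, that it has mode 400, that it actually belongs to the certificate, and that the certificate is not about to expire. The environment variables P12_PASS (export password) and KEY_PASS (new key passphrase) are this script's own convention; when they are unset, openssl prompts exactly as in the manual commands above.

```shell
#!/bin/sh
# Added example, not part of the DESY/GridKa documentation: turn the PKCS#12
# file exported from the browser into the $HOME/.globus/{usercert,userkey}.pem
# pair the Grid tools expect, then verify the result the way the proxy tools
# will. Assumption of this script: the passphrases may be supplied through
# P12_PASS (export password) and KEY_PASS (new key passphrase); when they are
# unset, openssl prompts interactively as in the manual steps.

# Octal permission bits of a file (GNU stat, with the BSD spelling as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_grid_cert usercert.p12 [dir]: split the .p12 into usercert.pem and
# userkey.pem below dir (default $HOME/.globus) and set the required modes.
install_grid_cert() {
    p12=$1
    dir=${2:-$HOME/.globus}
    pin=${P12_PASS:+-passin env:P12_PASS}
    pout=${KEY_PASS:+-passout env:KEY_PASS}
    mkdir -p "$dir" || return 1
    # certificate only: -nokeys drops the key, -clcerts drops any CA certificates
    openssl pkcs12 -in "$p12" -nokeys -clcerts $pin -out "$dir/usercert.pem" || return 1
    # key only: -nocerts; no -nodes, so the key is written passphrase-protected
    openssl pkcs12 -in "$p12" -nocerts $pin $pout -out "$dir/userkey.pem" || return 1
    chmod 644 "$dir/usercert.pem" || return 1
    chmod 400 "$dir/userkey.pem"   # grid-proxy-init/voms-proxy-init refuse anything wider
}

# grid_dn usercert.pem: subject DN in the /C=.../CN=... form used by VOMS and proxies.
grid_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# check_grid_cert [dir]: verify an installed pair. KEY_PASS (if set) unlocks the
# key, otherwise openssl asks. Every failed check is reported on stderr; the
# return value is 0 only if all checks pass.
check_grid_cert() {
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem
    status=0
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing $cert or $key" >&2; return 1; }
    # 1. the private key must be stored encrypted (PKCS#8 or traditional PEM header)
    grep -q ENCRYPTED "$key" \
        || { echo "userkey.pem is not passphrase-protected" >&2; status=1; }
    # 2. mode 400 or 600: anything group/world-readable is rejected by the proxy tools
    case $(file_mode "$key") in
        400|600) ;;
        *) echo "userkey.pem must be mode 400 (is $(file_mode "$key"))" >&2; status=1 ;;
    esac
    # 3. the key must belong to the certificate: compare the two public keys
    pin=${KEY_PASS:+-passin env:KEY_PASS}
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" $pin -pubout 2>/dev/null) || keypub=
    [ -n "$keypub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "userkey.pem does not match usercert.pem" >&2; status=1; }
    # 4. the certificate must be valid for at least another day (renewal takes time)
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "usercert.pem expires within 24 h: renew it" >&2; status=1; }
    [ "$status" = 0 ] && echo "OK: $(grid_dn "$cert")"
    return $status
}

# Usage: sh grid-cert-install.sh usercert.p12   (install into $HOME/.globus, then verify)
#        sh grid-cert-install.sh                 (only verify an existing $HOME/.globus)
if [ $# -gt 0 ]; then
    install_grid_cert "$1" && check_grid_cert
else
    [ -d "$HOME/.globus" ] && check_grid_cert
fi
```

The public-key comparison in step 3 is the one check the manual steps give you no feedback on: a userkey.pem from an older export combined with a renewed usercert.pem passes the permission check and still fails at voms-proxy-init with an unhelpful error.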
Certificates in Your Browser – Important Remark
You should make sure that your web browser only sends your certificate if you acknowledge this (Heise tells you why): a browser that presents the certificate automatically reveals your name to every web site that asks for a client certificate. In Firefox you have to set the option "Edit > Preferences > Advanced > Security > Certificates: When a web site requires a certificate:" to "Ask me every time".
To check your browser settings, visit a web site which requests user identification. You should see a confirmation dialogue before your certificate is sent to the remote host. You’ll see your name on the web page only if you agree to identify yourself with a certificate.
In case you don't have your .p12 certificate anymore you can regenerate it from the key and cert file:
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12
Becoming a Member of a Virtual Organisation
A Virtual Organisation (VO) is a user group in the Grid world. As a member of a VO, you are granted access to the Grid resources which are available to that VO (authorisation). Membership in a VO is managed by the so-called VOMS service (Virtual Organisation Membership Service). To become a member of a VO, you have to submit a membership request to the VOMS (or VOMRS, the VO Membership Registration Service) server of that VO. An administrator of the VO will then accept or reject the request.
- Make sure your certificate is installed in your browser.
- Go to the VOMS or VOMRS server of the VO which you'd like to join:
  - For the VO ilc, go to https://grid-voms.desy.de:8443/voms/ilc/register/start.action
  - For the VO calice, go to https://grid-voms.desy.de:8443/voms/calice/register/start.action
- Submit a membership request and follow the instructions on the web page.
- Wait until you get a notification via e-mail. You may have to confirm your membership as a last step by following a "secret link" contained in that e-mail.
To renew your VO membership, go to your VO server with your certificate installed in the browser. Follow the link "Member Info" and click on "Re-sign the Grid and VO AUPs". You have to accept the Acceptable Use Policy (AUP), and that should be sufficient.
Creating a Proxy Certificate
A proxy certificate is a short-lived "working copy" of your Grid certificate: a freshly generated key pair with a certificate that is signed by your own private key. The proxy's private key is stored unencrypted (i.e. it has no passphrase), so that tools and jobs can use it without asking you. For security reasons it therefore has only a very limited lifetime (12 hours by default). If you run longer jobs (which would be aborted if their proxy certificate expired in the meantime), you can use a so-called MyProxy server to supply automatically renewed proxy certificates to your jobs.
A VOMS proxy proves your identity like a plain proxy, but additionally carries an attribute certificate issued by the VOMS server which states your VO membership (and any groups or roles), and that is what the Grid services use for authorisation. VOMS proxies are needed for the gLite 3 middleware (local and remote).
Create a VOMS proxy with voms-proxy-init, normally together with the --voms option naming your VO. You will be asked for the passphrase of your certificate:
voms-proxy-init --voms ilc
Note: whether this works depends on the version of openssl you used to create userkey.pem. Tested: OpenSSL 0.9.8e works fine; keys written by OpenSSL 1.0.0 caused problems because that version stores the encrypted key in the newer PKCS#8 format with newer encryption algorithms, which the middleware of the time could not read (as of March 2012).
You can inspect the contents of the proxy (including the remaining lifetime) with voms-proxy-info. Use the option --all to display the VOMS extension of the proxy as well.
The proxy can be deleted with voms-proxy-destroy, or simply by removing the proxy file.
You will need a valid proxy certificate for any operation which accesses a Grid resource!
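As an added example (not part of the original page), the following guard turns the rule that you need a valid proxy for every Grid operation into a check at the top of a job or data-management script. It inspects the proxy file with plain openssl, so it also shows what a proxy physically is: a short-lived certificate, its unencrypted key and the issuer chain, in one file that must be private. The proxy location $X509_USER_PROXY or /tmp/x509up_u<uid> follows the common convention; the one-hour default minimum lifetime and the VO environment variable are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the DESY/GridKa documentation: a guard for the
# top of a job-submission or data-management script. It checks the proxy file
# the way a service will see it: present, private, carrying an unencrypted
# key, and valid for long enough to finish the work. Assumptions: the proxy
# lives at $X509_USER_PROXY or /tmp/x509up_u<uid> (the usual convention), the
# default minimum lifetime of one hour is this script's own, and $VO names the
# VO for a renewal (ilc if unset).

proxy_file() {
    echo "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"
}

# proxy_subject file: DN of the proxy certificate, i.e. your own DN with an
# extra /CN=proxy or /CN=<number> component appended by the proxy tool.
proxy_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# proxy_ok [file] [min_seconds]: 0 if the proxy is usable, 1 with a reason on stderr.
proxy_ok() {
    proxy=${1:-$(proxy_file)}
    need=${2:-3600}
    [ -f "$proxy" ] || { echo "no proxy at $proxy; run voms-proxy-init --voms <vo>" >&2; return 1; }
    # the proxy's private key is stored unencrypted, so the file itself must be private
    case $(stat -c '%a' "$proxy" 2>/dev/null || stat -f '%Lp' "$proxy") in
        600|400) ;;
        *) echo "$proxy must be mode 600" >&2; return 1 ;;
    esac
    # a proxy file holds the proxy certificate, its plain private key and the chain
    grep -q 'PRIVATE KEY' "$proxy" || { echo "$proxy contains no private key" >&2; return 1; }
    if grep -q ENCRYPTED "$proxy"; then
        echo "$proxy holds a passphrase-protected key: this is a user key, not a proxy" >&2
        return 1
    fi
    # openssl x509 reads the first certificate in the file, i.e. the proxy itself,
    # which has the shortest lifetime of the whole chain
    openssl x509 -in "$proxy" -noout -checkend "$need" >/dev/null \
        || { echo "proxy $(proxy_subject "$proxy") expires within $need s" >&2; return 1; }
}

# ensure_proxy [file] [min_seconds]: create a fresh VOMS proxy when the check
# fails; requires voms-proxy-init on the PATH and asks for your passphrase.
ensure_proxy() {
    proxy_ok "$@" 2>/dev/null && return 0
    voms-proxy-init --voms "${VO:-ilc}" -out "${1:-$(proxy_file)}" || return 1
    proxy_ok "$@"
}

# Usage from a job script:  . ./proxy-guard.sh; ensure_proxy "" 7200 || exit 1
# Stand-alone:              sh proxy-guard.sh [proxyfile] [min_seconds]
if [ $# -gt 0 ]; then
    proxy_ok "$@" && echo "proxy OK: $(proxy_subject "${1:-$(proxy_file)}")"
fi
```

The minimum lifetime is the parameter worth thinking about: pass the expected running time of the job rather than the default, since a proxy that expires halfway through a data transfer fails the transfer just as surely as a missing one.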
Renewing Your Certificate After One Year
- Make sure your certificate is installed in your browser.
- Go to the GridKa-CA website and click on "Personal Certificates > Renewal". Fill in the form and follow the instructions under "Help".
- After that, the procedure is the same as for your first certificate.
- If your certificate has already expired, you have to get a completely new certificate; see above.
Other Usages of Your Certificate
You can use your certificate not only for Grid computing, but also for digital signatures and encryption of e-mail. Note however that other people must have the GridKa-CA Root Certificate installed in order to trust your certificate. (Certificates of many commercial top-level CAs are already included in most browsers and mail clients, but those of scientific services are usually not available by default.)