What Is a Grid Certificate?

A Grid certificate is something like a digital identity card for the Grid world – with a Grid certificate, you can prove who you are (authentication). It is issued and digitally signed by a so-called Certification Authority (CA), which guarantees that the bearer of the certificate is really you. To get a Grid certificate, you first have to submit a certificate request. The request is then digitally signed by the Certification Authority and thereby becomes a valid, trusted certificate.

Technically speaking, a Grid certificate is an X.509-style certificate built on an RSA key pair: a public key, which is embedded in the certificate, and a corresponding private key. The certificate itself can be made public, but the private key must be kept secret! There should be exactly one certificate per human being: no user should own more than one certificate, and no certificate should be used by more than one person.

Getting a Grid Certificate

Paperwork at DESY

Electronic certificate request

Final steps (First request and renewal)

Additional Help

This documentation and also a FAQ section can be found at the official DESY Grid Computing web page.

Exporting the Certificate from Your Browser

Certificates in Your Browser – Important Remark

You should make sure that your web browser only sends your certificate to a web site after you have explicitly acknowledged this. (Heise tells you why.) In Firefox you have to set the option “Edit > Preferences > Advanced > Security > Certificates: When a web site requires a certificate:” to “Ask me every time”.

To check your browser settings, visit a web site which requests user identification. You should see a confirmation dialogue before your certificate is sent to the remote host. You’ll see your name on the web page only if you agree to identify yourself with a certificate.

In case you don't have your .p12 certificate anymore, you can regenerate it from the key and certificate files:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12
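Rebuilding the .p12 and checking the result, as an added example that is not from the DESY page: it assumes a POSIX shell with openssl on the PATH, uses a constructed self-signed key pair as a stand-in for the CA-issued usercert.pem/userkey.pem, and verifies that the exported bundle opens only with its passphrase and carries the same certificate as usercert.pem.

```shell
#!/bin/sh
# Added example, not part of the DESY page. It rebuilds usercert.p12 from
# usercert.pem and userkey.pem with the command shown above and then checks the
# result. The key pair and certificate are CONSTRUCTED here as a self-signed
# stand-in for a CA-signed Grid certificate; with real files skip make_test_identity.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in identity: RSA key pair plus a self-signed certificate.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=org/DC=example/O=Constructed/CN=Example User" \
        -keyout "$WORK/userkey.pem" -out "$WORK/usercert.pem" >/dev/null 2>&1
    chmod 600 "$WORK/userkey.pem"   # the private key must stay secret
}

# Returns 0 only if the private key is unreadable by group and others.
key_is_private() {
    perms=$(stat -c %a "$WORK/userkey.pem" 2>/dev/null || stat -f %Lp "$WORK/userkey.pem")
    case "$perms" in 600|400) return 0 ;; *) return 1 ;; esac
}

# The page's command: bundle certificate and key into a passphrase-protected PKCS#12 file.
export_p12() {
    openssl pkcs12 -export -in "$WORK/usercert.pem" -inkey "$WORK/userkey.pem" \
        -out "$WORK/usercert.p12" -passout "pass:$1"
}

# Prints "ok" if the .p12 opens with the given passphrase and contains the same
# certificate as usercert.pem (SHA-256 fingerprints match), otherwise "mismatch".
verify_p12() {
    want=$(openssl x509 -in "$WORK/usercert.pem" -noout -fingerprint -sha256)
    got=$(openssl pkcs12 -in "$WORK/usercert.p12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
    if [ "$want" = "$got" ]; then echo ok; else echo mismatch; fi
}

# Stand-alone run: build the constructed identity, export, verify, and show
# that a wrong passphrase does not unlock the bundle.
make_test_identity
key_is_private || { echo "userkey.pem is readable by others" >&2; exit 1; }
export_p12 "constructed-passphrase"
echo "correct passphrase: $(verify_p12 constructed-passphrase)"
echo "wrong passphrase:   $(verify_p12 not-the-passphrase)"
```

The same checks apply to a real usercert.p12: a fingerprint mismatch or a bundle that opens without the expected passphrase means the file is not the one you think it is.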

Becoming a Member of a Virtual Organisation

A Virtual Organisation (VO) is a user group in the Grid world. As a member of a VO, you are granted access to the Grid resources which are available for that VO (authorisation). Membership in a VO is managed by the so-called VOMS service. To become a member of a VO, you have to submit a membership request to the VOMS (or VOMRS) server. An administrator of the VO will then accept or reject the request.

To renew your VO membership, go to your VO server. Make sure your certificate is installed in your browser. Follow the link "Member Info" and click on "Re-sign the Grid and VO AUPs". You have to accept the Acceptable Use Policies (AUPs), and that should be sufficient.

Creating a Proxy Certificate

A proxy certificate is a “working copy” of your Grid certificate which is unprotected (i.e. it has no passphrase). For security reasons, it has only a very limited lifetime (12 hours by default). If you run longer jobs (which would be aborted if their proxy certificate expired in the meantime), you can use a so-called MyProxy server to supply automatically renewed proxy certificates for your jobs.

VOMS proxies also assert your identity, but in addition they carry information about your VO membership, which Grid resources use for authorisation. VOMS proxies are needed for the gLite 3 middleware (local and remote).

You will need a valid proxy certificate for any operation which accesses a Grid resource!

Renewing Your Certificate After One Year

Other Usages of Your Certificate

You can use your certificate not only for Grid computing, but also for digital signatures and encryption of e-mail. Note, however, that other people must have the GridKa-CA Root Certificate installed in order to trust your certificate. (Certificates of many commercial top-level CAs are already included in most browsers and mail clients, but those of scientific services are usually not available by default.)

See Also

