Certificate installation - PADME-Experiment/padme-fw GitHub Wiki

Installing your certificate for Grid access

A new certificate is usually stored in a PKCS 12 (.p12) file.

If you obtained your certificate through a web-based procedure, it may have been either saved in PKCS 12 format (.p12) to your default Download directory on your local node or stored inside the browser you used for the operation. In the second case, it must be exported to a PKCS 12 (.p12) file. The procedure for this varies with the browser in use:

from Firefox:

Preferences β†’ Privacy & Security β†’ View Certificates β†’ Your Certificates β†’ (Select your personal certificate) β†’ Backup

from Chrome:

Preferences β†’ Privacy and Security β†’ Security β†’ Manage device certificates β†’ (Select your personal certificate) β†’ Export

During the export procedure you will be asked to provide a password to protect the generated file.

Once you have obtained the .p12 file, you can copy it to the machine where you want to use it. For this you may want to use, e.g., scp, WinSCP, ...

On the destination node, the certificate file must be converted to .pem format and installed to the ~/.globus directory inside your home directory. If the ~/.globus directory does not exist you must create it.

You can now use OpenSSL to convert your certificate and its private key to .pem format. In the process you will be asked for the password that you assigned to the .p12 file, and you will have to provide a β€œPEM pass phrase” to protect your private key. You will need to enter this same pass phrase everytime you run voms-proxy-init or similar commands, so don’t forget it.

The newly created usercert.pem and userkey.pem files must have access permission 600 and 400 respectively.

Assuming that the .p12 certificate file is located in your home directory and is called certs.p12, the commands to convert it to .pem and install it to ~/.globus are:

$ cd $HOME
$ mkdir .globus
$ cd .globus
$ openssl pkcs12 -clcerts -nokeys  -in $HOME/certs.p12 -out usercert.pem
$ openssl pkcs12          -nocerts -in $HOME/certs.p12 -out userkey.pem
$ chmod 600 usercert.pem
$ chmod 400 userkey.pem

Your certificate is now ready.