Setup User Certificate
This manual explains how to get, convert, install, activate and check a user certificate. Carry out the following steps on the computer on which you would like to use your personal certificate.
Get User Certificate
Get the user.p12 certificate from DFN-PKI, IHEP CA or GridKa-CA.
Convert User Certificate from .p12 to .pem
Choose one of the following two options; both achieve the same result:
Convert Certificate using Script
- Download p12-2-pem-en.sh (German-only alternative: p12-2-pem.sh)
- mkdir ~/.globus
- cp p12-2-pem-en.sh ~/.globus/
- cp user.p12 ~/.globus/
- cd ~/.globus/
- chmod +x p12-2-pem-en.sh
- ./p12-2-pem-en.sh user.p12
    Waehlen Sie deutsch oder englisch.......(de/en)...[de].> en
    ___________________________ ./p12-2-pem-en.sh ___________________________
    --- Converting certificates from .p12 to .pem/ ---
    -e Is it a host or user certificate?..............(h/u).[u] .>u
    Would you like the extension .crt or .pem? ........[pem] .>pem
    _______________________________________________________________________
    Inquiry about the browser export password
    Please enter the password for the key! ...................>
    Export certificate? ............................(y/n).[n].>y
    MAC verified OK
    Succesfully! --> user.pem
    Export private key? ............................(y/n).[n].>y
    _______________________________________________________________________
    Please assign a pem pass phrase of at least 12 characters, so your private key is protected effectually.
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    Successfully --> user.key
    Export CA-certificate? .........................(y/n).[n].>y
    MAC verified OK
    Successfully --> user.ca
    The following files where created in the directory /home/Tux/rieger/.globus:
    _______________________________________________________________________
    gridka-ca.pem - The root certificate of your CA
    usercert.pem - Your user-certificate
    userkey.pem - Your private key with 'PEM pass phrase'
    _______________________________________________________________________
    In the next step the orderly rights will be set on Your files as follow:
    -r--r--r-- 1 rieger ari 2082 2011-08-12 14:10 usercert.pem
    -r-------- 1 rieger ari 1914 2011-08-12 14:10 userkey.pem
    -r--r--r-- 1 rieger ari 1766 2011-08-12 14:10 gridka-ca.pem
    _______________________________________________________________________
    Now the certificates can be shown one by one. (Abort with Strg + c )
    Show user/host certificate? ....................(y/n).[n].>n
    Show private key? ..........................(y/n).[n].>n
    Show CA-certificate? .......................(y/n).[n].>n
    ________________________________ENDE___________________________________
Convert Certificates without Script
- mkdir ~/.globus
- cp user.p12 ~/.globus/
- cd ~/.globus/
- openssl pkcs12 -in user.p12 -clcerts -nokeys -out usercert.pem
    Enter Import Password:
    MAC verified OK
- chmod 644 usercert.pem
- openssl pkcs12 -in user.p12 -nocerts -out userkey.pem
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
- chmod 400 userkey.pem
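An added check, not part of the original manual or of the Globus Toolkit: a POSIX shell function that audits ~/.globus after either conversion method. It confirms the modes set above (400 on userkey.pem, 644 on usercert.pem) and that the key is stored with a pass phrase. It also assumes that the copied user.p12, which still contains the private key, should not be readable by group or others; the function names `perms` and `check_globus_dir` are chosen for this example.

```shell
# Added example: audit the files the conversion steps leave in ~/.globus.
# Uses only POSIX tools (ls, cut, grep); openssl is not required.

# perms FILE -> prints the 10-character mode string, e.g. "-r--------"
perms() { ls -ld "$1" | cut -c1-10; }

# check_globus_dir [DIR] -> status 0 if every check passes, 1 otherwise
check_globus_dir() {
    dir=${1:-$HOME/.globus}; bad=0
    key=$dir/userkey.pem; cert=$dir/usercert.pem

    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "MISSING  $f"; bad=1; }
    done

    if [ -f "$key" ]; then
        # Private key: no bits for group or others (the manual uses chmod 400).
        case $(perms "$key") in
            -r?-------) ;;
            *) echo "PERMS    $key is $(perms "$key"), expected -r--------"; bad=1 ;;
        esac
        # Key must be encrypted: PKCS#8 header or legacy PEM encryption header.
        grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key" ||
            { echo "PLAIN    $key is not protected by a pass phrase"; bad=1; }
    fi

    if [ -f "$cert" ]; then
        # Certificate: world-readable is fine, group/other write is not (chmod 644).
        case $(perms "$cert") in
            -r???-??-?) ;;
            *) echo "PERMS    $cert is $(perms "$cert"), expected -rw-r--r--"; bad=1 ;;
        esac
    fi

    # Assumption of this example: a leftover .p12 holds the key, so restrict it too.
    for p12 in "$dir"/*.p12; do
        [ -f "$p12" ] || continue
        case $(perms "$p12") in
            -???------) ;;
            *) echo "PERMS    $p12 is $(perms "$p12"), chmod 600 or remove it"; bad=1 ;;
        esac
    done
    return $bad
}
```

Source the file and run `check_globus_dir`; with no argument it inspects ~/.globus and prints one line per finding.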
Activate User Certificate
Choose one of the following two options; both achieve the same result:
Default
- grid-proxy-init (valid for 12 hours; use grid-proxy-init -valid 96:00 for 4 days)
    Your identity: /C=DE/O=GermanGrid/OU=ZAH/CN=Klaus Rieger
    Enter GRID pass phrase for this identity:
    Creating proxy .......................................... Done
    Your proxy is valid until: Sat Aug 13 00:20:00 2011
Troubleshooting
- grid-proxy-init -debug -verify (options for detailed output)
    User Cert File: /home/Tux/rieger/.globus/usercert.pem
    User Key File: /home/Tux/rieger/.globus/userkey.pem
    Trusted CA Cert Dir: /usr/local/grid-ca-certificates
    Output File: /tmp/x509up_u462
    Your identity: /C=DE/O=GermanGrid/OU=ZAH/CN=Klaus Rieger
    Enter GRID pass phrase for this identity:
    Creating proxy .....++++++++++++ ............++++++++++++ Done
    Proxy Verify OK
    Your proxy is valid until: Tue Jan 10 04:06:01 2012
Check User Certificate
- gsissh dgsi.zah.uni-heidelberg.de
  - first login only:
        /usr/bin/xauth: creating new authority file /home/agrid/agrid107/.Xauthority
- exit
- echo "TEST" > test.txt
- globus-url-copy file:/home/Tux/rieger/test.txt gsiftp://dgsi.zah.uni-heidelberg.de/~/test.txt
- gsissh dgsi.zah.uni-heidelberg.de (gsissh -v dgsi.zah.uni-heidelberg.de for additional output, gsissh -p 2222 dgsi.zah.uni-heidelberg.de to specify the port)
  - if not first login:
        Last login: Mon Jan 9 09:34:47 2012 from asterope.ari.uni-heidelberg.de
- ls
        test.txt
- exit
Back to Installation of Globus Toolkit 4.0.8 on Scientific Linux 5.5 running virtually within VMware on openSUSE 11.1 (master document)