eScience Registration Authority

Birmingham Particle-Physics eScience Registration Authority

We can handle local requests for e-Science digital certificates, both personal certificates and server certificates. (This is not to be confused with the Janet Certificate Service, which can provide certificates for servers outside e-Science.)

You can apply for an e-Science digital certificate and use our Registration Authority as your selected RA if all the following are true:

  • you are eligible for an e-Science digital certificate under their terms: see their web site. In brief, you need to be involved in an e-Science-related project.

  • you have been informed that you need a digital certificate issued by the UK e-Science Certification Authority. This authority is a member of EuGrid and IGTF.

  • you are a current member of the University of Birmingham with a valid university photo ID card,

  • you are currently in Birmingham and can attend a short face-to-face meeting, bringing your ID card.

If one or more of the above requirements is not true, then you should consider applying instead to another authority: for example, the CERN Certification Authority if you are at CERN.

Please note that getting a digital certificate does not, on its own, entitle you to do anything. So do not request one unless you have been told you need one. A digital certificate merely establishes your authentication or identity: authorisation to use any particular facility is a separate step. Facilities outside the e-Science community are unlikely to accept certificates issued by the e-Science certification authorities, as these are not (currently) in the well-known root authorities lists.

Tips for Personal digital certificates

  1. Use an eScience-supported browser, like Firefox. If you have not done so already, you should set a browser Master Password for the Software Security Device. This is the browser's way of keeping your certificate and possibly other unrelated information more secure in its own internal files (in your $HOME/.mozilla filespace). You will need the browser Master Password subsequently at most once per day, maybe less often, when the browser requests it, so make it memorable. In Firefox use Edit > Preferences > Advanced > Security > and tick Use a master password. If it's already ticked, then leave it as it is.

  2. Get the UK e-Science Certification Authority's own certificates into your browser using:
    Get eScience Root certificate and then
    Get eScience 2 certificate for certificates before 2011-10-01, or
    Get eScience 2B certificate for certificates after 2011-10-01.
    The browser should ask you to confirm you trust these certificates. Tick all the Trust boxes you are asked about.

  3. Then Apply for or Renew a certificate. Select Request a Certificate or Renew a Valid Certificate as appropriate. Choose User Certificate on the next page. Fill in the fields for
    • full name: if you have multiple surnames then make the surnames the same as on the ID you will use,
    • email address: use one that will remain valid throughout the life of this certificate,
    • Registration Authority: if you are in Birmingham, you can choose Birmingham Particle Physics as the Registration Authority (RA). If you are elsewhere in the UK, then choose an appropriate one. Wherever you choose, you will need to present an ID to that RA to prove who you are, in a form that is recognised by that RA, such as a local ID card.
    • the PIN you choose is just to prove to the RA when you visit him that you are the person who filled in this form, so keep it simple!
    • and then click Continue.
    • Leave the certificate strength as High Grade, and click Continue.
    • If this is the first time you've used this browser to keep personal data, then you will now be prompted to provide a browser Master Password for the Software Security Device. This is the browser's way of keeping your certificate and possibly other unrelated information more secure in its own internal files (in your $HOME/.mozilla filespace). You will need the browser Master Password subsequently at most once per day, maybe much less often, when the browser requests it, so make it memorable.
    • If, on the other hand, you've used a browser Master Password before, then the browser will instead simply ask you to give the one you've previously set up.

    • Making an application does several things: it generates a key which is kept inside your browser, and it causes emails to be sent to yourself and to the Registration Authority (RA) personnel.

    • Your certificate request will need to be Approved by the RA. For Birmingham PP this is Lawrence Lowe or Peter Faulkner. For a new certificate you will need to visit Lawrence Lowe in person. Bring your photo ID with you: preferably your university ID card. If the photo on the ID card is not clear, you should bring your passport or driving licence as well. That will then be photocopied onto the middle of an A4 sheet of paper. This ID record will then be kept for as long as you have a current (unexpired) certificate, plus 3 years after that.

    • For our location, see this travel page.

  4. When you receive a new email from the UK-eScience-CA grid-support, telling you your signed certificate is ready to download, use the link in that email in your normal browser (whichever you used to apply for the certificate) to load your signed certificate from the CA web-site. Note that when you do the import, the browser does not necessarily inform you that it's done, though nowadays for a new certificate you should get the alert "Your personal certificate has been installed. You should keep a backup copy of this certificate."

  5. In the future you may also receive such an email unsolicited some weeks before your existing certificate expires, because expiring certificates for UK eScience may sometime in the future be replaced by simply rekeying your public certificate rather than by going through the approval process again. As above, follow the provided link in the email, and then proceed as below.

  6. Check your browser certificate works at the Grid-Support Test Certificate web page. If this says (amongst other things) Client Authentication: SUCCESS then all is well. If you get an Alert error message (for example, "host has received an incorrect or unexpected message") then your certificate is not (yet) correctly installed.

  7. You can see how the certificate exists in the browser, as follows:
    • in Mozilla, use Edit > Preferences > Privacy and Security > Certificates > Manage Certificates.
    • in Firefox 1.0, use Edit > Preferences > Advanced > Certificates > Manage Certificates.
    • in Firefox 1.5, use Edit > Preferences > Advanced > Security > View Certificates.
    • in Firefox 2 - 9 onwards, use Edit > Preferences > Advanced > Encryption > View Certificates.
    Then choose User Certificates and a list of the current and expired user certificates that this browser knows about should be displayed.

  8. Export (back-up) that certificate in P12 format to a disk file in a directory on permanent disk. So choose the user certificate you want and do the export/backup. Remember the password you use to protect that P12 file. You will subsequently type in this P12 password perhaps twice per year.

  9. If you are a Grid user, you will have to convert that exported certificate to PEM format. For PP group users, there is a command script to make this easy, documented on this internal web page and here too. For others, here's that userP12toPEM command. Alternatively see grid-support documentation somewhere on this Grid Support web site.
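
The conversion in step 9 can be done with the openssl command line. The following is an added example, not the userP12toPEM script referred to above. The output names usercert.pem and userkey.pem, the default directory $HOME/.globus, and the variables P12_PASS and PEM_PASS are assumptions of this example.

```shell
#!/bin/sh
# Added example: split a browser-exported PKCS#12 backup into a PEM pair.
# Assumptions: output names usercert.pem/userkey.pem, default directory
# $HOME/.globus, and the hypothetical variables P12_PASS / PEM_PASS for
# non-interactive use (when unset, openssl prompts on the terminal).

p12_to_pem() (
    p12=$1
    outdir=${2:-$HOME/.globus}
    key=$outdir/userkey.pem.new
    crt=$outdir/usercert.pem.new
    fail() { rm -f "$key" "$crt"; echo "p12_to_pem: $1" >&2; exit 1; }

    [ -r "$p12" ] || fail "cannot read $p12"
    in_arg=; out_arg=; key_arg=
    if [ -n "${P12_PASS:-}" ]; then in_arg="-passin env:P12_PASS"; fi
    if [ -n "${PEM_PASS:-}" ]; then
        out_arg="-passout env:PEM_PASS"; key_arg="-passin env:PEM_PASS"
    fi

    umask 077    # subshell-local: files below are created owner-only
    mkdir -p "$outdir" || fail "cannot create $outdir"

    # Private key only, re-encrypted under the PEM pass phrase.
    openssl pkcs12 -in "$p12" -nocerts $in_arg $out_arg -out "$key" \
        || fail "key extraction failed (wrong P12 password?)"
    # User certificate only: no CA chain, no key material.
    openssl pkcs12 -in "$p12" -clcerts -nokeys $in_arg -out "$crt" \
        || fail "certificate extraction failed"

    # Refuse to install a pair whose public keys differ.
    a=$(openssl x509 -in "$crt" -noout -pubkey) || fail "unreadable certificate"
    b=$(openssl pkey -in "$key" -pubout $key_arg) || fail "unreadable key"
    [ -n "$a" ] && [ "$a" = "$b" ] || fail "certificate and key do not match"

    chmod 400 "$key" && chmod 644 "$crt" || fail "chmod failed"
    mv -f "$key" "$outdir/userkey.pem" && mv -f "$crt" "$outdir/usercert.pem"
)

# Run the conversion only when a P12 file is given on the command line.
if [ $# -ge 1 ]; then p12_to_pem "$@"; fi
```

P12 files exported by older browsers may use ciphers that OpenSSL 3.x reads only when `-legacy` is added to both `pkcs12` calls.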

L.S.Lowe