Grid Links Author: L.S.Lowe. File: gridcerts. This update: 20111020. Part of Guide to the Local System.

Personal grid certificates

This documentation is for members of the Birmingham Particle Physics group. If you are applying for a new certificate, and not a renewal, then you need to be in Birmingham to apply using the steps which follow, because the Registration Authority has to see your ID in person (alternative documentation will probably be found on the Grid Support web site). Otherwise you should consider applying instead to the CERN certification authority.
  1. Use an eScience-supported browser, like Firefox, and not Chrome, Safari, Konqueror, Internet Explorer or Opera (see the up-to-date list and Safari info). If you have not done so already, set a browser Master Password for the Software Security Device. This is the browser's way of protecting your private key, and possibly other unrelated secrets, in its own internal files (in your $HOME/.mozilla filespace): without a Master Password those files are protected only by an empty password, so anyone who can read them can extract the key. You will need the Master Password subsequently at most once per day, maybe less often, when the browser requests it, so make it memorable. In Firefox use Edit > Preferences > Security and tick Use a master password. If it is already ticked, leave it as it is.

  2. Now get the UK grid Certification Authority's own certificates into your browser using:
    Get eScience Root certificate and then
    Get eScience 2 certificate for certificates before 2011-10-01, or
    Get eScience 2B certificate for certificates after 2011-10-01.
    The browser should ask you to confirm you trust these certificates. Tick all the Trust boxes you are asked about.

  3. Then click on Apply for or Renew a certificate. This page has a Certificates tab with a line of useful actions arranged like tabs near the top of that page: Request a Certificate, Renew a Valid Certificate, etc..
    • If you already have a certificate and have received an email with subject Your e-Science Certificate is due to expire and want to renew it, then select Renew a Valid Certificate, or simply follow the link in that email instead.
    • For a new application, select Request a Certificate, and User Certificate on that page, and then fill in the fields for
      • full name: if you have multiple surnames then make the surnames the same as on the ID you will use,
      • email address: use one that will remain valid throughout the life of this certificate,
      • Registration Authority: if you are in Birmingham, you can choose Birmingham Particle Physics as the Registration Authority (RA). If you are elsewhere in the UK, then choose an appropriate one. Wherever you choose, you will need to present an ID to that RA to prove who you are, in a form that is recognised by that RA. A local ID card, or a passport, should be equally acceptable.
      • the PIN you choose is just to prove to the RA, when you visit them, that you are the person who filled in this form, so keep it simple!
      • and then click Continue.
    • Leave the certificate strength as High Grade, and click Continue.
    • If you've set up a browser Master Password, as recommended (see step 1), then the browser may now ask you to give the one you've previously set-up.
    • Making an application does several things: it generates a key pair whose private key is kept inside your browser (only the public part and your details are sent to the CA, which is why the signed certificate later has to be loaded into this same browser), and it causes emails to be sent to yourself and to the Registration Authority (RA) personnel.

    • Your certificate request will need to be Approved by the RA. For Birmingham PP this is Lawrie Lowe or Peter Faulkner. For a new certificate you will need to visit Lawrie Lowe in person. Bring your photo ID with you: either your university ID card, or your passport. That will then be photocopied onto the middle of an A4 sheet of paper. This ID record will then be kept for as long as you have a current (unexpired) certificate, plus 3 years after that.

  4. When you receive a new email from the UK-eScience-CA grid-support, with subject UK eScience CA - New Issued Certificate, telling you your signed certificate is ready to download, use the link in that email in the same browser and profile you used to apply for the certificate: that is where the private key lives, and the signed certificate is useless in a browser that does not hold the matching key. Note that when you do the import, the browser does not necessarily inform you that it's done, though nowadays for a new certificate you should get the alert "Your personal certificate has been installed. You should keep a backup copy of this certificate."

  5. In the future you may also receive such an email unsolicited some weeks before your existing certificate expires, because the UK eScience CA may at some point replace expiring certificates by simply rekeying your certificate rather than by going through the approval process again. As above, follow the link provided in the email, and then proceed as below.

  6. Check your browser certificate works at the Grid-Support Test Certificate web page. If this says (amongst other things) Client Authentication: SUCCESS then you have a valid certificate. If you get an Alert error message (for example, "host has received an incorrect or unexpected message") then your certificate is not (yet) correctly installed.

  7. You can see the certificate as it exists in the browser, as follows:
    • in Mozilla, use Edit > Preferences > Privacy and Security > Certificates > Manage Certificates.
    • in Firefox, use Edit > Preferences > Advanced > Encryption > View Certificates.
    Then choose User Certificates and a list of the current and expired user certificates that this browser knows about should be displayed.

  8. Export (back-up) that certificate in P12 format to a disk file in a directory on permanent disk. So choose the user certificate you want and do the export/backup. A reasonable directory to put this backup file into is a $HOME/.globus directory, though this is not obligatory and entirely up to you. The P12 file contains your private key, so keep it somewhere only you can read (chmod 600 is sensible) and choose a strong password for it. Remember the password you use to protect that P12 file. You will subsequently type in this P12 password perhaps twice per year.

  9. Use the userP12toPEM command (a local script) to convert an exported P12 certificate to grid (PEM) format, the usual usercert.pem and userkey.pem pair in $HOME/.globus. You will need to provide the above P12 password (twice), and then you will need to provide a passphrase to protect the PEM key file. You will subsequently type in this passphrase once a day, every day you use the Grid.

  10. Note there is also a userPEMtoP12 command, if your browser has lost its certificate but you still have your PEM files in your $HOME/.globus directory.
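    As an added example, not the group's own userP12toPEM and userPEMtoP12 scripts, here are the same two conversions written with plain openssl(1), together with the checks worth running on the result before step 11: the file modes the Globus tools require, the DN your VO will know you by, time left to expiry, and that the certificate chains to the CA certificates from step 2. The file names usercert.pem and userkey.pem, the environment variables P12_PASS and GRID_PASS, and the CA bundle file passed to verify_against_ca are assumptions made for this example, not something the page specifies.

```shell
#!/bin/sh
# Added example (not the group's userP12toPEM/userPEMtoP12 scripts): the same
# conversions done with plain openssl(1), plus the checks worth running before
# grid-proxy-init. Assumptions: output names usercert.pem/userkey.pem, and
# passwords supplied in the environment (P12_PASS for the browser-exported
# P12, GRID_PASS for the PEM key) so they never appear on a command line.
set -eu

# Browser-exported PKCS#12 bundle -> usercert.pem + userkey.pem in $dir.
p12_to_pem() {
    p12="$1"; dir="${2:-$HOME/.globus}"
    mkdir -p "$dir"
    chmod go-rx "$dir"                       # as in the replication step
    (
        umask 077                            # key never world-readable, even briefly
        # Certificate only; -clcerts drops any CA certs bundled in the P12.
        openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
            -out "$dir/usercert.pem"
        # Private key, re-encrypted under the grid passphrase (-passout).
        openssl pkcs12 -in "$p12" -nocerts -passin env:P12_PASS \
            -passout env:GRID_PASS -out "$dir/userkey.pem"
    )
    chmod 444 "$dir/usercert.pem"            # modes the Globus tools insist on
    chmod 400 "$dir/userkey.pem"
}

# The reverse: rebuild a P12 from the PEM pair for re-import into a browser.
pem_to_p12() {
    dir="${1:-$HOME/.globus}"; out="${2:-$dir/usercert.p12}"
    (
        umask 077
        openssl pkcs12 -export -in "$dir/usercert.pem" -inkey "$dir/userkey.pem" \
            -name "grid certificate" -passin env:GRID_PASS -passout env:P12_PASS \
            -out "$out"
    )
}

# True if the key file has the 0400 mode grid-proxy-init requires.
check_globus_perms() {
    dir="${1:-$HOME/.globus}"
    [ "$(ls -l "$dir/userkey.pem" | cut -c1-10)" = "-r--------" ]
}

# Print the certificate DN (the value your VO knows you by).
cert_subject() {
    openssl x509 -in "${1:-$HOME/.globus}/usercert.pem" -noout -subject
}

# True if the certificate expires within $2 seconds (default 30 days):
# time to expect the renewal email.
cert_expires_within() {
    ! openssl x509 -in "${1:-$HOME/.globus}/usercert.pem" -noout \
        -checkend "${2:-2592000}" >/dev/null
}

# True if usercert.pem chains to the CA certs in $2 (assumed: a file holding
# the eScience Root and eScience 2/2B certificates concatenated in PEM form).
verify_against_ca() {
    openssl verify -CAfile "$2" "${1:-$HOME/.globus}/usercert.pem" >/dev/null
}
```

    Set P12_PASS and GRID_PASS in the environment first (for example with read -r, or from a file only you can read), then run p12_to_pem on the exported file and check_globus_perms before trying grid-proxy-init. Reading the passwords with openssl's env: source rather than pass: keeps them out of ps listings and shell history.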

  11. Checking your grid certificate works (grid-proxy-init asks for the PEM passphrase and creates a short-lived proxy certificate from your key):

    source lcguisetup;   grid-proxy-init

  12. Having established your Authentication in the form of a valid certificate, you will need to establish your Authorisation to use Grid facilities. So make yourself known to your Virtual Organisation (VO). For example, you can register yourself for the first time with the VO for ALICE or ATLAS. This is a two phase process. After Registration Phase I, wait for the email from your VO (up to 24 hours), and then perform Registration Phase II. Wait for the VO confirmation email (up to several days).

    If you've registered with them before, with your previous certificate, then they will know your certificate details (DN) anyway, so there's no need to contact them simply because you've got an updated certificate with a new expiry date. However, the VO may contact you independently anyway, every year, with an email saying Your VO membership will expire. If you are still a valid member of that VO, simply follow the link in that email to renew your membership. It does not matter if the certificate in your browser is old or new for this purpose: so long as it's still valid, either will do. It's a source of confusion that certificate renewal and VO membership renewal often come up at the same time of year, but really they are unrelated events.

  13. Checking your grid certificate works with your VO:

    source lcguisetup;   voms-proxy-init   -voms myVO

  14. Replicating your $HOME/.globus information to another host (eg at CERN): you can do this very simply, using scp. We'll assume that the information is up-to-date at Birmingham and that there may (or may not) be old certs already on the other host. Just do the following commands when logged on to the system that has not yet got up-to-date information (eg lxplus.cern.ch):
        lxplus$ cd
                mkdir -p .globus
                chmod go-rx .globus
                rename user olduser .globus/user*pem   # util-linux rename: keeps any existing certs as olduser*.pem
                scp -p mybhamid@eprexb.ph.bham.ac.uk:.globus/*.pem  .globus/   # -p preserves the 444/400 file modes
        
    That does the certificate copy. If you want to test the certificates you've just copied, use grid-proxy-init and voms-proxy-init. If these commands aren't already accessible in your environment, then the equivalent of our source lcguisetup on the lxplus system is this:
        source /afs/cern.ch/project/gd/LCG-share/current/etc/profile.d/grid_env.sh
        
    The above copy method replaces my previous suggestion (which could copy unwanted files in .globus too):
        lxplus$ cd; mv .globus .globus.old    # if it exists already
        lxplus$ scp -pr mybhamid@eprexb.ph.bham.ac.uk:.globus  $HOME
        
  15. Other issues, see the Grid Links page.

L.S.Lowe