Grid User Certificates¶
News¶
User certificates for grid usage are now available from HARICA CA
Overview¶
A grid user certificate works much like a passport: it is used to authenticate and authorize yourself when logging into services in the WLCG computing grid. Technically, a grid user certificate consists of two parts: the actual public certificate, which can be presented to computing services anywhere in the world, and a sensitive secret key, which has to be kept private and secured with a password. Only the holder of the secret key (plus its password) can prove to a service that they are the rightful owner of the public certificate. It is therefore critically important to keep the key secure with a good password and not to lose the file, as it is the only way to prove your identity.
For simplicity and easier handling, the public certificate and the secret key are bundled in one combined file, so that this combined certificate file can be securely stored on a user's machine.
An application can then be set up to use this certificate+key file for authentication or authorization at a service somewhere in the computing grid. The application sends the public certificate to the grid service, and the grid service checks whether it knows and trusts the alleged owner of the public certificate. The grid service then asks for a cryptographic proof, which only the rightful owner of the public certificate can generate with the corresponding secret key in their possession.
General steps in the process to gain a grid user certificate¶
The process to get a grid user certificate consists broadly of the following steps, which are explained in detail further below:
- go to the HARICA Certificate Authority (CA)
- login through the DESY IDP
- request a grid user certificate
- you have to enter a good password to secure the certificate+key
- the grid user certificate and the corresponding key are generated in your browser
- the certificate request is sent from your browser to the HARICA CA, which signs the certificate
- the secret key never leaves your browser; it is kept locally there until you download the bundle
- once the certificate has been successfully processed by the HARICA CA, the combined file containing both the certificate and the secret key has to be downloaded to your local machine
Detailed Walkthrough¶
LogIn¶
- use a browser to go to https://cm.harica.gr/
- there are two login options; choose the second one, the button reading "Academic Login"
- on the following page, search for "DESY" in the "Find Your Institution" search field and click on the link pointing to the DESY IDP
- you will be redirected to the DESY IDP
- on the DESY IDP web page, log in with your DESY username and password, followed by your DESY 2FA code
- after you have successfully authenticated with the DESY IDP, you will be redirected to the HARICA CA web page with a dashboard of all certificates you have received from HARICA
Requesting a new grid user certificate¶
After successful login, you can generate a new grid user certificate from your dashboard at HARICA
- select "IGTF Client Auth" in the left side menu field of the dashboard

Certificate Type Selection¶
- you will be presented a selection of different certificate types, choose "GEANT Personal Authentication" and follow "next" to the next step


Name Data Validation¶
- in the next step, please review whether the automatically filled-in data (your name and DESY username) are correct. If they are, tick the checkbox beneath and submit the request

Actual Certificate Generation¶
- in the following step, a new certificate is generated in your browser. To do so, click the "Generate Certificate" field at the top
- in the central menu, choose "RSA" as algorithm and "4096" as key size
- enter a password that is not in use anywhere else and has sufficient entropy
- the password is known only to you
- if you forget or lose the password, there is no way to retrieve or recover it
- after repeating the password for confirmation, tick the checkbox to confirm that you are aware the password cannot be recovered if you lose it
- after clicking "Enroll Certificate" it might take some time for the certificate to be generated and sent to HARICA for signing
- please be patient

Certificate Download¶
- after the certificate has been successfully generated and signed, you can download the file containing certificate and secret key in the following step
- the file can only be downloaded in this step, so please download the certificate immediately
- save the certificate and keep it secure
- if you lose the certificate file, it cannot be retrieved by other means
- the file will be of the .p12 type and have a name like usercert.p12

---
Certificate usage¶
After successfully generating a new grid user certificate, you can use it in different applications.
Depending on the application, it might be necessary to convert the .p12 file (as combination of the actual certificate plus the corresponding secret key) into another format.
Conversion into the .pem format¶
.pem is a widespread format in which the certificate and the secret key are kept in two different files. To convert the combined .p12 file into two .pem files, one for the certificate and one for the secret key, you need the openssl program (available on most Linux machines such as the workgroup servers).
Extraction of the certificate into the pem file format¶
To create a new file called usercert.pem from an input file called usercert.p12, run
> openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
You will be asked for the password of usercert.p12. The result is usercert.pem, which contains just the user certificate (-clcerts leaves out any CA certificates bundled in the .p12, -nokeys leaves out the secret key).
Extraction of the key into the pem file format¶
Similarly, to extract the secret key from a file usercert.p12 into a dedicated file userkey.pem, use
> openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
enter your password twice: first to unlock usercert.p12, then again as the "PEM pass phrase" that protects the secret key in userkey.pem (you may reuse the same strong password, but never leave the key unencrypted). Afterwards restrict the permissions of userkey.pem so that only you can read it; grid tools such as voms-proxy-init refuse to use a key file that is readable by other users.
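The two conversion steps above, plus the permission lock-down and a check that the extracted certificate and key really belong together, as an added shell example. This is not code from the DESY documentation, HARICA or openssl; it assumes an openssl binary on PATH, reads the .p12 password from an environment variable named P12PASS (openssl's env: password source, so the password never appears on the command line), and defaults to ~/.globus as output directory, the conventional location grid tools look for usercert.pem and userkey.pem. The function names p12_to_pem, check_pair, cert_subject and make_demo_p12 are this example's own; make_demo_p12 builds a constructed, self-signed throw-away bundle so the script can be run offline without a real HARICA certificate.

```shell
#!/bin/sh
# Added example, not part of the DESY page: convert usercert.p12 into usercert.pem + userkey.pem,
# lock down permissions and verify the pair. Password comes from $P12PASS (assumed name).
set -eu

# p12_to_pem <usercert.p12> [outdir]
# Writes <outdir>/usercert.pem and <outdir>/userkey.pem; outdir defaults to ~/.globus.
p12_to_pem() {
    p12="$1"
    outdir="${2:-$HOME/.globus}"
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    # certificate only: -clcerts drops bundled CA certificates, -nokeys drops the secret key
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12PASS \
        -out "$outdir/usercert.pem"
    # key only, re-encrypted under the same password (-passout). The subshell's umask makes
    # sure the key file is never created world-readable, not even for an instant.
    ( umask 077
      openssl pkcs12 -in "$p12" -nocerts -passin env:P12PASS -passout env:P12PASS \
          -out "$outdir/userkey.pem" )
    chmod 644 "$outdir/usercert.pem"   # the certificate is public
    chmod 400 "$outdir/userkey.pem"    # the key must be readable only by its owner
}

# check_pair <usercert.pem> <userkey.pem>
# Succeeds only if the public key inside the certificate equals the public key derived from
# the (still encrypted) secret key, i.e. the two files really belong together.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin env:P12PASS -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_subject <usercert.pem>: prints the subject DN, i.e. which identity the file carries
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# make_demo_p12 <dir>: constructed test material (a self-signed throw-away certificate, NOT a
# HARICA certificate) so the example runs offline. Real users skip this and use their download.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Grid User" \
        -keyout "$1/demo-key.pem" -out "$1/demo-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/demo-cert.pem" -inkey "$1/demo-key.pem" \
        -passout env:P12PASS -out "$1/usercert.p12"
    rm -f "$1/demo-key.pem"
}

if [ $# -eq 0 ]; then
    # no argument: offline demo with the constructed bundle
    : "${P12PASS:=demo-only-password}"; export P12PASS
    work=$(mktemp -d)
    make_demo_p12 "$work"
    p12_to_pem "$work/usercert.p12" "$work/globus"
    check_pair "$work/globus/usercert.pem" "$work/globus/userkey.pem" && echo "certificate and key match"
    cert_subject "$work/globus/usercert.pem"
    rm -rf "$work"
else
    # real use: P12PASS=... sh convert.sh ~/Downloads/usercert.p12 [outdir]
    p12_to_pem "$1" "${2:-$HOME/.globus}"
    check_pair "${2:-$HOME/.globus}/usercert.pem" "${2:-$HOME/.globus}/userkey.pem" && echo "certificate and key match"
fi
```

Run it without arguments to exercise the demo; with the path of your downloaded usercert.p12 as first argument it writes the real files into ~/.globus. If an OpenSSL 3 installation rejects a .p12 produced by another tool with an "unsupported algorithm" error, the bundle uses legacy PKCS#12 encryption and openssl pkcs12 needs the additional -legacy option to read it.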