Using the Grid/Browser certificates

From BiGGrid Wiki
Revision as of 12:26, 28 June 2011 by Machiel.Jansen
This page has been marked as Todo, which means it needs serious work.

Browser installed certificate

For some Grid services, like registering for a Virtual Organization (VO), you will need to install your Grid Certificate in your browser. This enables you to authenticate yourself when visiting certain services with your browser.

This page explains how to do this.

Using JGridstart

The easiest way to do this is by making use of JGridstart. If you use it, you can skip the rest of these steps.

Manual steps

You can import a certificate into your browser when it is in the correct format: PKCS12. You will need your certificate (the public part) and your private key: usercert.pem and userkey.pem. The key file has been generated by the during your application; the cert file is your certificate, which was mailed to you afterwards and which you can retrieve from the web pages at any time.

Using openssl tools you can convert these files into the pkcs12 format.

Locate and convert

If you've installed these on the user interface, you can find them in the .globus directory.

You can convert your certificate to a browser-readable PKCS#12 structure with the following openssl command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out browsercert.p12

See also Browser export

You will have to type three passphrases:

  1. to decrypt your private key that is stored in the PEM file
  2. to re-encrypt your private data in the PKCS#12 file (export password)
  3. and again the same export password to make sure you did not make any typing mistakes

Note that you may have to copy this file to a place where you can see it from your browser.
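
The conversion above wrapped in checks, as an added example that is not part of the original wiki page: it confirms that usercert.pem and userkey.pem belong together before exporting, writes the PKCS#12 file with owner-only permissions, and reads it back with the export password. The function names and the environment variables KEY_PASS and EXPORT_PASS are assumptions of this example; the passphrases are taken from the environment instead of being typed at the three prompts.

```shell
#!/bin/sh
# Added example, not from the wiki page. KEY_PASS and EXPORT_PASS are
# hypothetical environment variable names holding the two passphrases;
# set them from a prompt (stty -echo; read ...), not on the command line.

# Succeed only if the certificate and the private key share one public key.
pair_matches() {   # usage: pair_matches usercert.pem userkey.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Convert to PKCS#12 as on the page, with checks before and after.
export_p12() {     # usage: export_p12 usercert.pem userkey.pem browsercert.p12
    # An empty export password would leave the private key unprotected.
    [ -n "${EXPORT_PASS:-}" ] || { echo "EXPORT_PASS is empty" >&2; return 1; }
    pair_matches "$1" "$2" || { echo "certificate/key mismatch" >&2; return 1; }
    (
        umask 077   # the .p12 holds the private key: readable by owner only
        openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
            -passin env:KEY_PASS -passout env:EXPORT_PASS
    ) || return 1
    # Read the file back with the export password to confirm it decrypts.
    openssl pkcs12 -in "$3" -passin env:EXPORT_PASS -noout
}
```

Once the import into the browser has succeeded, delete the .p12 file or keep it only on storage you control, since it contains your private key.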


Import in Firefox

Open your browser window. If you are using Firefox on Windows, go to the "Extra" menu and select "Options". On Unix, go to the "Edit" menu and select "Preferences".


In the Options dialog, select the "Advanced" section, and the "Encryption" tab. Then click on the "View Certificates" button.


In the Certificate Manager, which now opens in a new window, select the "Your certificates" tab. Now you can click on the "Import" button to import your key and certificate in PKCS#12 format into your browser. If you use the certificate manager for the first time, you will have to initialise this "software security device" by providing a strong passphrase (twice, to prevent typos). A quality meter will show you how good the passphrase actually is. Never leave this password empty.


Internet Explorer

For MS Internet Explorer 5 and higher, select "Internet Options" from the "Tools" menu. In the Internet Options dialog, go to the "Content" tab and click on the Certificates button.


In the Certificates window, click on the Import button to start the certificate import wizard.


The wizard will ask you for a filename (you need the Personal Information Exchange format, with the pfx or p12 extensions). Select the file and click "Next" to give the decryption passphrase for your PKCS#12 file (which you entered in step 2).

Important: you must check the "Enable strong private key protection" box, or everyone who happens to sneak behind your PC can use the grid under your name without even having to guess a password. If you leave the box unchecked, you have severely compromised your credential.

You may mark the key as exportable. Enable strong private key protection.


The certificate should be put in the "Personal" certificate store, but usually the import wizard will make the correct decision. Just click "Next" to continue, and then "Finish" to complete the process.


Opera 9.5 on OSX

You can convert your certificate to an Opera-readable PKCS#12 structure (with DES encryption) with the following openssl command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -descert -out browsercert.p12

(The difference from the above method for Firefox and Internet Explorer is the option '-descert', which generates a DES encrypted certificate.)

You will have to type three passphrases:

  1. to decrypt your private key that is stored in the PEM file
  2. to re-encrypt your private data in the PKCS#12 file (export password)
  3. and again the same export password to make sure you did not make any typing mistakes

Note that you may have to copy this file to a place where you can see it from your browser. Now do the following:

  1. Start Opera
  2. Go to the Tools menu and select "Preferences -> security -> manage certificates"
  3. Choose the Personal tab
  4. Click on Import to start the Import wizard and follow the instructions. The certificate should go into the "Personal" certificate store.