Personal certificates

Access to computing grid resources requires a IGTF client certificate.

The HARICA portal allows people working in higher education and research to obtain such a certificate.

• If you have an email address in a domain affiliated with the CNRS (as cnrs.fr, in2p3.fr, etc.), log in using the “Academic Login” option, then select the institution “CNRS - Units staff”. Next, follow the steps to request an “IGTF Client Auth” certificate.

• If you do not have an email address in a CNRS-affiliated domain, contact your supervising organization to find out the name of the institution to use for the authentication phase. Next, follow the steps to request an “IGTF Client Auth” certificate.

Convert a certificate

Conversion from PKCS12 to PEM

To get the private key in the file ~user/.globus/userkey.pem:

% openssl pkcs12 -nocerts -in cert.p12 -out ~user/.globus/userkey.pem

To get the certificate in the file ~user/.globus/usercert.pem:

% openssl pkcs12 -clcerts  -nokeys -in cert.p12 -out ~user/.globus/usercert.pem

Note

By convention, when authenticating to a computing grid, the command that generates the grid certificate looks for the private key in the ~user/.globus/ directory.

Check (and change) file modes:

% chmod 0600 userkey.pem

% chmod 0644 usercert.pem

Use te openssl command to read the content of a certificate:

% openssl x509 -text -noout -in usercert.pem

Conversion from PEM to PKCS12

If the certificate can be found in usercert.pem and if the private key can be found in userkey.pem, it is possible to generate a PKCS13 file named certif.p12 from these two files using the following command:

% openssl pkcs12 -export -out certif.p12 -inkey userkey.pem -in usercert.pem