
Converting a PKCS#12 certificate (from your browser) to PEM format:

  • Save the key/certificate from your browser into a file (I'll use the name mycert.p12 here). You will be asked for a passphrase when the new file is created, since the private key part should always be secured via encryption. Usually browsers save this file in the PKCS#12 format and the file contains both the certificate and the matching private key.

For the following steps you need to have the openssl utility available. It is standard on all current Linux installations.

  • Extract the user certificate from the PKCS#12 file into the file usercert.pem (you will need to enter your passphrase):
$> openssl pkcs12 -clcerts -nokeys -out usercert.pem -in mycert.p12 

  • Extract the user private key from the key/cert file into userkey.pem. You will need to enter your passphrase again. Since the key is now stored in a new format but should still remain protected, you are then asked for yet another passphrase for the new file (I always use the same passphrase for all these steps):
$> openssl pkcs12 -nocerts -out userkey.pem -in mycert.p12 

  • Make sure that the key file can only be read by you!!!!!! The certificate file must be readable by all, but writable only by you:
$> chmod og-rw userkey.pem
$> chmod og-w usercert.pem

  • Copy both files into the ~/.globus/ directory on your user interface machine (e.g. onto lxplus or our UI at CSCS, if you have access to it). Make sure that both files have the correct permissions!!!
$> ls -l ~/.globus/usercert.pem ~/.globus/userkey.pem
-rw-r--r--    1 myuser   grp     1700 Jul 31  2006 /home/myuser/.globus/usercert.pem
-rw-------    1 myuser   grp     1750 Jul 31  2006 /home/myuser/.globus/userkey.pem

Test the certificate:

Once these files are in the correct location with the appropriate permissions, you should be able to create a grid proxy from them by typing:

$> voms-proxy-init

If it fails, run the command with its debug flag to obtain more information:

$> voms-proxy-init -debug

-- DerekFeichtinger - 03 May 2007

Topic revision: r2 - 2008-07-17 - DerekFeichtinger
 