<!-- keep this as a security measure:
   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.LCGAdminGroup
   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.LCGAdminGroup
#uncomment this if you want the page only be viewable by the internal people
   * #Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.LCGAdminGroup
-->

---+ Converting a PKCS#12 certificate (from your browser) to PEM format:

   * Save the key/certificate from your browser into a file (I'll use the name =mycert.p12= here). You will be asked for a passphrase when the new file is created, since the private key part should always be secured via encryption. Browsers usually save this file in the PKCS#12 format, and the file contains both the certificate and the matching private key. For the following steps you need to have the *openssl* utility available. It is standard on all current Linux installations.
   * Extract the user certificate from the PKCS#12 file into the file =usercert.pem= (you will need to enter your passphrase):
<verbatim>
$> openssl pkcs12 -clcerts -nokeys -out usercert.pem -in mycert.p12
</verbatim>
   * Extract the user private key from the key/cert file into =userkey.pem= (you will need to enter your passphrase again). Since the key is now stored in a new format but should still remain protected, you are asked for yet another passphrase for that file. I always use the same passphrase for all these steps:
<verbatim>
$> openssl pkcs12 -nocerts -out userkey.pem -in mycert.p12
</verbatim>
   * Make sure that the key file can only be read by you! The certificate file must be readable by all, but writable only by you:
<verbatim>
$> chmod og-rw userkey.pem
$> chmod og-w usercert.pem
</verbatim>
   * Copy both files into the =~/.globus/= directory on your user interface machine (e.g. onto lxplus or our UI at CSCS, if you have access to it). Make sure that both files have the correct permissions!
<verbatim>
$> ls -l ~/.globus/usercert.pem ~/.globus/userkey.pem
-rw-r--r-- 1 myuser grp 1700 Jul 31 2006 /home/myuser/.globus/usercert.pem
-rw------- 1 myuser grp 1750 Jul 31 2006 /home/myuser/.globus/userkey.pem
</verbatim>

---++ Test the certificate:

Once the files are in the correct location with the appropriate permissions, you should be able to create a grid proxy from them by typing:
<verbatim>
$> voms-proxy-init
</verbatim>
If it fails, use the debug flag of this command to obtain more information:
<verbatim>
$> voms-proxy-init -debug
</verbatim>

-- Main.DerekFeichtinger - 03 May 2007
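The permission and encryption requirements from the steps above can be checked in one pass before running =voms-proxy-init=. The following is an added example, not part of the original page or of the openssl/VOMS tools; the function names =check_globus_dir= and =perm_bits= are hypothetical, and the check assumes the file names =usercert.pem= and =userkey.pem= used above.

```shell
#!/bin/sh
# Added example: audit the two PEM files produced by the steps above.
# check_globus_dir and perm_bits are hypothetical helper names.

# Print the nine permission characters (e.g. rw-r--r--) of a file.
perm_bits() {
    ls -ldL "$1" | cut -c2-10
}

check_globus_dir() {
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem
    rc=0

    for f in "$cert" "$key"; do
        [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    done

    # Private key: no access of any kind for group or other.
    case $(perm_bits "$key") in
        ???------) ;;
        *) echo "FAIL: $key is accessible by group/other"; rc=1 ;;
    esac

    # Certificate: readable by all, writable only by the owner.
    case $(perm_bits "$cert") in
        r??r-?r-?) ;;
        *) echo "FAIL: $cert must be world-readable, owner-writable only"; rc=1 ;;
    esac

    # Key must be stored encrypted: PKCS#8 ("ENCRYPTED PRIVATE KEY") or
    # traditional PEM ("Proc-Type: 4,ENCRYPTED").
    if ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "FAIL: $key is not passphrase-protected"; rc=1
    fi

    # The world-readable file must hold a certificate and no key material.
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "FAIL: no certificate in $cert"; rc=1; }
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "FAIL: $cert contains a private key"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}
```

Source the file and run =check_globus_dir= (it defaults to =~/.globus=); a non-zero return value means at least one of the requirements above is not met.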
Topic revision: r2 - 2008-07-17 - DerekFeichtinger