Getting a Grid Certificate for ATLAS Use
To get a new certificate or renew an existing one, you can use the CERN CA to request the grid certificate:
https://ca.cern.ch/ca/
or you can also look up the BNL page for more information:
https://www.sdcc.bnl.gov/information/getting-started/grid-users
Remember which machine and browser you use to request the certificate. Once the signed certificate is ready, you will need to use the same system to download it.
UM users should use me (Shawn McKee, 734-764-4395) as the "Sponsor" and follow the instructions here:
For details on the OSG certificate CA migration, see:
https://www.racf.bnl.gov/docs/howto/grid/osg-ca-migration
You must now obtain a personal certificate from the CERN CA at https://gridca.cern.ch/ . This will redirect you to a URL where you must log in using your CERN account. In my case, I had a valid OSG Certificate, which I validated using my GRID pass phrase, and the certificate was immediately generated and made available for download to my browser (Firefox).
Note: the Chrome browser is not supported by the CERN CA service and may return an error ('Key not valid for use in specified state.'); please use another browser, such as Firefox, to interact with the CERN CA site.
After obtaining the certificate, you should add it to your ATLAS VO Membership:
https://www.racf.bnl.gov/docs/howto/grid/multicertvo
To export your CERN Certificate out of your browser, see this URL:
https://www.racf.bnl.gov/docs/howto/grid/installcert
To generate the key pairs you will need on Linux, see this same URL:
https://www.racf.bnl.gov/docs/howto/grid/installcert
Note: it is ALWAYS best to have your most recent certificate presented as your preferred certificate. Given the slowness of propagation of information to the various VOMS servers, we would suggest that you wait one week after getting this certificate, before you make it your primary.
Note: When I did this, there was no way to eliminate the OSG certificate from the export from my browser. However, the usercert and userkey files generated on Linux are ASCII files, and the OSG certificate can easily be deleted from the files using any standard editor.
A one month overlap of your 2 certificates is a preferred situation.
https://www.racf.bnl.gov/docs/howto/grid/getcertweb
NOTE If you are using Firefox 4.x, Alan Wilson found a problem documented here:
https://ticket.grid.iu.edu/goc/viewer?id=10249&sort=up&expandall=true
You may need to fix how your browser responds. See this URL from Mozilla:
https://wiki.mozilla.org/Security:Renegotiation
The following changes worked for Shawn:
- In Firefox v4, type about:config in the browser URL line
- Answer the prompt so you can get to the preferences area
- Find the line with security.ssl.renego_unrestricted_hosts and double-click it to allow you to enter the DOE grids host
- Put in pki1.doegrids.org
- Now you should be able to renew your certificate
Note that you also need to "join" the ATLAS VO and there are links on the above page that show you how to get started.
Once you get a certificate into your browser you can export it. Details are at:
https://hep.pa.msu.edu/twiki/bin/view/AGLT2/SettingUpGRIDCert
Note that if you are installing your certificate and key into AFS you need to be careful. Read this info:
https://hep.pa.msu.edu/twiki/bin/view/AGLT2/SetupSSHKeys#Protecting_SSH_Keys_or_X509_Cert
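An added example, not part of the original page: shell helpers for the note above about the exported usercert file still carrying the old OSG certificate, and for checking that the key file is not readable by others. The function names are hypothetical and the sample bundle is constructed; on AFS the mode-bit check alone is not sufficient, because directory ACLs control access.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical;
# usercert.pem / userkey.pem are the file names the page uses.

# Print how many certificate blocks a PEM file contains.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Write each certificate block of FILE to DIR/cert-N.pem, dropping any text
# between blocks, so each can be inspected on its own, for example with:
#   openssl x509 -in cert-1.pem -noout -subject -issuer -enddate
split_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep                           { print > out }
        /^-----END CERTIFICATE-----/   { if (keep) close(out); keep = 0 }
    ' "$1"
}

# Succeed only if the mode bits give group and other no access to FILE.
# On AFS, mode bits are not enough: directory ACLs decide who can read it.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write a constructed two-certificate bundle (placeholder bodies, not real
# certificates) to FILE, mimicking an export that still carries the old cert.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed old certificate
-----BEGIN CERTIFICATE-----
constructed-old-certificate-body
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: constructed new certificate
-----BEGIN CERTIFICATE-----
constructed-new-certificate-body
-----END CERTIFICATE-----
EOF
}

# Demo on constructed data in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/usercert.pem"
echo "certificates in export: $(count_certs "$demo_dir/usercert.pem")"
rm -rf "$demo_dir"
```

After splitting, keep only the block whose subject and expiry date match the new certificate as usercert.pem.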
Contact me (Shawn McKee, smckee@umich.edu) if you have problems or questions.
--
ShawnMcKee - 20 Apr 2010