Difference between revisions of "Getting a Grid Certificate"

From GlueXWiki
Jump to: navigation, search
 
(5 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
* In the Sponsor text box, give the name of the GlueX collaboration contact person for your group.
 
* In the Sponsor text box, give the name of the GlueX collaboration contact person for your group.
 
* You will get a request ID for tracking purposes.
 
* You will get a request ID for tracking purposes.
* Navigate to [http://digicert-grid.com/ the DigiCert CA web site] and install the trusted root certificates for the DigiCert CA.  You can do this in your browser by clicking on the link after "CA Certificate".  You want both the [http://digicert-grid.com/DigiCertGridRootCA.cer DigiCert Grid Root CA] and [http://digicert-grid.com/DigiCertGridRootCA.cer DigiCert Grid CA-1].  Either the "pem" (unix style) or the "der" (windows style) links should be recognized by your browser, but you only need one of them, not both. When prompted, click "Accept". You don't need anything except the CA Certificates for the DigiCert-Grid Grid-Only Trust CAs.
+
* Navigate to [http://ca.cilogon.org/ the CILogon CA web site] and install the trusted root certificate for the CILogon CA.  You can do this in your browser by clicking on the Download link on the home page, and then scrolling down to the section labeled CILogon OSG CA.  You want to download either the self-signed PEM-formatted CA certificate or self-signed DER-formatted CA certificate.  Either the "pem" (unix style) or the "der" (windows style) links should be recognized by your browser, but you only need one of them, not both. Right-click on either link and download the file to your browser download area. Then go to the "HTTPS/SSL Certificates" section under your browser settings, and import the file you just downloaded into your browser. You should approve it as a certificate authority for authenticating web sites and users (like yourself) whose certificates are signed by the CILogon ca.
 
* You should receive an email back from OSG-PKI within three working days informing you that your certificate is ready, and giving instructions for how to retrieve it.
 
* You should receive an email back from OSG-PKI within three working days informing you that your certificate is ready, and giving instructions for how to retrieve it.
* Install the new certificate into your favorite browser(s).  It should be easy to figure out how to do this, and if not, plenty of help on this topic is available on the web for your particular browser.
+
* Install the new certificate into your favorite browser(s).  It should be easy to figure out how to do this, and if not, plenty of help on this topic is available on the web for your particular browser.  You may look [https://www.racf.bnl.gov/docs/howto/grid/osx-doegrids-safari here for guidance on how to install certificates into Safari].  
 
* Navigate to [https://gryphn.phys.uconn.edu:8443/voms/Gluex the Gluex VOMS web service] and fill out the form to register as a new Gluex user.
 
* Navigate to [https://gryphn.phys.uconn.edu:8443/voms/Gluex the Gluex VOMS web service] and fill out the form to register as a new Gluex user.
 
* Within one working day, the Gluex VOMS admin should respond to your request and grant you membership.
 
* Within one working day, the Gluex VOMS admin should respond to your request and grant you membership.
 
* Verify that your new certificate is fully authorized on the OSG as a member of the Gluex VO by trying the following command in the unix shell where you installed your certificate.  You will be prompted to enter the password that you specified when you created the certificate.
 
* Verify that your new certificate is fully authorized on the OSG as a member of the Gluex VO by trying the following command in the unix shell where you installed your certificate.  You will be prompted to enter the password that you specified when you created the certificate.
 
<pre>
 
<pre>
voms-proxy-init -dont-verify-ac -voms Gluex:/Gluex
+
voms-proxy-init -voms Gluex:/Gluex
 
</pre>
 
</pre>
 +
The above command may succeed and still print a error message about not being able to verify the AC of the voms server.  If you see that message, don't worry about that right now.  It reflects a small issue with your OSG client configuration.  Instructions for diagnosing and repairing the problem are found on [[Using the Grid]].

Latest revision as of 11:04, 11 May 2017

  • Follow the step-by-step instructions for requesting a certificate at https://oim.grid.iu.edu/oim/certificaterequestuser
  • For your Sponsor select "Gluex" from the pulldown list.
  • In the Sponsor text box, give the name of the GlueX collaboration contact person for your group.
  • You will get a request ID for tracking purposes.
  • Navigate to the CILogon CA web site and install the trusted root certificate for the CILogon CA. You can do this in your browser by clicking on the Download link on the home page, and then scrolling down to the section labeled CILogon OSG CA. You want to download either the self-signed PEM-formatted CA certificate or self-signed DER-formatted CA certificate. Either the "pem" (unix style) or the "der" (windows style) links should be recognized by your browser, but you only need one of them, not both. Right-click on either link and download the file to your browser download area. Then go to the "HTTPS/SSL Certificates" section under your browser settings, and import the file you just downloaded into your browser. You should approve it as a certificate authority for authenticating web sites and users (like yourself) whose certificates are signed by the CILogon ca.
  • You should receive an email back from OSG-PKI within three working days informing you that your certificate is ready, and giving instructions for how to retrieve it.
  • Install the new certificate into your favorite browser(s). It should be easy to figure out how to do this, and if not, plenty of help on this topic is available on the web for your particular browser. You may look here for guidance on how to install certificates into Safari.
  • Navigate to the Gluex VOMS web service and fill out the form to register as a new Gluex user.
  • Within one working day, the Gluex VOMS admin should respond to your request and grant you membership.
  • Verify that your new certificate is fully authorized on the OSG as a member of the Gluex VO by trying the following command in the unix shell where you installed your certificate. You will be prompted to enter the password that you specified when you created the certificate.
voms-proxy-init -voms Gluex:/Gluex

The above command may succeed and still print a error message about not being able to verify the AC of the voms server. If you see that message, don't worry about that right now. It reflects a small issue with your OSG client configuration. Instructions for diagnosing and repairing the problem are found on Using the Grid.