February 7 2013
APACGrid CA has been discontinued. Please apply for an ASGCCA certificate instead.
Your APAC Grid User certificate must be renewed each year because they are only valid for 12 months. You should renew your certificate at least two weeks before your current grid certificate expiry date because it sometimes takes a few days to process your renewal request.
usercert.pem
file in your ~/.globus directory.usercert.pem
To: <lucien@unimelb.edu.au> From: <camanager@arcs.org.au> Subject: PKI Information for Certificate 3523 Date: Tue, 24 Jul 2012 12:12:34 +1000 Dear Lucien Boland, Your requested certificate is now ready. If you used the GRIX tool to generate that request, you can now use it again to retrieve the certificate and export it into your browser. Ref: http://www.arcs.org.au/GridGrix Otherwise you can retrieve it as shown at: https://ca.apac.edu.au/cgi-bin/pub/pki?cmd=viewCert;&dataType=VALID_CERTIFICATE&key=3523 And you can insert it into your browser thus: http://wiki.arcs.org.au/bin/view/Main/InstallCertificate You will almost certainly need to also import the CA certificate from the CA server: http://ca.apac.edu.au/pub/cacert/cacert.crt Please keep at least one safe backup of your private key and remember your pass phrase! Sincerely Yours, APACGrid Security Staff.
If you lost your usercert.pem and your userkey.pem but you still have your usercert.p12 (or can export it from a browser in which you have it loaded), then you can recreate the .pem versions using the command below
openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem Enter Import Password: ********* MAC verified OK Enter PEM pass phrase: ********* Verifying - Enter PEM pass phrase: *********
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem Enter Import Password: ********* MAC verified OK
Your private key (userkey.pem) needs to be matched with your certificate (usercert.pem) to allow you access to request proxies. When you renew your certificate, sometimes an old key may be still in your .globus directory (same goes with an old cert). To verify that your key and certificate go together
openssl x509 -noout -modulus -in ~/.globus/usercert.pem | openssl md5 28c79813aefd42f8ca5c0efd76fdf889
openssl rsa -noout -modulus -in ~/.globus/userkey.pem | openssl md5 Enter pass phrase for /home/scrosby/.globus/userkey.pem: ***** 28c79813aefd42f8ca5c0efd76fdf889
openssl req -noout -modulus -in ~/.globus/usercert_request.pem | openssl md5 28c79813aefd42f8ca5c0efd76fdf889
If the output is the same, the key and the cert are matched. If they are different, they don't belong together