APAC Grid User Certificate Renewal

Your APAC Grid User certificate must be renewed each year because they are only valid for 12 months. You should renew your certificate at least two weeks before your current grid certificate expiry date because it sometimes takes a few days to process your renewal request.

• Your usercert.pem file in your ~/.globus directory.
  • There will also be other files there but the critical one for renewal is usercert.pem

1. Get the Grix Tool and run it: http://grix.arcs.org.au/downloads/webstart/grix.jnlp
   • you might need to find where you downloaded the grix.jnlp file and launch it from the Downloads folder.
   • grix.jnlp is a java webstart application and it will launch java before downloading the application and running it.
2. Once you've agreed to the various access requests from “code.arcs.org.au” you should be able to select the certificate tab in the Grix application.
3. All your details should have been acquired from the old usercert.pem file otherwise use this image as a template for your own details:
4. Click the Renew button to take you to the certificate request generation screen.
   1. Make sure you take note of the passphrase you will need it in a week's time when you receive your renewed certificate, this cannot be recovered by anyone :
5. Click the Request button to generate the certificate renewal request:
6. Click OK to take you to the upload dialogue box:
7. Click OK to upload your request and then you should see the following success dialogue box:
8. Click OK to take you back to grix Certifiacte tab.
9. Email rc@coepp.org.au to inform us that you have submitted a renewal request an arrange to show us your photo ID.
10. We will then approve your request and the CA admins can then sign your certificate.
11. You will then get an email much like this one:

    To: <lucien@unimelb.edu.au>
    From: <camanager@arcs.org.au>
    Subject: PKI Information for Certificate 3523
    Date: Tue, 24 Jul 2012 12:12:34 +1000
    
    
    Dear Lucien Boland,
    
    Your requested certificate is now ready. If you used the GRIX
    tool to generate that request, you can now use it again to
    retrieve the certificate and export it into your browser.
    Ref: http://www.arcs.org.au/GridGrix
    
    Otherwise you can retrieve it as shown at:
    https://ca.apac.edu.au/cgi-bin/pub/pki?cmd=viewCert;&dataType=VALID_CERTIFICATE&key=3523
    
    And you can insert it into your browser thus:
    http://wiki.arcs.org.au/bin/view/Main/InstallCertificate
    
    
    You will almost certainly need to also import the CA certificate 
    from the CA server: http://ca.apac.edu.au/pub/cacert/cacert.crt
    
    Please keep at least one safe backup of your private
    key and remember your pass phrase!
    
    				Sincerely Yours, 
    				APACGrid Security Staff.

12. You can retrieve your certificate running Grix from the same computer you generated the request from, selecting the certificate tab and clicking the Retrieve button:
13. You should get the dialogue boxing indicating that you successfully downloaded your certificate:
14. You are then prompted to move the new certificate into place:

If you lost your usercert.pem and your userkey.pem but you still have your usercert.p12 (or can export it from a browser in which you have it loaded), then you can recreate the .pem versions using the command below

• From within the same directory as your usercert.p12 file run the following conversion commands:
  • Extract the key component only (you must provide a passphrase):

    openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
    Enter Import Password: *********
    MAC verified OK
    Enter PEM pass phrase: *********
    Verifying - Enter PEM pass phrase: *********

  • Extract the certificate component only:

    openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
    Enter Import Password: *********
    MAC verified OK

Your private key (userkey.pem) needs to be matched with your certificate (usercert.pem) to allow you access to request proxies. When you renew your certificate, sometimes an old key may be still in your .globus directory (same goes with an old cert). To verify that your key and certificate go together

• Find hash of your certificate

  openssl x509 -noout -modulus -in ~/.globus/usercert.pem | openssl md5
  28c79813aefd42f8ca5c0efd76fdf889

• Find hash of your private key

  openssl rsa -noout -modulus -in ~/.globus/userkey.pem | openssl md5
  Enter pass phrase for /home/scrosby/.globus/userkey.pem: *****
  28c79813aefd42f8ca5c0efd76fdf889

• Find hash of your certificate request

  openssl req -noout -modulus -in ~/.globus/usercert_request.pem | openssl md5
  28c79813aefd42f8ca5c0efd76fdf889

If the output is the same, the key and the cert are matched. If they are different, they don't belong together

• Type in the following URL: chrome://chrome/settings/ or press cmd-, to bring up the chrome preferences:
• Click on “Show advanced settings…”
• Click on the “Manage certificates…” button
• This should launch the “Keychain Access” application from which you should be able to find your grid certificate (probably in the “login” keychain and in the “My Certificates” catagory):
• Right click on the grid certificate and choose Export