February 7 2013

APACGrid CA has been discontinued. Please apply for an ASGCCA certificate instead.

APAC Grid User Certificate Renewal

Your APAC Grid User certificate must be renewed each year because they are only valid for 12 months. You should renew your certificate at least two weeks before your current grid certificate expiry date because it sometimes takes a few days to process your renewal request.


  • Your usercert.pem file in your ~/.globus directory.
    • There will also be other files there but the critical one for renewal is usercert.pem

Renewal Procedure

    • you might need to find where you downloaded the grix.jnlp file and launch it from the Downloads folder.
    • grix.jnlp is a java webstart application and it will launch java before downloading the application and running it.
  1. Once you've agreed to the various access requests from “” you should be able to select the certificate tab in the Grix application.
  2. All your details should have been acquired from the old usercert.pem file otherwise use this image as a template for your own details:
  3. Click the Renew button to take you to the certificate request generation screen.
    1. :!: :-x Make sure you take note of the passphrase you will need it in a week's time when you receive your renewed certificate, this cannot be recovered by anyone :!::
  4. Click the Request button to generate the certificate renewal request:
  5. Click OK to take you to the upload dialogue box:
  6. Click OK to upload your request and then you should see the following success dialogue box:
  7. Click OK to take you back to grix Certifiacte tab.
  8. Email to inform us that you have submitted a renewal request an arrange to show us your photo ID.
  9. We will then approve your request and the CA admins can then sign your certificate.
  10. You will then get an email much like this one:
    To: <>
    From: <>
    Subject: PKI Information for Certificate 3523
    Date: Tue, 24 Jul 2012 12:12:34 +1000
    Dear Lucien Boland,
    Your requested certificate is now ready. If you used the GRIX
    tool to generate that request, you can now use it again to
    retrieve the certificate and export it into your browser.
    Otherwise you can retrieve it as shown at:;&dataType=VALID_CERTIFICATE&key=3523
    And you can insert it into your browser thus:
    You will almost certainly need to also import the CA certificate 
    from the CA server:
    Please keep at least one safe backup of your private
    key and remember your pass phrase!
    				Sincerely Yours, 
    				APACGrid Security Staff.
  11. You can retrieve your certificate running Grix from the same computer you generated the request from, selecting the certificate tab and clicking the Retrieve button:
  12. You should get the dialogue boxing indicating that you successfully downloaded your certificate:
  13. You are then prompted to move the new certificate into place:


Convert PKCS12 (.p12) certificate to PEM format

If you lost your usercert.pem and your userkey.pem but you still have your usercert.p12 (or can export it from a browser in which you have it loaded), then you can recreate the .pem versions using the command below

  • From within the same directory as your usercert.p12 file run the following conversion commands:
    • Extract the key component only (you must provide a passphrase):
      openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
      Enter Import Password: *********
      MAC verified OK
      Enter PEM pass phrase: *********
      Verifying - Enter PEM pass phrase: *********
    • Extract the certificate component only:
      openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
      Enter Import Password: *********
      MAC verified OK

Verify that the private key matches the certificate

Your private key (userkey.pem) needs to be matched with your certificate (usercert.pem) to allow you access to request proxies. When you renew your certificate, sometimes an old key may be still in your .globus directory (same goes with an old cert). To verify that your key and certificate go together

  • Find hash of your certificate
    openssl x509 -noout -modulus -in ~/.globus/usercert.pem | openssl md5
  • Find hash of your private key
    openssl rsa -noout -modulus -in ~/.globus/userkey.pem | openssl md5
    Enter pass phrase for /home/scrosby/.globus/userkey.pem: *****
  • Find hash of your certificate request
    openssl req -noout -modulus -in ~/.globus/usercert_request.pem | openssl md5

If the output is the same, the key and the cert are matched. If they are different, they don't belong together

Export your old certificate from your browser

Chrome for Mac OS X (or simply Mac OS X)

  • Type in the following URL: chrome://chrome/settings/ or press cmd-, to bring up the chrome preferences:
  • Click on “Show advanced settings…”
  • Click on the “Manage certificates…” button
  • This should launch the “Keychain Access” application from which you should be able to find your grid certificate (probably in the “login” keychain and in the “My Certificates” catagory):
  • Right click on the grid certificate and choose Export
certificates/apac_renewal.txt · Last modified: 2013/02/07 16:21 by lucien
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki