Applying for a CERN grid user certificate

Since Australia's grid CA is starting to charge us $100 per certificate per year over a certain number of certificates, we are requesting those CoEPP who have visited CERN (and verified their ID at the CERN user's office) to change from using their Australian QuoVadis certificates to the CERN CA grid user certificates. We apologies for this minor inconvenience and are happy to assist if the instructions are unclear. The process for doing so is provided below.

Check eligibility

  1. click the “Check account eligibility for Grid user certificate” link
    • you may asked to login to your cern account if you aren't already logged in
  2. Your cern user name should be prep-populated into the “login” box
  3. Click the “CHECK” button
  4. Hopefully you are informed that you can request a certificate

Request and download a CERN "New Grid User Certificate"

Instructions for the firefox browser on MacOS can be found by clicking the link below, other browsers are similar in principal but slightly different (you should be able to work your way through it but come and see Sean or Lucien if you experience any difficulaties):

Convert your PKCS12 certificate into PEM key and PEM cert files

  1. In a terminal window navigate to your “Downloads” folder (or to wherever you saved your certificate in the section above) and ensure your new certificate is there.
    bash$ cd ~/Downloads
    bash$ ls -l usercert.p12
    -rw-r--r--@ 1 lucien  staff  8248 16 Sep 15:43 usercert.p12
  2. convert/export your private key file making sure you use a secure password (you can repeat the password you entered when exporting it from your browser) In the example below I repeated my secure password three times, once to “unlock” the p12 file, once the set the new password and once to verify the new password:
    bash$ openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
  3. convert/export your certificate file, note that this new file does not need a password added since it isn't a private component, however the command does require you to enter your secure password that you used to export the pkcs12 file from your browser:
    bash$ openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
    Enter Import Password:
    MAC verified OK
  4. you should now have the two files needed for your grid access:
    bash$ ls -l user*
    -rw-r--r--@ 1 lucien  staff   8248 16 Sep 15:43 usercert.p12
    -rw-r--r--  1 lucien  staff   3338 19 Sep 09:38 usercert.pem
    -rw-r--r--  1 lucien  staff   1875 19 Sep 09:33 userkey.pem
  5. you can now copy these onto the UI into your ~/.globus directory and use them for the step below to add to your ATLAS VOMS account.

Register your new certificate with your ATLAS VOMS account

  1. Visit (with your old certificate loaded into your browser you should automatically log into your ATLAS VOMS user account)
  2. In the “Certificates” section, click on “Add an additional certificate”
  3. On this page, click on the “Choose File” button in the “Certificate File” section. Use the selection dialog box to find your “usercert.pem” file created in the previous section. This will correctly recover your certificates DN (distinguished name) for the request.
  4. leaving the “Or enter a Subject, CA couple” section blank, click on the “Request certificate”
  5. In a day or so this will be approved by an ATLAS VOMS admin and your new certificate will be ready to use.
grid/cern_certificates.txt · Last modified: 2016/09/22 12:39 by lucien
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki