CoEPP RC
 

Differences

This shows you the differences between two versions of the page.

renewal [2012/08/13 16:37] (current)
admin created
Line 1: Line 1:
 +====== APAC Grid User Certificate Renewal ======
  
 +Your APAC Grid User certificate must be renewed each year because they are only valid for 12 months. You should renew your certificate at least two weeks before your current grid certificate expiry date because it sometimes takes a few days to process your renewal request.
 +
 +
 +===== Prerequisites =====
 +
 +  * Your ''​usercert.pem''​ file in your ~/.globus directory.
 +    * There will also be other files there but the critical one for renewal is ''​usercert.pem''​
 +
 +
 +===== Renewal Procedure =====
 +
 +  - Get the Grix Tool and run it: [[http://​grix.arcs.org.au/​downloads/​webstart/​grix.jnlp]]
 +    * you might need to find where you downloaded the grix.jnlp file and launch it from the Downloads folder.
 +    * grix.jnlp is a java webstart application and it will launch java before downloading the application and running it.
 +  - Once you've agreed to the various access requests from "​code.arcs.org.au"​ you should be able to select the certificate tab in the Grix application.
 +  - All your details should have been acquired from the old usercert.pem file otherwise use this image as a template for your own details: {{ :​public:​grix_renewal.png?​direct&​300 |}}
 +  - Click the **Renew** button to take you to the certificate request generation screen. ​
 +      - :!: :-x Make sure you take note of the **passphrase** you will need it in a week's time when you receive your renewed certificate,​ this cannot be recovered by anyone :!:: {{ :​public:​grix_cert_request.png?​direct&​300 |}}
 +  - Click the **Request** button to generate the certificate renewal request: {{ :​public:​grix_cert_created.png?​direct&​300 |}}
 +  - Click **OK** to take you to the upload dialogue box: {{ :​public:​grix_upload.png?​direct&​300 |}}
 +  - Click **OK** to upload your request and then you should see the following success dialogue box: {{ :​public:​grix_success.png?​direct&​300 |}}
 +  - Click **OK** to take you back to grix Certifiacte tab.
 +  - Email rc@coepp.org.au to inform us that you have submitted a renewal request an arrange to show us your photo ID.
 +  - We will then approve your request and the CA admins can then sign your certificate.
 +  - You will then get an email much like this one:<​file>​
 +To: <​lucien@unimelb.edu.au>​
 +From: <​camanager@arcs.org.au>​
 +Subject: PKI Information for Certificate 3523
 +Date: Tue, 24 Jul 2012 12:12:34 +1000
 +
 +
 +Dear Lucien Boland,
 +
 +Your requested certificate is now ready. If you used the GRIX
 +tool to generate that request, you can now use it again to
 +retrieve the certificate and export it into your browser.
 +Ref: http://​www.arcs.org.au/​GridGrix
 +
 +Otherwise you can retrieve it as shown at:
 +https://​ca.apac.edu.au/​cgi-bin/​pub/​pki?​cmd=viewCert;&​dataType=VALID_CERTIFICATE&​key=3523
 +
 +And you can insert it into your browser thus:
 +http://​wiki.arcs.org.au/​bin/​view/​Main/​InstallCertificate
 +
 +
 +You will almost certainly need to also import the CA certificate ​
 +from the CA server: http://​ca.apac.edu.au/​pub/​cacert/​cacert.crt
 +
 +Please keep at least one safe backup of your private
 +key and remember your pass phrase!
 +
 + Sincerely Yours, ​
 + APACGrid Security Staff.
 +</​file>​
 +  - You can retrieve your certificate running Grix from the same computer you generated the request from, selecting the certificate tab and clicking the **Retrieve** button: {{ :​public:​grix_retrieve.png?​direct&​300 |}}
 +  - You should get the dialogue boxing indicating that you successfully downloaded your certificate:​ {{ :​public:​grix_success_download.png?​direct&​300 |}}
 +  - You are then prompted to move the new certificate into place: {{ :​public:​grix_move_into_place.png?​direct&​300 |}}
 +  - 
 +
 +===== Troubleshooting =====
 +
 +
 +
 +==== Convert PKCS12 (.p12) certificate to PEM format ====
 +
 +If you lost your usercert.pem and your userkey.pem but you still have your usercert.p12 (or can export it from a browser in which you have it loaded), then you can recreate the .pem versions using the command below
 +  * From within the same directory as your usercert.p12 file run the following conversion commands:
 +    * Extract the key component only (**you must provide a passphrase**):<​code>​
 +openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem
 +Enter Import Password: *********
 +MAC verified OK
 +Enter PEM pass phrase: *********
 +Verifying - Enter PEM pass phrase: *********
 +</​code>​
 +    * Extract the certificate component only:<​code>​
 +openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert.pem
 +Enter Import Password: *********
 +MAC verified OK
 +</​code>​
 +
 +==== Verify that the private key matches the certificate ====
 +
 +Your private key (userkey.pem) needs to be matched with your certificate (usercert.pem) to allow you access to request proxies. When you renew your certificate,​ sometimes an old key may be still in your .globus directory (same goes with an old cert). To verify that your key and certificate go together
 +
 +  * Find hash of your certificate <​code>​
 +openssl x509 -noout -modulus -in ~/​.globus/​usercert.pem | openssl md5
 +28c79813aefd42f8ca5c0efd76fdf889
 +</​code>​
 +  * Find hash of your private key <​code>​
 +openssl rsa -noout -modulus -in ~/​.globus/​userkey.pem | openssl md5
 +Enter pass phrase for /​home/​scrosby/​.globus/​userkey.pem:​ *****
 +28c79813aefd42f8ca5c0efd76fdf889
 +</​code>​
 +  * Find hash of your certificate request <​code>​
 +openssl req -noout -modulus -in ~/​.globus/​usercert_request.pem | openssl md5
 +28c79813aefd42f8ca5c0efd76fdf889
 +</​code> ​
 +
 +If the output is the same, the key and the cert are matched. If they are different, they don't belong together
 +==== Export your old certificate from your browser ====
 +
 +=== Chrome for Mac OS X (or simply Mac OS X)===
 +
 +  * Type in the following URL: **[[chrome://​chrome/​settings/​]]** or press ''​cmd-,''​ to bring up the chrome preferences:​ {{ :​public:​chrome_settings.png?​direct&​300 |}}
 +  * Click on "Show advanced settings..."​ {{ :​public:​manage_certs.png?​direct&​300 |}}
 +  * Click on the "​Manage certificates..."​ button
 +  * This should launch the "​Keychain Access"​ application from which you should be able to find your grid certificate (probably in the "​login"​ keychain and in the "My Certificates"​ catagory): {{ :​public:​keychain_access_export.png?​direct&​300 |}}
 +  * Right click on the grid certificate and choose **Export**
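
Review bot: the Renewal Procedure ends on an empty numbered item (the bare "-" after the "You are then prompted to move the new certificate into place" step), so the procedure stops without telling the user how to confirm that the renewed certificate works. Either drop the empty item or complete it, for example by pointing to the "Verify that the private key matches the certificate" section, since that section itself warns that an old key or cert may still be in the .globus directory after a renewal. In the PKCS12 conversion, the step that writes userkey.pem says nothing about file permissions; a line telling the user to restrict the key to its owner (for example "chmod 400 userkey.pem") belongs right after the extraction command. The Prerequisites list names only usercert.pem while the later sections also depend on userkey.pem, so it is worth stating whether the key is needed for renewal. The sample email and the prompt output carry what look like real identities ("lucien@unimelb.edu.au", "Dear Lucien Boland", "/home/scrosby/.globus/userkey.pem"); consider replacing them with placeholders. The "Export your old certificate from your browser" section stops at choosing **Export** and never says which format to save or where to put the file, although the conversion section expects a usercert.p12. Smaller points: "Certifiacte", "an arrange", "dialogue boxing" and "catagory" are typos; the sentences ending "using the command below", "go together" and "don't belong together" lack closing punctuation; and the "Export your old certificate" heading needs a blank line before it.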
renewal.txt · Last modified: 2012/08/13 16:37 by admin
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International