How to request a SWITCHpki Grid User Certificate

This document provides instructions on how to obtain a SWITCHpki Grid user certificate. Only members of the organizations which participate in the SWITCHpki are entitled to request such a certificate. To receive a SWITCHpki Grid user certificate proceed with the steps indicated below.

Note: SWITCH recommends using SLCS certificates in the first place; more information can be found on the SLCS page.

WARNING: IF YOU ARE AN RA PLEASE GO TO THE RA PAGE

Step 1: Identity vetting

  1. As of July the 6th 2009 user identity vetting requires face to face registration every three years: this means that you will have to appear in person at the RA of your organization with your (still valid) photo ID document. Notice also that any identity vetting that occurred before this date is not considered valid and you should therefore redo it.

    For future/multiple certificate requests, if your identity was already vetted less than three years ago (starting on July the 6th 2009) then just send an e-mail to pki@switch.ch requesting a long-lived Grid user certificate and go to Step 2 directly!

    You can find the contact information for the RA here.

    Do not hesitate to contact us at grid@switch.ch should you need help in getting in touch with the RA of your home organization.

    As an alternative to appearing in person at the RA you can also use the Yellow Identification service (provided by the Swiss post at a cost of 20 CHF). This allows you to send a validated copy of your identity document (see above) to the RA.

  2. You must sign the Certificate Application Form.

    The Certificate Application Form is filled in by your RA, who will ask you for your e-mail address at your organization.

    Your RA will then ask you to sign the Certificate Application Form. If you used the Yellow Identification service the Form will be sent to you via normal post/fax or as a scanned document in an e-mail: you must sign and send it back to your RA either via normal mail/fax or as a scanned document in an e-mail.

Step 2: Wait for instructions from the SWITCHpki RA

You must now wait for an e-mail (which will be sent to the address specified in the Certificate Application Form) with subject

Instructions on how to submit your SWITCHpki Grid User Certificate Request

from the SWITCHpki RA with further instructions on how to proceed. The e-mail will guide you through the necessary steps to submit your CSR.

Step 3: Submission of the CSR (certificate signing request)

You have received the e-mail from the SWITCHpki RA: follow the instructions therein to submit your CSR.

After the submission of the CSR you will receive an e-mail of confirmation with subject

SWITCHpki Grid user certificate request received.

Step 4: Wait for the certificate to be issued by the SWITCHpki RA

You must now wait for the certificate to be issued by the SWITCHpki RA. Once the certificate is issued you will receive an e-mail with subject

SWITCHpki Grid user certificate issued

if your request was approved, or

SWITCHpki Grid user certificate request rejected

If your request was rejected, then contact the SWITCHpki RA at pki@switch.ch for further information.

Step 5: Download your certificate

Follow the link in the e-mail with the subject

SWITCHpki Grid user certificate issued

and follow the instructions you received in Step 3 with the other e-mail with subject

Instructions on how to submit your SWITCHpki Grid User Certificate Request

Step 6: Exporting/backing up your certificate

You have now successfully downloaded your certificate in your browser.

It is strongly recommended to make a backup of your certificate. Most browsers allow you to export the certificate in PKCS #12 format (sometimes also referred to as "PFX"), so you should choose this format, if available. Protect the private key with a strong passphrase and store the backup at a safe location.

Step 7: Converting your PKCS #12 certificate

In order to use your credentials in a grid environment it is often necessary to convert your PKCS #12 file (which contains both your private key and your certificate) into two separate PEM files, one containing the private key and the other the certificate. To do so, use the following commands:

openssl pkcs12 -in export.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in export.p12 -nocerts -out $HOME/.globus/userkey.pem
# The user certificate can safely be world readable, but userkey.pem
# must only be readable by you!
chmod 0400 $HOME/.globus/userkey.pem

Further information on openssl commands is available here.

As mentioned above, your private key and your certificate are normally kept in the .globus directory in your home directory: please make sure that the private key file is readable by you and you only!
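The conversion in Step 7, written as a small script that also checks the two results a user most often gets wrong: that userkey.pem really belongs to usercert.pem and that its mode is exactly 0400. This is an added example, not a script from SWITCH; it assumes openssl on the PATH, takes the .p12 path, passphrases and output directory as parameters, and builds a throwaway self-signed bundle for the demo run.

```shell
#!/bin/sh
# Added example (not part of the SWITCHpki page). Assumes openssl on PATH.
set -e

# split_p12 P12 P12PASS KEYPASS OUTDIR
#   Writes OUTDIR/usercert.pem (may be world-readable) and OUTDIR/userkey.pem
#   (encrypted with KEYPASS, mode 0400), as in Step 7 of the page.
split_p12() {
    p12=$1; p12pass=$2; keypass=$3; out=$4
    mkdir -p "$out"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$out/usercert.pem" \
        -passin "pass:$p12pass"
    # umask 077 so the key file is never, even briefly, readable by others
    (umask 077; openssl pkcs12 -in "$p12" -nocerts -out "$out/userkey.pem" \
        -passin "pass:$p12pass" -passout "pass:$keypass")
    chmod 0400 "$out/userkey.pem"
}

# key_matches_cert KEY KEYPASS CERT: succeeds only if both carry the same
# public key, i.e. the key file really is the one the certificate was issued for.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$3" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private FILE: succeeds only if the mode is exactly -r-------- (0400)
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# make_demo_p12 DIR: constructed stand-in for the browser export (export.p12),
# a self-signed certificate and key bundled with passphrase "exportpw".
make_demo_p12() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo user" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
        -out "$1/export.p12" -passout "pass:exportpw"
}

# Demo run on the constructed bundle; replace with your real export.p12.
demo=$(mktemp -d)
make_demo_p12 "$demo"
split_p12 "$demo/export.p12" exportpw keypw "$demo/globus"
key_matches_cert "$demo/globus/userkey.pem" keypw "$demo/globus/usercert.pem" \
    && key_is_private "$demo/globus/userkey.pem" \
    && echo "usercert.pem and userkey.pem OK in $demo/globus"
```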

Certificate renewal/replacement/revocation

Step 1 must be repeated every three years. At any other time you can submit a certificate request directly without your RA's intervention/involvement i.e. go directly to Step 3.

Should your private key get compromised, please
  1. contact the SWITCHpki RA at pki@switch.ch and your RA (see organizations) to immediately revoke the certificate;
  2. submit a new certificate request starting from Step 3 to get a new certificate.

Should you have any problems please contact the SWITCHpki RA at pki@switch.ch.