How to request a SWITCHpki long lived Grid User Certificate

This document provides instructions on how to obtain a SWITCHpki long lived Grid user certificate (valid for 1 year). Only members of the organizations which participate in the SWITCHpki are entitled to request such a certificate. To receive a SWITCHpki Grid user certificate proceed with the steps indicated below.

If you already have or had in the past (starting from June 2009) a SWITCHpki Grid user certificate, please read the Certificate renewal/replacement/revocation.

Note: SWITCH recommends using SLCS certificates in the first place; more information is available on the SLCS page.

If you are an RA please go to the RA page

Step 1: Identity vetting

  1. As of July the 6th 2009 user identity vetting requires face to face registration every three years: this means that you will have to appear in person at the RA of your organization with your (still valid) photo ID document. Notice also that any identity vetting that occurred before this date is not considered valid and you should therefore redo it.

    You can find the contact information for your RA here.

    Do not hesitate to contact the SWITCH grid team at grid@switch.ch should you need help in getting in touch with the RA of your home organization.

    As an alternative to appearing in person at the RA you can also use the Yellow Identification service (provided by the Swiss post at a cost of 20 CHF). This allows you to send a validated copy of your identity document (see above) to the RA.

  2. You must sign the Certificate Application Form, which is provided to you by your RA.

    The Certificate Application Form is filled in by your RA, who will ask you for your e-mail address at your organization.

    Your RA will then ask you to sign the Certificate Application Form. If you used the Yellow Identification service the Form will be sent to you via normal post or as a scanned document in an e-mail: you must sign and send it back to your RA either via normal mail or as a scanned document in an e-mail.

    Notice that your RA will give you a copy of the Request Form, which is valid for three years, and the details of which will be used for certificate renewals as well: please make sure that you keep this document and that you have it at hand when requesting a new certificate.

Step 2: Invitation

You must now wait for the invitation e-mail (sent to the address specified in the Certificate Application Form) from QuoVadis (the SWITCHpki RA certificate provider) with subject

SWITCHpki user certificate request for YOUR_NAME: your confirmation required.

where YOUR_NAME is replaced with your First and Second Names.

The e-mail contains a link to the QuoVadis system which you must open using your browser: the supported browsers comprise Microsoft Internet Explorer on Windows, Safari on Mac, Mozilla Firefox on Windows/Linux/Mac.

You must now log in using your e-mail address at your organization as the username. As the Shared Secret Answer (the password) you will be asked to enter a case-sensitive value that only you can know, based on your identity vetting records.

Notice that the invitation is only valid for a week, so make sure to complete the invitation's steps within seven days of receiving it.

Should you have any problems with the invitation, please contact pki@switch.ch.

Step 3: Submission of your certificate request

You have received the invitation e-mail and logged in as described in Step 2.

You must now select/fill in the following fields:
  1. Key Type/Size: select High Grade if it is not already set.
  2. Certificate password: choose a six character password as described on the web page. This password will be needed to download the certificate once it is issued.

Click on the Confirm button: the private key will be created within your browser and the certificate request submitted to the QuoVadis system. The certificate will be issued automatically and a confirmation e-mail will be sent to your e-mail address, with subject

SWITCHpki user certificate for YOUR_NAME issued

where YOUR_NAME is replaced with your First and Second Names.

IMPORTANT: Please notice that should you lose or erase the private key at a later stage, you will have to redo the whole process and request a new certificate. This also means that if you used your key pair to encrypt e.g. e-mails, you will no longer be able to read them. You are strongly encouraged to make a backup of your certificate (see Step 5).

Step 4: Download your certificate

Click on the link contained in the confirmation e-mail as described at the end of Step 3: you will be asked to enter your e-mail address (your e-mail address from your Organization) and your certificate password, which is the one that you specified in Step 3. Upon successful authentication you will be able to download your certificate (Install Your Certificate button). Should you have any problems in downloading your certificate, please contact the SWITCHpki RA at pki@switch.ch for further information.

Step 5: Backing up/converting your certificate

  • Exporting/backing up your certificate:

    You have now successfully downloaded your certificate into your browser. It is strongly recommended to make a backup of your certificate! Most browsers allow you to export the certificate in PKCS #12 format (sometimes also referred to as "PFX"), so you should choose this format if available. Protect the private key with a strong passphrase and store the backup in a safe location. Should you have any problems backing up your certificate, please contact the SWITCH grid team at grid@switch.ch.

    Notice also that using grid user certificates for (e-mail) encryption is discouraged; if you lose/erase your certificate/private key pair and you do not have a backup of your certificate, you will not be able to read any document/e-mail that you encrypted with the (lost) key pair.
  • Converting your PKCS #12 certificate:

    In order to use your credentials in a grid environment it is often necessary to convert your PKCS #12 certificate (which contains both your private key and your certificate) into two separate files, one containing the private key and the other the certificate (in PEM format). In order to do so use the following commands:

    openssl pkcs12 -in export.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
    openssl pkcs12 -in export.p12 -nocerts -out $HOME/.globus/userkey.pem
    # The user certificate can safely be world readable, but userkey.pem
    # must only be readable by you!
    chmod 0400 $HOME/.globus/userkey.pem

    Further information on openssl commands is available here.

  • As mentioned above, your private key and your certificate are normally kept in the .globus directory in your home directory: please make sure that the private key is always encrypted! It is also recommended that it be readable by you and you only.

    For general enquiries/problems, or to provide feedback you are encouraged to contact the SWITCH grid team at grid@switch.ch
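The following script is an added example and not part of the SWITCH instructions. It performs the PKCS #12 to PEM conversion described under "Converting your PKCS #12 certificate" and then checks the three properties the last bullet asks for: the key file is readable only by its owner, the private key is stored encrypted, and the key actually belongs to the certificate next to it. So that it runs offline, it first builds a throwaway self-signed key and certificate and packs them into a PKCS #12 file in a temporary directory; that test credential, the passphrases, and the function names (make_test_p12, convert_p12, verify_globus_dir) are constructed for this example and stand in for the real SWITCHpki export.p12.

```sh
#!/bin/sh
# Added example (not from the SWITCH page): convert a PKCS #12 bundle into the
# usercert.pem / userkey.pem pair a grid environment expects, then verify it.
# Assumptions: openssl is on PATH; a throwaway self-signed credential stands in
# for the real SWITCHpki export.p12; passphrases are constructed test values.
set -e

WORK=$(mktemp -d)
P12_PASS="export-pass-constructed"        # passphrase set when exporting from the browser
KEY_PASS="strong-key-passphrase-constructed"  # passphrase protecting userkey.pem

# Build a throwaway credential so the example runs offline (constructed test data).
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Grid User" \
        -keyout "$WORK/test.key" -out "$WORK/test.crt" -days 1 2>/dev/null
    openssl pkcs12 -export -in "$WORK/test.crt" -inkey "$WORK/test.key" \
        -out "$WORK/export.p12" -passout "pass:$P12_PASS"
}

# The page's two openssl commands plus chmod, with the target directory created
# first and the private key re-encrypted under its own passphrase on output.
convert_p12() {
    p12="$1"; dest="$2"
    mkdir -p "$dest"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$dest/usercert.pem" \
        -passin "pass:$P12_PASS"
    openssl pkcs12 -in "$p12" -nocerts -out "$dest/userkey.pem" \
        -passin "pass:$P12_PASS" -passout "pass:$KEY_PASS"
    chmod 0400 "$dest/userkey.pem"
}

# Post-conversion checks:
#  1. userkey.pem has mode 0400 (owner read only),
#  2. userkey.pem is encrypted (PEM header reads ENCRYPTED PRIVATE KEY or
#     carries a Proc-Type: 4,ENCRYPTED line),
#  3. the certificate and the key carry the same public key.
verify_globus_dir() {
    dest="$1"
    mode=$(stat -c %a "$dest/userkey.pem" 2>/dev/null || stat -f %Lp "$dest/userkey.pem")
    [ "$mode" = "400" ] || { echo "userkey.pem mode is $mode, expected 400"; return 1; }
    grep -q "ENCRYPTED" "$dest/userkey.pem" || { echo "userkey.pem is not encrypted"; return 1; }
    cert_pub=$(openssl x509 -in "$dest/usercert.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$dest/userkey.pem" -passin "pass:$KEY_PASS" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match"; return 1; }
    echo "ok: $dest holds a matching, encrypted, owner-only private key"
}

make_test_p12
convert_p12 "$WORK/export.p12" "$WORK/globus"
verify_globus_dir "$WORK/globus"
```

To use it on a real export, drop the make_test_p12 call and point convert_p12 at your browser's export.p12 and at $HOME/.globus; the -passin/-passout values can be omitted so that openssl prompts for the passphrases interactively instead of taking them from the script. The temporary directory is left in place so the generated files can be inspected.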