How to request a SWITCHpki long lived Grid User Certificate
This document provides instructions on how to obtain a SWITCHpki long lived Grid user certificate (valid for 1 year). Only members of the organizations which participate in the SWITCHpki are entitled to request such a certificate. To receive a SWITCHpki Grid user certificate proceed with the steps indicated below.
If you already have or had in the past (starting from June 2009) a SWITCHpki Grid user certificate, please read the Certificate renewal/replacement/revocation.
Note: SWITCH recommends using SLCS certificates in the first place, for which more information can be found here: SLCS.
If you are an RA please go to the RA page.
Step 1: Identity vetting
- As of July the 6th 2009 user identity vetting requires face to face registration every three years: this means that you will have to appear in person at the RA of your organization with your (still valid) photo ID document. Notice also that any identity vetting that occurred before this date is not considered valid and you should therefore redo it. You can find the contact information for your RA here. Do not hesitate to contact the SWITCH grid team at grid@switch.ch should you need help in getting in touch with the RA of your home organization.
As an alternative to appearing in person at the RA you can also use the Yellow Identification service (provided by the Swiss post at a cost of 20 CHF). This allows you to send a validated copy of your identity document (see above) to the RA.
- You must sign the Certificate Application Form, which is provided to you by your RA. The Certificate Application Form is filled in by your RA, who will ask you for your e-mail address at your organization. Your RA will then ask you to sign the Certificate Application Form. If you used the Yellow Identification service the Form will be sent to you via normal post or as a scanned document in an e-mail: you must sign and send it back to your RA either via normal mail or as a scanned document in an e-mail.
Step 2: Invitation
You must now wait for the invitation e-mail (sent to the address specified in the Certificate Application Form) from QuoVadis (the SWITCHpki RA certificate provider) with subject "SWITCHpki user certificate request for YOUR_NAME:your confirmation required", where YOUR_NAME is replaced with your First and Second Names. The e-mail contains a link to the QuoVadis system which you must open using your browser: the supported browsers comprise Microsoft Internet Explorer on Windows, Safari on Mac, Mozilla Firefox on Windows/Linux/Mac.
You must now log in using your e-mail address (your e-mail address from your Organization) as username; as Shared Secret Answer (the password) you will be asked to enter a (case sensitive) one that only you can know based on your identity vetting records. Notice that the invitation is only valid for a week, and you should therefore make sure to complete the invitation's steps within seven days from the date you received the invitation itself. Should you have any problems with the invitation, please contact pki@switch.ch.
Step 3: Submission of your certificate request
You have received the invitation e-mail and logged in as described in Step 2. You must now select/fill in the following fields:
- Key Type/Size: select High Grade if it is not already set.
- Certificate password: choose a six character password as described in the web page. This password will be needed to download the certificate once it is issued.
Step 4: Download your certificate
Click on the link contained in the confirmation e-mail as described at the end of Step 3: you will be asked to enter your e-mail address (your e-mail address from your Organization) and your certificate password, which is the one that you specified in Step 3. Upon successful authentication you will be able to download your certificate (Install Your Certificate button). Should you have any problems in downloading your certificate, please contact the SWITCHpki RA at pki@switch.ch for further information.
Step 5: Backing up/converting your certificate
You have now successfully downloaded your certificate in your browser. It is strongly recommended to make a backup of your certificate! Most browsers allow you to export the certificate in PKCS #12 format (sometimes also referred to as "PFX"), so you should choose this format, if available. Protect the private key with a strong passphrase and store the backup at a safe location. Should you have any problems backing up your certificate, please contact the SWITCH grid team at grid@switch.ch .
Notice also that using grid user certificates for (e-mail) encryption is discouraged; if you lose/erase your certificate/private key pair and you do not have a backup of your certificate, you will not be able to read any document/e-mail that you encrypted with the (lost) key pair.
In order to use your credentials in a grid environment it is often necessary to convert your PKCS #12 certificate (which contains both your private key and your certificate) into two separate files, one containing the private key and the other the certificate (both in PEM format). To do so, use the following commands:

    openssl pkcs12 -in export.p12 -clcerts -nokeys -out "$HOME/.globus/usercert.pem"
    openssl pkcs12 -in export.p12 -nocerts -out "$HOME/.globus/userkey.pem"
    # The user certificate can safely be world readable, but userkey.pem
    # must only be readable by you!
    chmod 0400 "$HOME/.globus/userkey.pem"

Further information on openssl commands is available here.
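An added check, not part of the original SWITCH instructions: the functions below verify the result of the conversion above, namely that userkey.pem is readable only by its owner, that usercert.pem and userkey.pem belong to the same key pair, and that the certificate is not about to expire. The function names and the 30-day warning threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-conversion checks for the PEM files created in Step 5.
# Function names are made up for this example; only the standard openssl
# subcommands x509 and pkey are used.

# Succeeds only if the key file grants nothing to group or others.
key_is_private() {
    [ -f "$1" ] || return 2
    # Mode string looks like "-r--------": characters 5-10 are group/other.
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only if the certificate and the private key share a public key.
# For a passphrase-protected userkey.pem, openssl prompts for the passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Runs all three checks; defaults to the paths used on this page.
# The 30-day threshold is an assumption of this example.
check_grid_credentials() {
    cert=${1:-$HOME/.globus/usercert.pem}
    key=${2:-$HOME/.globus/userkey.pem}
    rc=0
    key_is_private "$key" ||
        { echo "FAIL: $key must be readable only by you (chmod 0400)"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert and $key do not belong together"; rc=1; }
    cert_valid_for_days "$cert" 30 ||
        { echo "WARN: $cert expires within 30 days"; rc=1; }
    return "$rc"
}
```

Source the file and call `check_grid_credentials` with no arguments to check the default `$HOME/.globus` files, or pass a certificate and key path explicitly.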
