Getting a certificate


Request a certificate

To get a certificate from the Austrian Grid, follow these steps.

  1. Open the webpage of the AustrianGrid Certification Authority (CA): https://ca.austriangridca.at/

    Don't use Microsoft Internet Explorer.

  2. Select Universität Innsbruck in the drop-down menu of Your organisation.

  3. The drop-down menu of Unit in the organisation has some entries:
    zert_eingaben_02
    Select your working group.
    Select Zentraler Informatikdienst Innsbruck if you do not belong to one of the listed working groups.

    You can also ask to have your institution or working group added to this list. In this case, please fill out this form and send it to:

    GRID Registrierungsstelle (RA)
    Distributed and Parallel Systems group
    Institut für Informatik
    Technikerstr. 21a
    6020 Innsbruck

  4. If you belong to the unit Institut für Astro- und Teilchenphysik, you are asked to select a subunit.

    zert_eingaben_03
  5. As the next step, you have to click on Continue with personal data and enter the data:

    zert_eingaben_04
  6. After entering the personal data, click the Enter personal data button. You will see a page repeating all the inputs you have entered and showing your Distinguished Name (DN).

    zert_eingaben_06
  7. After clicking on CN agreed, you get a page where you have to select the key size in bits. We recommend 1024 as the value.

    zert_eingaben_07
  8. Submit your certificate request. You get the following page:

    zert_eingaben_03

    Read the terms and conditions and follow the steps indicated on the page:

    1. Download the script and call it makerequest.sh.

    2. Run the script on a Linux/Unix machine. The following files will be created: userkey.pem, userrequest.pem, certreqxxxx.txt, certreqxxxx.cnf. The default directory is .globus. If you specify another directory when running the script, e.g. sh makerequest.sh . (current directory), the files will be stored there.
      xxxx stands for a number.

      When you run the script, you will first get some information and eventually the line
      Enter PEM pass phrase:

      Enter a good, long password (alphanumeric) and remember it.
      If you forget it, you have to ask for another certificate.

      The last lines of the script's output tell you the next step, i.e. to mail the certreqxxxx.txt to your Registration Authority (RA).

    3. Then you have to get in contact with your RA. Send your certreqxxxx.txt file inline in an email to the address indicated, with the subject: certificate request.

  9. The RA will contact you for a face-to-face meeting. Bring your passport with you. You will get some instructions and your passport will be scanned. After that the RA will send your request to the Certification Authority Administrator of the Austrian Grid. Ask the RA for an account on a grid computer.



Install the Austrian Grid Root certificate in your web browser and email client.

You have to install the Austrian Grid Root certificate in your web browser in order to apply for membership in a Virtual Organisation (VO) of the Austrian Grid. You should also install this certificate in your email client in order to send and receive digitally signed emails and to send encrypted emails.
Follow these steps:

  1. Go to http://ca.austriangridca.at/root.php and either download the root certificate in PEM format or choose Download into browser (= the browser you are using, not all browsers installed on your computer).


    ag_ca_install
  2. To install the certificate in your email client, download the certificate 6e3b436b.0. Change the file ending to .pem and import it into your email client.
    Email client - Thunderbird (German): Extras -> Einstellungen

    zert_install_thund_01

    Zertifikate -> Zertifizierungsstellen -> Importieren.
    Edit the CA-Zertifikat-Vertrauenseinstellungen. Check them as indicated in the screen shot:


    ca_einstellungen
  3. To install the certificate in your web browser, choose the option Download into browser. You will get a pop-up window like this:


    unbek_zertifikat_ca

    Choose the option to accept the certificate always and edit the CA-Zertifikat-Vertrauenseinstellungen.
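
Because step 1 fetches the root certificate over plain http, its fingerprint should be compared with one obtained through a separate trusted channel before it is marked as trusted. The following check is an added example, not part of the original instructions: verify_root_cert and normalize_fp are hypothetical names, and the expected fingerprint has to come from the CA or RA, since this page does not list one.

```shell
#!/bin/sh
# Added example: check a downloaded root certificate against a fingerprint
# obtained through a separate, trusted channel (assumption: the CA or RA
# gives you one; this page does not publish it).
# Return codes (this example's convention):
#   0 match, 1 not a certificate, 2 not self-issued, 3 fingerprint differs

# Strip colons and whitespace, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

verify_root_cert() {
    file=$1        # the downloaded file, e.g. 6e3b436b.0
    expected=$2    # trusted SHA-256 fingerprint; colons and case are ignored

    # Fails if the file does not parse as an X.509 certificate.
    actual=$(openssl x509 -in "$file" -noout -fingerprint -sha256 2>/dev/null) || return 1
    actual=${actual#*=}

    # A root certificate is self-issued: subject and issuer are identical.
    subject=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$file" -noout -issuer -nameopt RFC2253)
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "not a self-issued certificate: $file" >&2; return 2
    fi

    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch, do not import: got $actual" >&2; return 3
    fi
    echo "fingerprint matches: $actual"
}
```

Call it as verify_root_cert 6e3b436b.0 "<fingerprint from the CA or RA>" and import the file only when it returns 0.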



Test your certificate and use it for the first time

Some days after the RA has sent your request to the CA, you will receive a digitally signed email from the CA with your certificate attached. Test your certificate and then use it for the first time to answer this email.



Download the certificate and install it


  1. Download your certificate and rename it to usercert.pem.

  2. Put it in the same directory where your userkey.pem is located.

  3. Make it read-only with the command chmod 444 usercert.pem.

  4. Create a pkcs12-file:
    openssl pkcs12 -export -out mygridcert.p12 -in usercert.pem -inkey userkey.pem -name "Austrian Grid, Vorname Nachname"

    You are asked for the passphrase of your private key (userkey.pem) and you have to choose a passphrase for the exported file. It is recommended to choose the same passphrase.

  5. Install your certificate in your browser and email client in the same way as above. For Thunderbird (German): Extras -> Einstellungen

    zert_install_thund_01

    Zertifikate -> Ihre Zertifikate -> Importieren. Choose the mygridcert.p12 file. You have to choose a master password. The same passphrase as above is recommended.
    For Firefox (German): Extras -> Einstellungen

    zert_install_fire_01

    Zertifikate anzeigen -> Ihre Zertifikate -> Importieren. Choose the mygridcert.p12 file. You have to choose a master password. The same passphrase as above is recommended.



Test your certificate

To be sure that your certificate is OK, do the following steps:

  1. The files usercert.pem and userkey.pem have to be stored in the .globus directory of your grid-machine.

  2. Type grid-proxy-init to create a proxy:

    create_proxy_01
  3. Enter the passphrase you chose when running makerequest.sh.

  4. If everything is OK, you will get an output like this:

    create_proxy_02

Your certificate is correct and you can now really use it. Now answer the email of the CA.
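
An offline check that complements grid-proxy-init, given here as an added example rather than part of the original instructions. It confirms that usercert.pem belongs to userkey.pem, that the key file is closed to other users, that the certificate has not expired, and it flags RSA keys shorter than 2048 bits. The function name, the return codes and the 2048-bit threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline sanity check of the credential directory.
# Return codes are this example's own convention:
#   0 ok, 1 file missing, 2 key open to group/others,
#   3 certificate/key mismatch, 4 certificate expired, 5 key under 2048 bits
check_grid_credentials() {
    dir=${1:-$HOME/.globus}
    cert=$dir/usercert.pem
    key=$dir/userkey.pem

    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "usercert.pem or userkey.pem missing in $dir" >&2; return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "userkey.pem is accessible to group/others: chmod 400 $key" >&2
        return 2
    fi

    # Both files must carry the same public key. openssl prompts for the
    # PEM pass phrase here when userkey.pem is encrypted.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "usercert.pem does not belong to userkey.pem" >&2; return 3
    fi

    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2; return 4
    fi

    # Threshold assumed by this example, not taken from the CA's policy.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "RSA key is only ${bits:-unknown} bits" >&2; return 5
    fi

    openssl x509 -in "$cert" -noout -subject -enddate
}
```

Run check_grid_credentials without arguments to check the default .globus directory, or pass the directory you gave to makerequest.sh.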



Send a digitally signed email

To send a digitally signed email, compose a new message. You will find an S/MIME button with an arrow on the right side. If you click on this arrow, you see the options you have:

zert_thund_01

You can choose whether your message should be encrypted, and then whether it should be sent signed. An encrypted message can only be sent if the certificate of the recipient is already stored in your email client.
Reply to the email of the CA, stating that everything is OK with your script (if it passed the tests in the last section), and sign this email digitally.