Getting A User Cert

Summary

A public key certificate is used to uniquely and securely identify a user. Your certificate is used to identify you to the resources that you will be utilizing on the grid. Since this certificate represents the identity of an individual on the grid it is important that steps are taken to ensure that requests are valid and that the person requesting the certificate is verified. Please be patient when initially requesting your certificate.

For more information on how certificates work, please see http://en.wikipedia.org/wiki/Public_key_certificate

Important Notes

1. You must use the same browser to retrieve your certificate that you used to request it. Once you have retrieved your certificate, it can be exported to other browsers, mail clients, and your Globus submit host.

2. Problems have been reported with IE7. Both IE6 and Firefox are known to work correctly, we recommend using one of these browsers.

3. You will need to identify a sponsor who can vouch for your identity. This sponsor should already have a DoE certificate or be known to the Registration Authority. For more information see https://twiki.grid.iu.edu/twiki/bin/view/Security/OsgRaOperations#Instructions_for_Sponsors

Apply for a Certificate

To apply for a DoE Grid certificate, please follow these steps.

1. Import the DOEGrids Certificate Chain. Importing the Chain of certificate authorities into your browser, and setting appropriate trust policies for them, will make it easier for you to use the DOEGrids CA service and improve the security of SSL sessions with services using DOEGrids CA certificates. See http://www.doegrids.org/pages/How-To-Import.html for instructions.

2. Request a personal certificate. When requesting your certificate you will be asked to enter the information below. As part of the approval process, your identity must be verified. In order to process your request a sponsor must be identified who can verify your identity. The sponsor will be contacted by the Registration Authority (RA) to verify the authenticity of both the request and the requester. The RA can accept confirmation by telephone directly, if using previously validated telephone number for the sponsor, or by email if it is digitally signed with the sponsor's DoE certificate to verify their identity. You do not need the optional password. You can request a certificate by selecting "New User" at http://pki1.doegrids.org/ca/

• Full Name
• Email
• Phone
• Affiliation (select OSG)
• Virtual Organization (select NYSGrid)
• Name of Sponsor
• Sponsor’s Email
• Sponsor’s Phone Number
• Additional Comments

3. Export your certificate. Follow the instructions at http://www.doegrids.org/pages/cert-request.html for exporting your key pair. You can then import this key pair into another browser and into your email client in order to send digitally signed email. This page also provides instructions for generating the usercert.pem and userkey.pem files that you will need to generate a globus proxy. Signed email is important because it is OSG policy to conduct business using digitally signed email to ensure that the sender is who they claim to be.

4. Request NYSGrid VO Membership. The final step is to request membership in the NYSGrid Virtual Organization. Open the VOMS page at https://dylan.ccr.buffalo.edu:8443/voms/NYSGRID/ and select "New User Registration" on the left-hand menu. If you have properly imported your certificate into your browser you should see your certificate subject, name, and email address filled out for you on the membership form. If you do not see this information then your certificate has not been imported into your browser - you must do this before you proceed. Complete the rest of the information and click the "I have read and agree to the VO's usage rules" button. This will initiate the process of joining the NYSGrid VO and send mail to the VO administrators. When your request has been approved you will receive another email asking you to confirm your membership. Follow the instructions in this email to activate your VO membership.

5. Once your VO membership has been confirmed please allow 4 - 12 hours for your membership information to propagate to the various gatekeepers.