Fermilab Computing Division

How to get a Kerberos Personal Certificate

...and on Linux, a certificate proxy for use with Globus

Before you get your Kerberos certificate

For Windows users in the FERMI domain who use Microsoft tools (Internet Explorer, Outlook, Outlook Express), you don't have to do anything. The collective domain updates take care of installing and updating the Kerberos CA certificate in these applications for you.

For other users, install the Kerberos CA certificate (read "Kerberos Certificate Authority certificate") in your browser (optional but recommended). See the instructions below for installing the Kerberos CA certificate for Mozilla, Firefox and non-FERMI-domain Windows IE users.

Get your Personal Kerberos Certificate (Windows)

Windows users should use the NetID Manager with the KCA plugin to obtain a KCA certificate. See http://computing.fnal.gov/software/netidmgr/netidmgr-faq.html for more information.

Get your Personal KCA Certificate and Proxy (Linux)

There are two methods to get KCA certificates and proxies in Linux; the first is just a packaging of the second.

Use get-cert

You can use the get-cert Linux utility located in the FNAL Computer Security Tools section.

  1. Download the gzipped tarball and unpack it

    [user@localhost ~]$ tar zxvf get-cert.tar.gz

  2. Change to the kca directory that is created
  3. Make sure you have a valid Kerberos ticket

    [user@localhost ~]$ kinit (type your password)

  4. Execute the get-cert.sh script to get a KCA certificate.

    [user@localhost ~]$ ./get-cert -i

Notes
  • Your certificate is stored in the /tmp area in the x509 and PKCS12 formats
  • The -i argument tries to automatically import your certificate into Mozilla/Firefox. If you run get-cert.sh without the -i option, you will need to convert your certificate and import it manually into your browser afterwards.
  • You will have to close and restart any open browsers after importing a cert for the browser to be able to use the certificate.
  • If get-cert finds a .globus directory, it will extract information out of the certificate to create a proxy file /tmp/x509up_u<uid>, where <uid> is the UNIX user id number of the logged-in user account (this file location can be changed by defining and exporting the X509_USER_PROXY environment variable beforehand). This proxy file can then be read by the Globus grid utilities (e.g., globus-url-copy).

    On the receiving end, the grid resources must be configured to trust the KCA and your DN. Both ends need to have the CA public keys and signing policies installed in /etc/grid-security/certificates.

Run commands manually

The required utilities are part of the Fermilab Kerberos packages installed with Fermilab's Scientific Linux. The sequence of steps is: first, get a Kerberos ticket (using kinit locally or over a secure connection); second, get a KCA certificate, convert it to PEM format, and put it into the Kerberos ticket cache (using kx509); third, extract this into a proxy certificate (using kxlist -p). To import your KCA certificate into your browser, you'll need to convert it back to PKCS#12 format afterwards and import it manually.

kinit -r7d -l26h   [username]
kx509
kxlist -p

This sequence leaves the X.509 certificate proxy in the file /tmp/x509up_u<uid> as discussed above. The options shown for the kinit command maximize the ticket's active and renewable lifetimes such that the certificate requested by kx509 will be valid for the seven-day maximum ticket renewable life time. The username argument on the kinit is only needed if the Kerberos principal does not match the current account username.

Convert KCA certificate to PKCS#12 format

The certificate has to be in PKCS#12 format in order to be imported manually into the Mozilla or Firefox browser. Run the following OpenSSL command line, with the appropriate uid and username substitutions (and remove angle brackets), to make this conversion:

openssl pkcs12 -export -passout pass:"" -in /tmp/x509up_u<uid> -out /tmp/<username>.p12 -name "Fermilab"

Then import the file /tmp/<username>.p12 into the Certificate Manager of your browser.
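The manual kinit / kx509 / kxlist -p sequence and the PKCS#12 conversion above, wrapped in a small script as an added example (not Fermilab's get-cert tool). It assumes the Fermilab Kerberos utilities and openssl are on PATH; the check_proxy and proxy_path helpers run without them and verify that the proxy file is where Globus will look, is readable only by its owner, and holds both the certificate and the private key.

```shell
#!/bin/sh
# Added example, not part of the Fermilab page or get-cert package.
# Assumes kinit, klist, kx509, kxlist and openssl are installed.

# Location the Globus utilities read; honours X509_USER_PROXY the
# same way get-cert does.
proxy_path() {
    echo "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"
}

# Sanity-check a proxy file: it must exist, be mode -rw------- (the
# file carries a private key), and contain both the certificate and
# the key. Returns 0 when all checks pass, 1 with a reason on stderr.
check_proxy() {
    f=$1
    [ -f "$f" ] || { echo "no proxy file at $f" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] ||
        { echo "$f is $mode, expected -rw-------" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f" ||
        { echo "$f: no certificate found" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$f" ||
        { echo "$f: no private key found" >&2; return 1; }
    return 0
}

# Steps two and three of the page: put the KCA certificate in the
# ticket cache, extract it as a proxy, then validate the result.
# "klist -s" exits non-zero when there is no valid ticket.
get_kca_proxy() {
    klist -s ||
        { echo "no valid ticket; run: kinit -r7d -l26h [username]" >&2; return 1; }
    kx509 && kxlist -p && check_proxy "$(proxy_path)"
}

# Browser import step: the same openssl conversion as the page, but
# without -passout pass:"" so openssl prompts for an export password.
to_pkcs12() {
    openssl pkcs12 -export -in "$(proxy_path)" \
        -out "/tmp/$(id -un).p12" -name "Fermilab"
}

# Usage (script name assumed): ./kca-proxy.sh run
if [ "${1:-}" = "run" ]; then
    get_kca_proxy && to_pkcs12
fi
```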


Get your Personal KCA Certificate (Macintosh OSX)

To get a KCA certificate on Macintosh OSX:

  1. Download get-cert for Mac OSX from our tools page.
  2. Unzip the contents and put it somewhere that you can easily reach from the command line.
  3. Make sure you have a properly configured krb5.conf located in /etc.
  4. Run get-cert:
    • Open a terminal window.
    • Run kinit and make sure you get a ticket that's renewable for 7 days. If you don't have kinit, you can get it from MIT, or use the one packaged with get-cert in the mac_osx/ directory.
    • Run: get-cert.sh supplying it with various arguments (such as -ik). Read the supplied README file for more info on the accepted arguments.
    • Follow the onscreen instructions and restart any browsers once the tool has finished.


Installing the KCA CA certificate in a browser

This refers to the KCA's Certificate Authority service certificate, not your personal certificate. These instructions are for Mozilla, Firefox and non-FERMI-domain Windows Internet Explorer users.

The KCA has a self-signed CA certificate which can be installed in your browser by clicking the Fermilab KCA CA Certificate for browser importation link; this works for any browser and operating system combination. When you do this:

Mozilla (or Firefox)
will open a Downloading Certificate window. You should enable all the Trust check boxes and click the OK button. You can optionally examine the certificate with the View button. If you have set a Master Password on your Software Security Device (the password and certificate database), a dialog box requesting the Master Password may appear before you can download and import the certificate. If you are attempting to load a newer version of the CA certificate and there is already an existing KCA CA certificate loaded in your browser, then clicking the above link will not work. You have to delete the old certificate first: select the Preferences item under the Edit menu. In the Preferences dialog box open the Privacy & Security item (by clicking on the little plus sign box) and click on the Certificates item which appears. Click on Manage Certificates... to open the Certificate Manager dialog box, select the Authorities tab for Root CA Certificates and scroll down to the Fermilab entry. Select the Kerberized CA entry under Fermilab and click the Delete button to remove it, then click the Fermilab KCA CA Certificate link again.

Internet Explorer
will likely display a File Download - Security Warning dialog box; you should click the Open button in this dialog. This takes you to a Certificate window where you should click the Install Certificate button to enter the Certificate Import Wizard. Work through this wizard, making sure the Automatically select the certificate store radio button is enabled, until you reach and click the Finish button.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by the Computer Security Team; last modified by AH on 8 September 2006.
(Address comments about page to the Computer Security Team.)