Fermilab Computing Division

How to get a Personal DOEGrids Certificate
for Fermilab Staff and Users


If you have a valid certificate already and you need to renew it before it expires, go to How to Renew a DOEGrids Personal Certificate.

Look for the reference book icons for links to supplementary information.

Basic Requirements

  • Netscape, Mozilla or Firefox: JavaScript must be enabled.
  • Internet Explorer: ActiveX must be allowed. At a minimum, set "Download signed ActiveX controls" to "Prompt" under the Security tab (Custom Level) of the Internet Options control panel.
  • Internet Explorer users at Fermilab should already have the Microsoft Hotfix Q323172 installed (if not, install it first). Consult your system administrator concerning hotfix installation.
  • Safari on Macintosh: The process does not work with Safari at this time. Use Firefox.

Before you get your DOEGrids Personal Certificate

Before starting, determine which affiliation and sponsor to choose. At Fermilab, the approval process depends on what your Fermilab affiliation is, and in some cases, for what purpose you plan to use the certificate. Once you get a certificate, you can of course use it for any purpose.

  • SAM users from CDF and DZero are asked to choose PPDG for their affiliation, and their PI as their sponsor.
  • USCMS users: Please see http://www.uscms.org/SoftwareComputing/Grid/GettingStarted/certificate_procedure.html for information.
  • Fermilab employees, visitors, and contractors are eligible to get DOEGrids certificates under the auspices of Fermilab as long as they have a valid Fermilab ID. Fermilab users (other than CDF, DZero and USCMS as discussed above) are asked to choose FNAL for their affiliation, and their supervisor as their sponsor.
  • Everyone needs to install the DOEGrids and ESnet CA (Certificate Authority) certificates into their browser before starting the request process, so that the browser trusts the enrollment site and the certificate it issues. Instructions are on Trusting Certificates and CA Certificate Downloads.

Note that a DOEGrids certificate is good for one year. You will receive notices from DOEGrids prior to certificate expiration so that you can renew it and avoid an interruption in service.


How to request a DOEGrids certificate

  • First print out these instructions, or copy them somewhere so that you can access them without use of a browser window.
  • Close all browser sessions. Then start a new browser session using the same user account, on the same machine, with the same browser (and browser version) into which you plan to initially import your certificate. This matters because the browser generates your private key locally when you submit the request, and the issued certificate can only be imported into the key store that holds that key.
  • Go to http://pki1.doegrids.org and select the "Enrollment" tab. (We are intentionally steering you away from the instructions on the DOEGrids site; many have found them confusing.)
  • Select "New user" on the left hand side. This takes you to the DOEGrids Subscriber Enrollment page. The request form is on this same enrollment page; instructions for filling out each field follow.


Subscriber's Identity
  • Enter your full name as you want it to appear in the certificate.
  • Enter your commonly used email address.

Contact Information
  • Enter your fnal.gov email address if you have one. (If you choose FNAL as your affiliation, the approval process requires that this be your fnal.gov address.)
  • Enter your office phone number, either at Fermilab or at your home institution.
  • Select your affiliation (also called "Registration Authority") from the pull-down menu.

Sponsor Information
  • Enter the name of your principal investigator or your supervisor as your sponsor. Your sponsor must be able to vouch for you; he or she is not responsible for approving or denying your request, which is handled by a separate process.
  • Enter the sponsor's email address (required to be an fnal.gov address if FNAL affiliation is chosen).
  • Enter the sponsor's telephone number.

Additional Comments
  • Enter as needed.
  • If you had a certificate that expired and you are a grid user, it is desirable to keep the same DN so that you don't need to reregister with your VO, wait for the new DN to be propagated to the authorization lists, and potentially involve VO or site admins. In this comments field, enter your previous CN (e.g., Jane Smith 876543), state that it is your previous CN, and ask to reuse it.

Challenge Phrase Password (Optional)
  • This password is used only if you ever need to revoke your own certificate through this website. Enter a password and confirm it. Keep it somewhere safe: anyone who knows it can revoke your certificate.

Public/Private key information
  • No information to enter.

Microsoft Hotfix May be Required
  • No information to enter.

Cryptographic Provider
  • Linux or other UNIX Mozilla/Firefox/Netscape users: select "2048 (High Grade)".
  • Windows Mozilla/Firefox/Netscape users: select "Strong Cryptographic Provider".
  • Windows IE users: select "Microsoft Enhanced Cryptographic Provider".

Click "Submit".

Click "Yes" on the dialog box that tells you to allow only trusted sites to request a certificate for you and asks whether you want to proceed (this is the point at which your browser generates your key pair and sends the public half to the CA). Your browser should then show a page that says "Request successfully submitted." and displays a request number. Make a note of the request number; you will need it if you have to follow up with the helpdesk.


Get your certificate, and import it into your browser

You will receive email notification from DOEGrids stating whether your request was approved or denied. If you don't get email within 24 hours, call the helpdesk at 840-2345; they will need the request number in order to follow up. The email text for an approved request will look similar to the sample below. Read it carefully and follow the instructions.

Your Personal certificate request has been processed successfully.
SubjectDN= CN=Your Name xxxxxx,OU=People,DC=doegrids,DC=org
IssuerDN= CN=DOEGrids CA 1,OU=Certificate Authorities,DC=DOEGrids,DC=org
notAfter= Sep 30, 2006 11:45:39 AM
notBefore= Sep 30, 2005 11:45:39 AM
Serial Number= xxxxxx

To get your certificate, please follow this URL:
https://pki1.doegrids.org:443/displayBySerial?op=displayBySerial&serialNumber=xxxx
And then click the 'Import your certificate' button at the bottom of this page.
[Note: Some browsers import successfully without indicating this to you.]

Attention:
You need to be running the same browser, on the same machine, logged in as the same user, as you were when you made the certificate request.

After importing your certificate, export your certificate and the private key for Grid use. Kindly follow the instructions on http://www.doegrids.org/pages/cert-request.html#Globus

Please contact your RA if there is any problem.

Notes:

Using Globus tools for submitting grid jobs from Linux/UNIX

If you will be using Globus tools to run grid jobs from a Linux or other UNIX machine, you need to be able to get a proxy certificate. To do so, your certificate and private key must be in PEM format in $HOME/.globus (create that directory first if it does not exist). Browsers export the two together in PKCS#12 format (a .p12 file); to convert them to PEM:

  • Export your certificate and private key from your browser, as described in the approval email.
  • Extract the certificate with the openssl command shown (substitute your actual .p12 filename for <YourCert>.p12, without the angle brackets; use the output name usercert.pem exactly as shown):
    openssl pkcs12 -in <YourCert>.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
  • Extract the private key. It stays encrypted; openssl will ask you for the .p12 export password and then for a new PEM passphrase, which grid-proxy-init will prompt for later (again substitute your actual .p12 filename; use the output name userkey.pem as shown):
    openssl pkcs12 -in <YourCert>.p12 -nocerts -out $HOME/.globus/userkey.pem
  • The private key file must be readable and writable by you alone, with no group or world bits set at all; grid-proxy-init expects mode 0600 or 0400 and will refuse to use the key otherwise. Set the mode with
    chmod 600 $HOME/.globus/userkey.pem
    (chmod go-rw is not quite enough, because it leaves any execute bit for group or others in place).
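The following script is an added example and is not code from the Fermilab page or the DOEGrids site. It performs the conversion above in one step and then checks what the page only warns about: that the key has no group/world bits, that usercert.pem and userkey.pem actually belong together, and that the certificate has not expired or is about to. It assumes openssl is on PATH and, as a convention of this script only, takes the .p12 export password and the passphrase for the new PEM key from the environment variables P12_PASS and KEY_PASS (openssl reads them with env:, so no secret appears on the command line or in ps output).

```shell
# Added example, not from the Fermilab page or the DOEGrids site.
# Assumptions: openssl on PATH; P12_PASS holds the .p12 export password and
# KEY_PASS the passphrase for the new PEM key (this script's own convention).

# p12_to_globus <file.p12> [dest dir]
# Writes usercert.pem and userkey.pem into dest (default $HOME/.globus).
# The body runs in a subshell so the umask change does not leak out.
p12_to_globus() (
    p12=$1
    dest=${2:-$HOME/.globus}
    umask 077                                   # private from the moment of creation
    mkdir -p "$dest" && chmod 700 "$dest" || exit 1
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
        -out "$dest/usercert.pem" || exit 1
    openssl pkcs12 -in "$p12" -nocerts -passin env:P12_PASS \
        -passout env:KEY_PASS -out "$dest/userkey.pem" || exit 1  # key stays encrypted
    chmod 644 "$dest/usercert.pem"              # the certificate is public anyway
    chmod 600 "$dest/userkey.pem"               # the mode grid-proxy-init insists on
)

# check_globus_pair [dest dir]
# Returns 0 when userkey.pem is 0600/0400, its public key matches
# usercert.pem, and the certificate is still valid; otherwise prints the
# reason and returns 1.
check_globus_pair() {
    dest=${1:-$HOME/.globus}
    cert=$dest/usercert.pem
    key=$dest/userkey.pem
    # columns 5-10 of `ls -l` are the group and other permission bits
    case $(ls -l "$key" 2>/dev/null | cut -c5-10) in
        ------) ;;
        *) echo "$key is group/world accessible; run: chmod 600 $key"; return 1 ;;
    esac
    certpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout) || return 1
    if [ "$certpub" != "$keypub" ]; then
        echo "usercert.pem and userkey.pem do not belong together"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"
        return 1
    fi
    # DOEGrids certificates are good for one year; flag the last 30 days
    if ! openssl x509 -in "$cert" -noout -checkend $((30*86400)) >/dev/null; then
        echo "warning: certificate expires within 30 days; renew it now"
    fi
    openssl x509 -in "$cert" -noout -subject -enddate
}
```

Typical use is `P12_PASS=... KEY_PASS=... sh -c '. ./globus-cert.sh; p12_to_globus ~/Downloads/cert.p12 && check_globus_pair'`, with the two passwords read from a prompt or a mode-0600 file rather than typed into a shared shell history. If an OpenSSL 3 build reports the .p12 as unsupported, the browser used the legacy RC2/3DES PKCS#12 encryption; add `-legacy` to both `openssl pkcs12` commands.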

Adapted from: How to request certificates from the DOEGrids CA, Exporting your key pair for use by Globus grid-proxy-init (scroll down the page about half-way).


For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by FJN on July 14, 2008.
(Address comments about page to the Computer Security Team.)