How to obtain a new GRID certificate

Follow the procedure described in

How to renew your GRID certificate or manage your account

Use the menus at

Extracting usercert.pem and userkey.pem from a PKCS12 bundle file

  1. Save your latest valid GRID certificate from your web browser were it was installed to a PKCS12 file, e.g. to MyCertificate.p12
    The procedure to export the certificate varies from browser to browser.
    For Firefox, the steps to follow are:
    1. Edit → Preferences → Advanced → select Certificates tab → View Certificates → Your Certificates
    2. Select the latest valid certificate to be saved and click the "Backup..." button
    3. Save the file, e.g. as MyCertificate.p12 (You will be asked to provide a password, to be used later. Use a complex one!)
  2. Transfer the file MyCertificate.p12 to your home directory at
  3. Login to and use the following commands (use cut&paste)
    1. openssl pkcs12 -nocerts -in ~/MyCertificate.p12 -out ~/userkey.pem
      • you will be asked for the password used to create the PKCS12 file
      • you will then be asked to provide a PEM pass phrase for the key encryption. Use a complex one!
    2. openssl pkcs12 -clcerts -nokeys -in ~/MyCertificate.p12 -out ~/usercert.pem
      • you will be asked for the password used to create the PKCS12 file
    3. chmod 0400 ~/userkey.pem
    4. chmod 0644 ~/usercert.pem
    5. mkdir -p ~/.globus
    6. mv -f ~/MyCertificate.p12 ~/userkey.pem ~/usercert.pem ~/.globus
  4. You may now copy the directory ~/.globus from to any UNIX machine from where you need to access the GRID, e.g.
    scp -rp ~/.globus

Generate a PKCS12 bundle file from existing PEM files

To generate a PKCS12 bundle file from existing PEM files (e.g. ~/NewCertificate.p12 from ~/.globus/userkey.pem and ~/.globus/usercert.pem)
on, use the command:

  • openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -name "My New Certificate" -out ~/NewCertificate.p12
    • you will be asked for the PEM pass phrase used to encrypt the PEM key
    • you will be asked to provide an export password to be used later. Use a complex one!

-- IoannisPapadopoulos - 2009-10-27

Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r4 - 2016-03-20 - LouisCie
  • Edit
  • Attach
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback