How to get a Grid User Certificate

A Grid User Certificate is a personal certificate that can be used for e-Science authentication.

The Certificate Authority transitioned to HARICA in 2025.

Important Note:

  • HARICA-issued certificates are not compatible with Janus authentication.
  • The Distinguished Name (DN) of the certificate has changed. You must update your new certificate in all relevant applications (e.g., IAM, Helpdesk, GOGDB).

Another option is to use the CERN Certificate Authority (CA) if you have a CERN account: https://ca.cern.ch/ca/

NB: The user is responsible for ensuring the escrow and backup of the private keys of the certificates issued.

How to Request a Personal Certificate via HARICA

(For CNRS or Université Savoie Mont-Blanc users)

Access the HARICA Portal

Go to the HARICA portal: https://cm.harica.gr/

Log In

  • On the login page, click "Academic Login".
  • On the "Find Your Institution" page, type "CNRS" and select "CNRS - Units staff".

You will be redirected to the CNRS (Janus) login page for authentication.

Request a Certificate

  • In the left-side menu, click "IGTF Client Auth".
  • Select "GÉANT Personal Authentication" and click "Next".
  • Review your request and accept the terms and conditions.

Generate Your Certificate

  • On the dashboard, find your new certificate under "Ready Certificates".
  • Click "Enroll your certificate".
  • Click "Generate Certificate" and fill in the form:
      ◦ Algorithm: RSA (default)
      ◦ Key size: 4096
      ◦ Set and confirm a passphrase
  • Click "Enroll Certificate".

Download Your Certificate

Once ready, click "Download" to save your certificate file.

Analyse the content of a new certificate

This can be done with openssl. First, extract the certificate from the PKCS#12 file:

openssl pkcs12 -in <usercertkey.p12> -nokeys -out <usercert.pem>

You will need to provide the passphrase used to encrypt the PKCS#12 file. Then use the following command to display the content of the certificate:

openssl x509 -in usercert.pem -noout -text

Import your personal certificate in your browser

The downloaded certificate is in PKCS12 format. It can be loaded into the browser or transformed to x509 format for use with grid tools.

Detailed documentation (in French) is available at: https://services.renater.fr/tcs/faq/tcs_personnes/export_import#importer_une_sauvegarde_de_certificat_dans_mon_navigateur

In Firefox, click Options -> Advanced -> View Certificates:

  • In the Certificate Manager window, make sure that the "Your Certificates" tab is selected.
  • Click on the Import button.
  • Open the .p12 or .pfx file with your certificate.
  • Provide the private key password if needed. You should then see the imported certificate in the list of installed certificates.

Store the certificate on Linux servers

If you wish to run grid jobs, you need to import your certificate on lappui/lapthui/lappusmb (MUST), cca (CC-IN2P3) or lxplus (CERN) servers.

Export your certificate from your web browser settings and save it on your computer in PKCS12 format as a usercertkey.p12 file.

Copy the saved usercertkey.p12 file to the desired Linux server, into the .globus directory of your Linux account.

mkdir -p $HOME/.globus   # creates the directory if it does not already exist

In your $HOME/.globus directory, convert it to pem format and adjust permissions on the generated files:

chmod 600 usercertkey.p12
openssl pkcs12 -nocerts -legacy -in usercertkey.p12 -out userkey.pem
openssl pkcs12 -clcerts -nokeys -legacy -in usercertkey.p12 -out usercert.pem
chmod 400 userkey.pem #private key
chmod 444 usercert.pem #public cert

Display the Distinguished Name (DN) and the expiration date of a certificate

openssl x509 -in usercert.pem -noout -subject -enddate
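
The following script is an added example, not part of the original page or of any site tooling. It audits the .globus directory produced by the conversion steps above: file permissions, whether userkey.pem is passphrase-protected, and whether usercert.pem expires within a given number of days. It assumes GNU stat and openssl are available; the function names and the 30-day default are hypothetical choices.

```sh
#!/bin/sh
# Added example: audit a ~/.globus directory created with the steps above.
# Assumes GNU stat (Linux) and openssl on PATH; function names are hypothetical.

# mode_ok FILE MODE: succeed if FILE has exactly the octal permissions MODE.
mode_ok() { [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]; }

# key_encrypted FILE: succeed if the PEM private key is passphrase-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" header or the older "Proc-Type" header).
key_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null
}

# cert_valid_for CERT DAYS: succeed if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_globus DIR [DAYS]: print every problem found; return 1 if there is any.
check_globus() {
    dir=$1; days=${2:-30}; rc=0
    for pair in userkey.pem:400 usercert.pem:444; do
        f=$dir/${pair%%:*}; want=${pair##*:}
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1
        elif ! mode_ok "$f" "$want"; then
            echo "PERMS    $f is $(stat -c %a "$f"), expected $want"; rc=1
        fi
    done
    # The PKCS#12 bundle also contains the private key; it may have been removed.
    if [ -f "$dir/usercertkey.p12" ] && ! mode_ok "$dir/usercertkey.p12" 600; then
        echo "PERMS    $dir/usercertkey.p12 expected 600"; rc=1
    fi
    if [ -f "$dir/userkey.pem" ] && ! key_encrypted "$dir/userkey.pem"; then
        echo "PLAINKEY $dir/userkey.pem is not passphrase-protected"; rc=1
    fi
    if [ -f "$dir/usercert.pem" ]; then
        openssl x509 -in "$dir/usercert.pem" -noout -subject -enddate
        if ! cert_valid_for "$dir/usercert.pem" "$days"; then
            echo "EXPIRY   certificate unreadable or expiring within $days days"; rc=1
        fi
    fi
    return $rc
}

# Run against a directory when one is given, e.g.: sh check_globus.sh ~/.globus 30
if [ $# -gt 0 ]; then check_globus "$@"; fi
```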

Test your certificate

voms-proxy-init
voms-proxy-info