How to get a Grid User Certificate
A Grid User Certificate is a personal certificate that can be used for e-Science authentication. Since 2004, the GRID-FR Certification Authority (CA) has been replaced by a new CNRS Trusted Certificate Service (TCS) available from https://sesame.cnrs.fr/. From this new service, you will get a personal certificate that can be used to authenticate to certain CNRS services, including Janus, to access computing grid resources and clouds, and to use secure websites.
NB: The user is responsible for ensuring the escrow and backup of the private keys of the certificates issued.
Request a personal certificate
For CNRS agents
The following details the procedure for obtaining a TCS certificate for CNRS agents. To obtain a certificate, go to the SESAME portal: https://sesame.cnrs.fr/
- Authenticate with Janus.
- Select the "Gérer mes certificats" area.
- Reach the https://sesame.cnrs.fr/secure/MANAGE_CERTIFICATE page.
- Then request a new personal certificate.
- Choose a strong password to protect the certificate.
- Click on "Générer un certificat".
The generated certificate (.p12 format) is then automatically downloaded to your computer. In parallel, you will be notified by email.
Normally, the certificates are associated with your email address as entered in the RESEDA software, prenom.nom@cnrs.fr or @in2p3.fr.
For others
The following details the procedure for obtaining a TCS certificate for non-CNRS agents.
- Go to the home page of the Sectigo portal: https://cert-manager.com/customer/renater/idp/clientgeant
- Authenticate yourself with the Identity Provider (IdP) of your administrative establishment.
- Select the Certificate profile "GEANT Personal Authentication" and complete the following:
  - Enrollment Method: Key Generation
  - Key Type: RSA - 2048
  - Algorithm: AES256-SHA256
- Choose a strong password to protect the certificate.
- Submit to generate the certificate.
The generated certificate (.p12 format) is then automatically downloaded to your computer. In parallel, you will be notified by email.
Analyse the content of a new certificate
This can be done with openssl. First enter:
openssl pkcs12 -in <usercertkey.p12> -nokeys -out <usercert.pem>
You will need to provide the passphrase used to encrypt the PKCS#12 file. Then use the following command to display the content of the certificate:
openssl x509 -in usercert.pem -noout -text
Import your personal certificate in your browser
The downloaded certificate is in PKCS12 format. It can be loaded into the browser as is, or converted to PEM-encoded X.509 certificate and key files for use with grid tools.
A detailed documentation (in French) is available at: https://services.renater.fr/tcs/faq/tcs_personnes/export_import#importer_une_sauvegarde_de_certificat_dans_mon_navigateur
In Firefox, click Options -> Advanced -> View Certificates:
- In the Certificate Manager window, make sure that the "Your Certificates" tab is selected.
- Click on the Import button.
- Open the .p12 or .pfx file with your certificate.
- Provide the private key password if needed. You should then see the imported certificate in the list of installed certificates.
Import the certification chain in your browser
Trust the CNRS CA
You may need to import and activate the CNRS Certificate Authority (CA) chain into your browser.
All the needed information is here : https://wiki.geant.org/display/TCSNT/TCS+Trust+Anchors+and+Intermediates#TCSTrustAnchorsandIntermediates-PrivateResearchandEducationTrustRoots
The CA certs can be downloaded from:
- Private Research and Education Trust Roots : https://aide.core-cloud.net/certificats/SiteAssets/Pages/PersonnelDemanderCertificat/ResearchandEducationTrustRSARootCA.crt
- Private Authentication Intermediate (issuing) Authority certificates : https://wiki.geant.org/display/TCSNT/TCS+Trust+Anchors+and+Intermediates#TCSTrustAnchorsandIntermediates-PrivateResearchandEducationTrustRoots
Store the certificate on Linux servers
If you wish to run grid jobs, you need to import your certificate on the lappui/lapthui/lappusmb (MUST), cca (CC-IN2P3) or lxplus (CERN) servers.
Export your certificate from your web browser settings and save it on your computer in PKCS12 format as a usercertkey.p12 file.
Copy the saved usercertkey.p12 file to the .globus directory of your account on the desired Linux server, creating the directory first if it does not exist yet:
mkdir -p $HOME/.globus
In your $HOME/.globus directory, convert it to PEM format and adjust permissions on the generated files (the -legacy option is accepted by OpenSSL 3.x only, where it is needed when the PKCS12 file was encrypted with legacy algorithms; omit it with OpenSSL 1.1):
chmod 600 usercertkey.p12
openssl pkcs12 -nocerts -legacy -in usercertkey.p12 -out userkey.pem
openssl pkcs12 -clcerts -nokeys -legacy -in usercertkey.p12 -out usercert.pem
chmod 400 userkey.pem #private key
chmod 444 usercert.pem #public cert
See the Distinguished Name (DN) and the expiration date of a certificate
openssl x509 -in usercert.pem -noout -subject -enddate
Test your certificate
voms-proxy-init
voms-proxy-info
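Before running voms-proxy-init, it is worth checking that the files produced by the steps above are consistent: a private key that is readable by others, a key that does not belong to the certificate, a certificate about to expire, or a missing trust anchor each produce unhelpful errors later. The following shell script is an added example, not code from the original page or from the TCS/RENATER service. It assumes openssl (1.1 or 3.x) is on the PATH and uses the file names from this page (usercert.pem, userkey.pem); the function name check_grid_cert, the optional CA-bundle argument and the self-signed demo certificate are constructed for illustration. If userkey.pem is encrypted, as it normally is after the pkcs12 conversion, openssl prompts for its PEM passphrase during the key/certificate comparison.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight check of the
# converted certificate pair in $HOME/.globus before running voms-proxy-init.
# Assumes openssl (1.1 or 3.x) is on PATH and the file names used on this page:
# usercert.pem (public certificate) and userkey.pem (private key).

# check_grid_cert CERT KEY [DAYS] [CAFILE]
# Returns 0 when the key is owner-read-only, matches the certificate, the
# certificate is valid for at least DAYS more days (default 30) and, if CAFILE
# is given, chains to that trust anchor. Each failing check prints a reason.
check_grid_cert() {
    cert=$1; key=$2; days=${3:-30}; cafile=$4
    rc=0

    # 1. Permissions: grid tools refuse a group- or world-readable private key.
    #    GNU stat first, BSD/macOS stat as fallback.
    keymode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $keymode in
        400|600) ;;
        *) echo "FAIL: $key has mode $keymode, expected 400 (run: chmod 400 $key)"; rc=1 ;;
    esac

    # 2. Key/certificate match: the public key inside the certificate must equal
    #    the public key derived from the private key (works for RSA and EC keys).
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$certpub" ] || [ -z "$keypub" ] || [ "$certpub" != "$keypub" ]; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi

    # 3. Identity and validity: show the DN and end date (the same output as
    #    openssl x509 -subject -enddate above), then fail if the certificate
    #    expires within DAYS days (-checkend takes seconds).
    openssl x509 -in "$cert" -noout -subject -enddate
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $days days, request a new certificate"; rc=1
    fi

    # 4. Optional: verify the chain against a PEM bundle holding the root and
    #    issuing intermediate downloaded from the TCS trust anchors page.
    if [ -n "$cafile" ]; then
        if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
            echo "FAIL: $cert does not chain to the anchors in $cafile"; rc=1
        fi
    fi
    return $rc
}

# Stand-alone demo on a constructed, self-signed throwaway certificate. It is
# not a TCS certificate; being self-signed, it acts as its own anchor in step 4.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Constructed Example/CN=Grid User Demo" \
        -keyout "$dir/userkey.pem" -out "$dir/usercert.pem" 2>/dev/null
    chmod 400 "$dir/userkey.pem"
    chmod 444 "$dir/usercert.pem"
    check_grid_cert "$dir/usercert.pem" "$dir/userkey.pem" 30 "$dir/usercert.pem"
    echo "check_grid_cert exit status: $?"
    rm -rf "$dir"
}

demo
```

On a real account, run it from $HOME/.globus as `check_grid_cert usercert.pem userkey.pem 30 tcs-chain.pem`, where tcs-chain.pem is a file you assemble by concatenating the root and intermediate certificates linked in the "Import the certification chain" section; a non-zero exit status tells you which of the steps above to redo before trying voms-proxy-init.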