The UK GSC has a document showing the steps required. It isn't that
readable, being more of a QA procedure description, but it is there.
http://www.grid-support.ac.uk/downloads/pdf/7100_NS_application_for_certificate_02.pdf
Section 7160+ explains the export process.
Section 7330+ explains the Globus-specific commands.
I'll get it put in a more user-friendly place and form.
John
> -----Original Message-----
> From: LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Burke, S (Stephen)
> Sent: 14 October 2004 14:34
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] LCG Registration procedure and CA
> Certificate
>
>
> LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of David Groep said:
> > Was this of any help, or just more confusing??
>
> I think the test of whether something is confusing is to try
> it with a professor and see if they're confused :)
>
> While we're sort of on the subject, my certificates are
> expiring, and having just renewed them in my browser I was
> looking for instructions on how to convert them to .pem.
> However, on both the LCG and gridpp web pages about getting
> certificates the instructions only cover *importing* to
> browsers. I then hunted around for a while and found this in
> the LCG user guide (not hugely easy to find itself, the web
> site is still a maze of twisty little passages):
>
> "To be used in the LCG-2 Grid, the certificate must be in PEM
> format. If the certificate is in PKCS12 format (extension
> .p12), then on a machine with the openssl package installed
> it can be converted to PEM (extension .pem) using the pkcs12
> command, in this way:
>
> $ openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem
> $ openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem"
>
> This turns out to be the right answer, but has the small
> problem that my IE at least (6.0) will only export a file
> with a .pfx extension, not .p12. The commands above seem to
> be quite happy with that, but that wasn't obvious even to me
> until I tried it and I've been through this process several
> times before. There is no explanation of how to export the
> cert from the browser for those who don't know.
>
> A couple of other points: those commands create the private
> key world-readable, and the instructions don't explicitly
> tell you to change it (although it is mentioned earlier).
>
> Secondly, the registrar page says that I mustn't store the
> private key on an NFS-mounted disk, and I may be banned if I
> do. Well, I don't have much choice, the RAL UI has its home
> directories on NFS as I guess do most other sites!
>
> Stephen
>
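
Added example, not part of the messages above or of the LCG user guide: the two quoted pkcs12 commands wrapped so that userkey.pem is created owner-only instead of world-readable, with a check for group/other permission bits on an existing key. The function names and the output-directory argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: PKCS#12 (.p12 or .pfx) -> PEM with an owner-only private key.
# Function names and the OUTDIR argument are illustrative, not from the guide.

# p12_to_pem BUNDLE OUTDIR [extra "openssl pkcs12" options, e.g. -passin ...]
# openssl reads the bundle's content, so a .pfx name works like .p12.
p12_to_pem() {
    bundle=$1; outdir=$2; shift 2
    key=$outdir/userkey.pem; cert=$outdir/usercert.pem
    # A file that already exists keeps its old mode when rewritten, so refuse.
    if [ -e "$key" ] || [ -e "$cert" ]; then
        echo "refusing to overwrite $key or $cert" >&2
        return 1
    fi
    # umask 077 in a subshell: the key is born 0600, never world-readable.
    (
        umask 077
        openssl pkcs12 -nocerts -in "$bundle" -out "$key" "$@" &&
        openssl pkcs12 -clcerts -nokeys -in "$bundle" -out "$cert" "$@"
    ) || { rm -f "$key" "$cert"; return 1; }
    chmod 400 "$key"     # private key: owner read-only
    chmod 644 "$cert"    # certificate is public information
}

# key_mode_ok FILE: succeeds only if FILE has no group/other permission bits.
key_mode_ok() {
    [ -f "$1" ] || return 2
    bits=$(ls -ld "$1" | cut -c5-10)   # group+other part of e.g. -r--------
    [ "$bits" = "------" ]
}
```

Run as `p12_to_pem my_cert.pfx "$HOME/.globus"`; openssl prompts for the import password and the PEM pass phrase as it does with the original commands.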