Grid certificates information

As an employee of Lund University, you are entitled to receive a personal Grid certificate from the Lund University authority via the TERENA Certificate Service portal; see the detailed instructions below. The same applies to all Swedish and Danish universities and research organisations.

Some of us are more accustomed to NorduGrid or CERN certificates, which are still acceptable, but it is strongly recommended to switch to the ones issued by TERENA, as both NorduGrid and CERN may eventually discontinue issuing certificates to Lund University employees.

How to obtain a Grid certificate from TERENA

  1. Make sure you have a valid Lund University NetID (as used with e.g. LUCAT) and password
  2. Go to TERENA Certificate Service (TCS) Portal and follow the instructions:
    • type Lund University as Identity Provider
    • enter your LU login
    • select Grid Premium option
    • leave the CSR field blank (other options are for special cases)
    • click "Request Certificate"
  3. The certificate will be generated in your browser; see further instructions on how to extract it as files needed to create Grid proxy certificates.

How to obtain a Grid certificate from CERN

CERN issues certificates to all registered users; this may change in the future.

  1. Make sure you are registered as a CERN user and have access to e.g. lxplus or other CERN IT services
  2. Go to the CERN Certification Authority site and follow the instructions (e.g. select "New user certificate")
  3. Choose the "High Grade" encryption option, and click "Download certificate" to install it in your browser.

How to use the certificate

When you follow the procedures above (either TERENA or CERN), the certificate will be installed in your browser. It can already be used with some Web-based tools, e.g. the VO registration form. However, to submit jobs or move files using command-line tools, you'll need to extract it from the browser and convert it to two files: the public certificate and the private key.

  1. Go to your VO (typically, ATLAS VO or ALICE VO) and follow the instructions to request membership. If you are already a member, you can always add your new certificate as a secondary one using the "Request new certificate" button in the "Certificates" panel of your personal info page.
  2. To convert the browser certificate to a public/private pair for command-line tools:
    • Create a directory ~/.globus in your home folder:
      mkdir ~/.globus
    • Save a copy of (export) the certificate using your browser tools, in a .p12-file, for example, terena-15.p12 (exact procedure depends on your browser), in your ~/.globus directory
    • Convert the .p12 certificate to the public/private key pair:
      openssl pkcs12 -nocerts -in terena-15.p12 -out userkey-terena13.pem
      openssl pkcs12 -clcerts -nokeys -in terena-15.p12 -out usercert-terena13.pem
      chmod 600 userkey-terena13.pem
      Be prepared to type many passwords: some for your browser, some for the certificate itself. They are all different, and not the same as your LU password.
    • For advanced users: you may need to install TERENA's authority public certificates. If you already have Grid tools installed, you most probably have them already. If the arcproxy or voms-proxy-init commands with the new TERENA certificate say "can not validate", then you need to do the following:
      These files must be unpacked into the folder /etc/grid-security/certificates/, which requires system privileges. If you have no system privileges, unpack the files into any other place (e.g. ~/grid-security/certificates), and point the environment variable X509_CERT_DIR to it.
      If you have system privileges, simply install the package ca-terenaesciencepersonalca (Ubuntu) or ca_TERENAeSciencePersonalCA (Scientific Linux), available from the NorduGrid repository.
      NOTE: when creating your own X509_CERT_DIR, make sure it is not empty and contains all the relevant CA certificates (TERENA, CERN etc). See e.g. NorduGrid's CA repository for the latest versions. Normally, all these certificates need to be installed.
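
The checks below are an added example, not part of the original instructions: after the two openssl pkcs12 commands they confirm that the extracted key and certificate belong together, that the key file is closed to group and others, and that a custom X509_CERT_DIR is not empty. The function names are hypothetical, and the demo runs on a constructed self-signed certificate with a made-up passphrase.

```sh
#!/bin/sh
# Added example: checks to run after the pkcs12 extraction step.
# Function names and the demo passphrase are hypothetical.

# Succeeds if the private key and the certificate carry the same public key.
# $3 is an optional openssl -passin source; without it openssl prompts.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" ${3:+-passin "$3"} -pubout) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Succeeds if the file grants nothing to group or others (e.g. mode 600).
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the CA directory exists and is not empty.
ca_dir_populated() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Runs the page's two extraction commands on a constructed, self-signed
# throwaway identity (not a real Grid certificate), then applies the checks.
demo() {
    d=$(mktemp -d) || return 1
    pw=pass:constructed-demo
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo" \
        -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
        -out "$d/demo.p12" -passout "$pw" &&
    openssl pkcs12 -nocerts -in "$d/demo.p12" -out "$d/userkey.pem" \
        -passin "$pw" -passout "$pw" 2>/dev/null &&
    openssl pkcs12 -clcerts -nokeys -in "$d/demo.p12" -out "$d/usercert.pem" \
        -passin "$pw" 2>/dev/null &&
    chmod 600 "$d/userkey.pem" &&
    key_matches_cert "$d/userkey.pem" "$d/usercert.pem" "$pw" &&
    key_is_private "$d/userkey.pem"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then demo && echo "key/cert pair OK"; fi
```

On real files, call key_matches_cert with the two .pem files produced above and enter the key passphrase when openssl asks for it.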

Useful links

When things don't work, contact:
Oxana Smirnova
Florido Paganelli
Balazs Konya

