As an employee of the Lund University, you are entitled to receive personal Grid
certificate from the Lund University authority via the TERENA Certificate Service portal,
see detailed instructions below. Same applies to all Swedish and Danish universities
and research organisations.
Some of us are more accustomed to NorduGrid or CERN certificates, which are still acceptable,
but it is strongly recommended to switch to the ones issued by TERENA, as both NorduGrid and
CERN may eventually discontinue issuing certificates to Lund University employees.
How to obtain a Grid certificate from TERENA
- Make sure you have a valid Lund University NetID (as used with e.g. LUCAT) and password
- Go to TERENA Certificate Service (TCS) Portal and
follow the instructions:
- type Lund University as Indentity Provider
- enter your LU login
- select Grid Premium option
- leave the CSR field blank (other options are for special cases)
- click "Request Certificate"
- The certificate will be generated in your browser; see further instructions on how to extract it as files needed to create Grid proxy certificates.
How to obtain a Grid certificate from CERN
CERN issues certificates to all registered users; this may change in future.
- Make sure you are registered as CERN user and have access to e.g. lxplus or other CERN IT services
- Go to the CERN Certification Authority site and
follow the instructions (e.g. select "New user certificate")
- Chose "High Grade" encryption option, and click "Download certificate" to install it in your browser.
How to use the certificate
When you follow procedures above (either TERENA or CERN),
the certificate will be installed in your browser. It can already be used with some Web-based tools,
like e.g. the VO registration form. However, to submit jobs or move files using command line tools,
you'll need to extract it from the browser, and convert to two certificates: public and private.
- Go to your VO (typically, ATLAS VO or ALICE VO) and follow the instructions to request membership. If you are already a member, you can always add your new
certificate as a secondary using "Request new certificate" button in the "Certificates" pannel of you personal info page.
- To convert the browser certificate to a public/private pair for command-line tools:
- Create a directory ~/.globus in your home folder:
- Save a copy of (export) the certificate using your browser tools, in
a .p12-file, for example, terena-15.p12 (exact procedure depends on your
browser), in your ~/.globus directory
- Convert the .p12 certificate to the public/private key pair:
openssl pkcs12 -nocerts -in terena-15.p12 -out userkey-terena13.pem
Be prepared to type many passwords: some for your browser, some for
the certificate itself. They are all different, and not the same as your
openssl pkcs12 -clcerts -nokeys -in terena-15.p12 -out usercert-terena13.pem
chmod 600 userkey-terena13.pem
- For advanced users: you may need to install TERENA's authority public certificates.
If you have already Grid tools installed, most probably you have
it already. If arcproxy or voms-proxy-init commands with
the new TERENA certificate say "can not validate", then you need to do the following:
These files must be unpacked into folder /etc/grid-security/certificates/, which requires system
privileges. If you have no system privileges, unpack the files into any other place (e.g. ~/grid-security/certificates),
and point environment variable X509_CERT_DIR.
If you have system privileges, simply install package
ca-terenaesciencepersonalca (Ubuntu) or ca_TERENAeSciencePersonalCA (Scientific Linux), available from the
NOTE: when creating an own X509_CERT_DIR, make sure it is not empty, and contains all the relevant CA
certificates (TERENA, CERN etc). See e.g. NorduGrid's CA repository
for the latest versions. Normally, all these certificates need to be installed.
When things don't work, contact: