[Go to /]

DCA Root Service
DCA Root CA G1

Trusted Certificate Service TCS
Request your instant cert now
Guide and help

Production CA (MS)
Overview
Manage Your Certificates
  (for non TCS users)

Find a local registrar

Classic interface
Help with your request
Host certificate requests
Submit your request
Download your certificate
Renew your certificate
Request revocation

Reliance information
Policy Statement
Reliance Information

NL e-Infra Zero
(training services)


Documentation
Certificate Request Guide
Change a passphrase
RA OpsGuide
OpenSSL for Windows
eToken Guide

Links
EUGridPMA
IGTF
TACAR


switch to print layout
Use the GEANT Trusted Certificate Service TCS

The legacy DutchGrid CA is a 'classic' CA which itself needs to verify your identity and make sure that you actually are who you say you are. This process is not instantaneous: it takes up to two days to complete, and requires you to visit one of our Registration Authorities in-person.
Fortunately, there is a far easier and quicker way to get a certificate suitable for use on the Grid: the GEANT Trusted Certificate Service TCS, provided to all Dutch research and academic institutions through SURFnet, the Dutch Research and Educational Network via the existing connection between your own institution and SURFconext.
The GEANT TCS is operated by DigiCert Inc., which offers a wider range of certificate types, including "Robot" machine-to-machine certificates. Everyone who previously had access only to regular personal certificates, can as of now also get Grid & Authentication certificates via the same portal.

Apply for your certificate now
No access to the TCS service?

  • Test first by going to www.digicert.com/sso and type (part of) the name of your institution
  • No luck finding your organsiation? Ask your institute help desk to request "that the AAI responsible person or SURFnet ICP requests a connection be made to DigiCert in the SURFcontext dashboard and to permit inclusion of the IdP in eduGAIN"
  • You find your institution but cannot log in (it complains about missing attributes) but you are an employee? Ask your institute helpdesk to request "that the eduPersonEntitlement to access the TCS, namely urn:mace:terena.org:tcs:personal-user, is set by default for all employees, since they are eligible anyway because the organization keeps a copy of a photo-ID to fulfil the requirements of the 'Wet op de Loonbelasting'"
  • Still getting stuck and does your institution need help? Tell them to contact the SURFnet product manager for TCS. You can contact your own organisation by mail at scs-ra@instelling.nl

Putting your browser-based eScience certificate into a file

By default, your certificate (and your private key) are located in your browser. You can use this instantly with all web-based services, such as administrative interfaces, VO registration, etc. For use with grid job submission, you should export these to local files on disk, names "usercert.pem" and "userkey.pem", in the following way:

  1. Open the certificate store of your browser or operating system. In Mozilla Firefox 3 (the example shown below), this is located under "Tools", then "Options", "Advanced", and click on "View certificates". In Internet Explorer, go to "Options", "Internte Settings", "Content", and there click "Certificates".



  2. Click "backup your certificate", and also selet "save private key" when asked for. Store the file (it will be called something.p12, since the file format is called PKCS#12), and remember where you wrote it!

  3. Start jGridstart and import your certificate from the PKCS#12 ".p12" file. It is now ready for grid use.
    Alternatively, convert the "p12" file to a user cert and user key file using the command-line tools:
    openssl pkcs12 -nocerts -in cert.p12 -out $HOME/.globus/userkey.pem
    openssl pkcs12 -clcerts -nokeys -in cert.p12 -out $HOME/.globus/usercert.pem 
    chmod 0600 $HOME/.globus/userkey.pem
    chmod 0644 $HOME/.globus/usercert.pem 
          
    and don't forget the last step (the permissions bit) or you will see strange errors.

  4. Go to the registration page of your user community and join a VO, a 'virtual organisation'. A list of frequently used VOs and how to join them is provided by BiG Grid.



Using CSR request files with the TERENA eScience CA

Many grid tools (job submission, file management) use a file-based certificate, typically called "usercert.pem" and "userkey.pem" in a ".globus" subdirectory of your home folder. You can use the TCS eScience CA easily with this kind of set-up, by submissing the corresponding "userrequest.pem" file as a "Certificate Signing Request" (CSR) into the TCS portal.

To generate the certificate request files on a Unix or Linux system (or on Windows with the Cygwin tools):

mkdir $HOME/.globus
openssl req -subj "/CN=Pietje Puk 42" -out $HOME/.globus/userrequest.pem -keyout $HOME/.globus/userkey.pem -new
and then go to the eScience portal, login and select "Upload CSR" instead of browser generation. Submit the "userrequest.pem" file and wait for your certificate to be issued.
In the list of Available Certificates (use the "My Certificates" link on the left-hand menu), click "Download certificate" and save the file as $HOME/.globus/usercert.pem. You're now done!

If you want to import a usercert and userkey file combination into your browser, you can use the jGridstart certificate management tool, or look at the documentation for installation by hand.