How to import the DOEGrids CA certificate chain into your Netscape or IE browser:
Importing the chain of certificate authorities into your browser, and setting appropriate trust policies for them, will make it easier for you to use the DOEGrids CA service and improve the security of SSL sessions with services using DOEGrids CA certificates.
- Go to: http://pki1.doegrids.org
- Select the "Retrieval" tab.
- Select "Import CA Certificate Chain" from the menu.
- Under "Users", select the radio button "Import CA Certificate Chain into your browser".
- Click the "Submit" button.
IE users - choose "open" from the "File Download" pop up window. This should cause a "Certificate" or "Certificate Information" pop up window to appear -- choose "Install Certificate..." The Certificate Wizard should then appear. You may be asked to approve various steps; examine the choices and answer
Netscape/Mozilla users - a series of pop up windows will appear. Examine the choices and answer carefully. We recommend you trust the ESnet CA and the DOEGrids CA for all uses, should the browser ask about this. Watch carefully for "orphan" windows or hidden popups expecting a mouse click or text input.
- Restart all instances of your browser.
We recommend that you verify the CA certificates before installing them. CA fingerprints can be found here: http://www.doegrids.org/pages/Fingerprints.htm
OpenSSL will produce an MD5 fingerprint:
    openssl x509 -noout -fingerprint -in <certificate file>
(Recent versions of OpenSSL allow selection of a different hash algorithm, like SHA1.) Check the downloaded CA certificates against those in the DOEGrids tar distribution, or against the ones in your local Grid installation, or those in a Grid installation that is trusted.
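An added example (not part of the original page or any DOEGrids tooling): `openssl x509` reads only the first certificate in a file, so this Python code fingerprints every certificate in a downloaded chain file and compares them with a published list, flagging both missing and unexpected certificates. The sample bytes, the names `example-root` and `example-issuing`, and the `PUBLISHED` values are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_bundle_to_der(bundle):
    """DER bytes of every certificate in a PEM chain file, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle)]

def fingerprint(der, algo="sha1"):
    """Hash the DER encoding; format like `openssl x509 -fingerprint`."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Drop any 'SHA1 Fingerprint=' prefix, colons, spaces and case."""
    return re.sub(r"[^0-9A-F]", "", fp.split("=")[-1].upper())

def check_bundle(bundle, published, algo="sha1"):
    """Return (missing, unexpected): published CA names with no matching
    certificate, and fingerprints of certificates that nobody published."""
    fps = [fingerprint(d, algo) for d in pem_bundle_to_der(bundle)]
    computed = {normalize(fp): fp for fp in fps}
    wanted = {normalize(fp): name for name, fp in published.items()}
    missing = sorted(name for key, name in wanted.items() if key not in computed)
    unexpected = sorted(fp for key, fp in computed.items() if key not in wanted)
    return missing, unexpected

def pem_wrap(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes stand in for real certificate DER,
# and PUBLISHED stands in for values copied from a fingerprints page.
ROOT_DER = b"constructed placeholder for a root CA certificate"
ISSUING_DER = b"constructed placeholder for an issuing CA certificate"
SAMPLE_BUNDLE = pem_wrap(ROOT_DER) + pem_wrap(ISSUING_DER)
PUBLISHED = {
    "example-root": hashlib.sha1(ROOT_DER).hexdigest(),  # lowercase, no colons
    "example-issuing": fingerprint(ISSUING_DER),          # openssl-style
}

if __name__ == "__main__":
    missing, unexpected = check_bundle(SAMPLE_BUNDLE, PUBLISHED)
    print("install" if not (missing or unexpected) else "do not install")
```

Install the chain only when both returned lists are empty; the published fingerprints and the `algo` argument must use the same hash algorithm.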