DOEGrids Certificate Service

How to Request Certificates
Policy Management Authority
Certificate Service
Certificate Lookup
Research and Development
CA Certificates
Certificate Request Workflow
EDG Testbed 1 requirements
Frequently Asked Questions
Send Info Request












































How to request certificates from the



last update: 04/06/2005

Personal certificate


         This is a web browser based enrollment and key generation service.

  • Close down all browser windows but one. Better yet, completely close your browser and restart it.
  • Netscape requires JavaScript, and Internet Explorer(IE) requires ActiveX( atleast, enable prompting for downloaded signed ActiveX controls). Check browser settings for scripting if you have problems with your request.
  • Import the CA certificate into your browser
    • Please follow the import instructions here.
    • MDF fingerprints of the DOEGrids CA certificates are here.
    • Restart your browser.
  • Request your certificate.
    Point your browser to
    • Select Enrollment tab.
    • Fill in the New User Form.
    • Items to enter in the certificate
      • Full name : Your full name. (First Name, Middle initial, Last Name.)
      • Email : Your valid Email address.
      • Information used while processing your request
        • Email : Fill in this field so that we can inform you when your certificate has been issued.
        • Phone : Please provide your correct phone number with area code if you wish to be notified by phone in case there is some problem with your certificate request.
        • Affiliation (Virtual Organization) This information is used to identify what virtual organization you belong to. This CA supports several SciDAC projects. You must select your virtual organization or registration authority. eg. NERSC, PPDG & Select 'Others' if your virtual organization is not on the list.
        • Sponsor Information This sponsor information will be used to direct this request to the RA for your project, who will contact your sponsor to authenticate your request. The list of sponsors is maintained by the VO or its RA.
        • Additional Comments : If you are member of PPDG, please indicate which experiment or CS group you are participating in. Also use this field to indicate your virtual organization name, if your virtual organization is not in the dropdown list.
        • For Netscape browsers:
          • Key Length : Choose 1024 (High Grade).
        • For IE:
          • Cryptographic provider: Choose Microsoft Enhanced
      • When you click 'submit' the key pair will be generated. Browsers vary in their behaviour, but it may ask you to assign a password to the protect the private key or the key database. Choose a quality password that you can remember; if you forget it you will lose access to this key pair and its certificate, and possibly to other certificates in your browser.
    • Retrieving your certificate.
      When your certificate has been successfully issued, you will receive an email that contains a link to a page containing all your certificate information. Open that page in your browser and click on Import Your Certificate button at the bottom of that page.

Exporting your key pair for use by Globus grid-proxy-init.

    • Export or 'backup' your certificate. The interface for this varies from browser to browser. Internet Explorer starts with "Tools -> Internet Options -> Content"; Netscape Communicator has a "Security" button on the top menu bar; Mozilla starts with "Edit -> Preferences -> Privacy and Security -> Certificates". The exported file will probably have the extension .p12 or .pfx.
    • Guard this file carefully. Store it off your computer, or remove it once you are finished with this process.
    • Copy the above PKCS#12 file to the computer where you will run grid-proxy-init.
    • Extract your certificate (which contains the public key) and the private key:
      • Certificate:
        openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
      • To get the encrypted private key :
        openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem
        You must set the mode on your userkey.pem file to read/write only by the owner, otherwise grid-proxy-init will not use it(chmod go-rw $HOME/.globus/userkey.pem).

Requesting a host or service certificate

See the Model Deployment for instructions on how to create a Certificate Signing Request (CSR) for a grid service.

This service only supports web-based submissions. DO NOT EMAIL CSR requests to the CA, they will be bounced. Instead follow the Model Deployment Instructions.

    • doegrids-cert-request and grids-cert-request create the following files in $HOME (or whatever directory you specify): usercert_request.pem which contains the PKCS#10 request; an empty usercert.pem file; and a userkey.pem file which contains the private key for the certificate. Service certificates with a named service are different. Consult Globus documentation for the equivalent file names and locations.


    • See Model Deployment Item #6. Point your browser to and choose the menu choice Grid or SSL Server under the Server category.


    • Cut and paste the certificate request - Starting with the line -----BEGIN CERTIFICATE REQUEST----- up to and including the line -----END CERTIFICATE REQUEST----- Fill in your name, email and phone number, and select the appropriate affiliation. We suggest you also fill in challenge password( select a good password that you can remember).


    • Submit the form.


    • When the certificate has been approved, cut and past the "Base64 encoded certificate" into the file usercert.pem.


DOE MICS ESnet DOEGrids Web Site