This is a web browser based
enrollment and key generation service.
- Close down all browser windows but one.
Better yet, completely close your browser and restart it.
and Internet Explorer(IE) requires ActiveX( atleast, enable
prompting for downloaded signed ActiveX controls). Check
browser settings for scripting if you have problems with
- Import the CA certificate into your
- Please follow the import instructions
- MDF fingerprints of the DOEGrids CA
certificates are here.
Restart your browser.
- Request your certificate.
Point your browser to https://pki1.doegrids.org
- Select Enrollment
- Fill in the New
Items to enter in the certificate
- Full name :
Your full name. (First Name, Middle initial, Last Name.)
: Your valid Email address.
- Information used while processing
: Fill in this field so that we can inform you when
your certificate has been issued.
: Please provide your correct phone number with
area code if you wish to be notified by phone in
case there is some problem with your certificate
This information is used to identify what virtual
organization you belong to. This CA supports several
SciDAC projects. You must select your virtual organization
or registration authority. eg. NERSC, PPDG &
Select 'Others' if your virtual organization is not
on the list.
- Sponsor Information
This sponsor information will
be used to direct this request to the RA for your
project, who will contact your sponsor to authenticate
your request. The list of sponsors is maintained
by the VO or its RA.
- Additional Comments
: If you are member of PPDG, please indicate which
experiment or CS group you are participating in.
Also use this field to indicate your virtual
organization name, if your virtual organization is
not in the dropdown list.
- For Netscape browsers:
- Key Length
: Choose 1024 (High Grade).
- For IE:
provider: Choose Microsoft
- When you click 'submit' the key pair
will be generated. Browsers vary in their behaviour, but
it may ask you to assign a password to the protect the
private key or the key database. Choose a quality
password that you can remember; if you forget it you
will lose access to this key pair and its certificate,
and possibly to other certificates in your browser.
- Retrieving your certificate.
When your certificate has been successfully issued, you
will receive an email that contains a link to a page containing
all your certificate information. Open that page in your
browser and click on Import Your
Certificate button at the bottom of that page.
Exporting your key pair for use by Globus grid-proxy-init.
- Export or 'backup' your certificate.
The interface for this varies from browser to browser.
Internet Explorer starts with "Tools -> Internet Options
-> Content"; Netscape Communicator has a "Security" button
on the top menu bar; Mozilla starts with "Edit ->
Preferences -> Privacy and Security -> Certificates". The
exported file will probably have the extension .p12 or .pfx.
Guard this file carefully. Store it off your computer, or
remove it once you are finished with this process.
- Copy the above PKCS#12 file to the
computer where you will run grid-proxy-init.
- Extract your certificate (which
contains the public key) and the private key:
openssl pkcs12 -in YourCert.p12 -clcerts -nokeys
- To get the encrypted private key
openssl pkcs12 -in YourCert.p12 -nocerts -out
You must set the mode on your userkey.pem file to
read/write only by the owner, otherwise grid-proxy-init
will not use it(chmod go-rw $HOME/.globus/userkey.pem).
Requesting a host or service certificate
Model Deployment for instructions on
how to create a Certificate Signing Request (CSR) for a grid
This service only supports web-based
submissions. DO NOT EMAIL CSR requests to the CA, they will be
bounced. Instead follow the Model Deployment Instructions.
- doegrids-cert-request and
grids-cert-request create the following files in $HOME
(or whatever directory you specify):
usercert_request.pem which contains the PKCS#10
request; an empty usercert.pem file; and a
userkey.pem file which contains the private key for
the certificate. Service certificates with a named service
are different. Consult Globus documentation for the
equivalent file names and locations.
Model Deployment Item #6. Point your browser to https://pki1.doegrids.org
and choose the menu choice Grid or SSL Server under
the Server category.
- Cut and paste the certificate request
- Starting with the line
REQUEST----- up to and including the line
CERTIFICATE REQUEST----- Fill in your name, email
and phone number, and select the appropriate affiliation.
We suggest you also fill in challenge password( select a
good password that you can remember).
- Submit the form.
- When the certificate has been approved,
cut and past the "Base64 encoded certificate" into the