
Requesting a grid certificate

The SUNET Trusted Certificate Service (TCS) provides certificates to SUNET members via an externally contracted service provider. This page documents how to request a personal grid (aka eScience or IGTF) certificate using the current service provider, HARICA.

Requirements

Two requirements need to be fulfilled in order to be able to request a personal grid certificate:

  • Your organization must have set up SAML integration with HARICA (see Enable a new organization below).
  • Your identity must fulfill the requirements for requesting personal certificates. Within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2), or higher (in practice, your university must have verified your identity).
    • If you are able to log in to the certificate portal but not able to issue a certificate, this is usually the problem.
    • Enabling this only needs to be done once, routines vary among organizations. It involves a strong verification of your identity, for example via electronic identification such as Swedish BankID, Freja eID, etc; or visiting a helpdesk to show an identity document.
    • You can check your own SWAMID AL2 status on: https://release-check.swamid.se/. Look for:

      Attribute Value
      eduPersonAssurance http://www.swamid.se/policy/assurance/al2

      If you don't have this it's unlikely that you will be able to get a certificate. Not all universities support AL2 verification (see Organization Support below).

Requesting a certificate

NOTE: If you already have a valid certificate, try to use the same certificate on all your devices/services rather than requesting a new one.

  • Login at https://cm.harica.gr/ using Academic Login and your user at your IdP. Using Academic Login is necessary for this to work.

  • In the menu at the left edge, select IGTF Client Auth. Do not select Client Auth (which is for non-IGTF authentication certificates not included in our contract).

  • Select GÉANT Personal Authentication as certificate type and confirm that again on the next page.

  • Accept the terms and proceed using the Submit Request button.

  • Use the Enroll your certificate button in the list showing Ready Certificates.

  • Use the preselected Generate Certificate option on the next page and make sure to select a passphrase you will remember for later (it protects the private key inside the PKCS#12 file you download, and you will need it every time you import that file). Check the "I understand..." checkbox and proceed using the Enroll Certificate button.

  • Use the Download button on the Get Your Certificate page to save the PKCS#12 file containing key and certificate.

  • Import the PKCS#12 file where you need it.

Power users may choose to instead use the Submit CSR manually option (having generated a key before, and combining the key and the downloaded certificate as needed afterwards). With this option the private key never leaves your machine; see Using the certificate below for the combining step.

Register the certificate in SUPR

The certificate needs to be registered in SUPR for Swestore to know that it belongs to you and map access appropriately.

Revoking a certificate

You can revoke your certificate using the Revoke alternative in the "..." menu at the right of the certificate entry in the "Valid Certificates" list.

Using the certificate

2025-05-06: This has not been tested after the switch from Sectigo to HARICA.

Using the certificate in the web browser

If you had the key generated server-side and got a Certificate.p12 file back, you are ready to import it into your web browser.

If you uploaded a CSR and got a Certificate back, you first need to create a PKCS#12 file yourself by doing:

openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12

To import the certs.p12 file into your web browser:

  • MacOS:
    • Most applications on MacOS use Keychain instead of per-application storage. See our MacOS Keychain instructions.
  • Firefox:
    • Select Preferences, type certificate in the search box, click button View Certificates, click button Import, select your certs.p12 file created above, provide the password.
    • You should find your new certificate listed in the Your Certificates table.
  • Chrome:
    • Select Settings, access the search icon and type certificate, click Manage certificates (you may have to click More first to see this), click the Import button, select your certs.p12 file created above, provide the password.
    • You should find your new certificate listed on the page, after unfolding the right organization heading.
  • Other browsers: Please help us out by providing instructions.

Using the certificate with grid tools

  • If you had the key generated server-side and got a Certificate.p12 file back, you can follow the instructions at Prepare the certificate.
  • If you uploaded a CSR and got certificate back, you can do it in one of two ways.
    • Either create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at Preparing the certificate.
    • The other more direct alternative:
      • Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
      • Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem
      • Ensure file permissions: chmod 0600 ~/.globus/userkey.pem ~/.globus/usercert.pem
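The whole "Submit CSR manually" route, from key generation to the ~/.globus layout above, as one script. This is an added example, not code from the SUNET/HARICA page. It assumes openssl is on PATH, that WORKDIR is a scratch directory, and that passphrases are supplied in environment variables only so the script can run unattended (in real use, let openssl prompt for them). Because the script must run offline, the step where HARICA signs the CSR is replaced by a constructed throwaway local CA (fake_issue); in real use, certs.pem is the file downloaded from cm.harica.gr and that function is skipped. The placeholder CN in the CSR is an assumption: the issued certificate's DN is set by the CA from your verified identity, not from what you type here.

```shell
#!/bin/sh
# Added example for the "Submit CSR manually" route; not from the SUNET/HARICA page.
# Assumptions: openssl on PATH; WORKDIR is scratch; KEYPASS/P12PASS come from the
# environment only so this runs unattended.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
GLOBUS_DIR="${GLOBUS_DIR:-$WORKDIR/globus}"   # use "$HOME/.globus" for real use
KEYPASS="${KEYPASS:-change-me-key}"
P12PASS="${P12PASS:-change-me-p12}"

# 1. Encrypted private key plus CSR. The CN is a placeholder (assumption: the CA
#    sets the final DN from your verified identity, not from the CSR).
make_csr() {
  openssl req -new -newkey rsa:3072 -sha256 \
    -keyout "$WORKDIR/userkey.pem" -passout "pass:$KEYPASS" \
    -subj "/CN=placeholder" -out "$WORKDIR/usercert.csr" 2>/dev/null
  chmod 0600 "$WORKDIR/userkey.pem"
  openssl req -in "$WORKDIR/usercert.csr" -noout -verify >/dev/null 2>&1
}

# 2. Constructed stand-in for HARICA: a throwaway local CA signs the CSR so the
#    rest of the flow can be exercised offline. Not needed in real use.
fake_issue() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" \
    -subj "/CN=Stand-in test CA" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/usercert.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -sha256 -days 1 -out "$WORKDIR/certs.pem" 2>/dev/null
}

# 3. The check worth doing before building a PKCS#12: the downloaded certificate
#    must carry the public key of the key you generated in step 1.
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/userkey.pem" -passin "pass:$KEYPASS" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORKDIR/certs.pem" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build certs.p12 for browser import, then confirm it opens with the passphrase.
make_p12() {
  key_matches_cert || { echo "key/cert mismatch: wrong userkey.pem for this certificate" >&2; return 1; }
  openssl pkcs12 -export -inkey "$WORKDIR/userkey.pem" -passin "pass:$KEYPASS" \
    -in "$WORKDIR/certs.pem" -name "grid" \
    -out "$WORKDIR/certs.p12" -passout "pass:$P12PASS"
  chmod 0600 "$WORKDIR/certs.p12"
  openssl pkcs12 -in "$WORKDIR/certs.p12" -passin "pass:$P12PASS" -noout
}

# 4. Direct layout for grid tools: usercert.pem and userkey.pem, both 0600,
#    inside a 0700 directory; fail early if the certificate is already expired.
install_globus() {
  mkdir -p "$GLOBUS_DIR" && chmod 0700 "$GLOBUS_DIR"
  cp "$WORKDIR/certs.pem"   "$GLOBUS_DIR/usercert.pem"
  cp "$WORKDIR/userkey.pem" "$GLOBUS_DIR/userkey.pem"
  chmod 0600 "$GLOBUS_DIR/userkey.pem" "$GLOBUS_DIR/usercert.pem"
  openssl x509 -in "$GLOBUS_DIR/usercert.pem" -noout -checkend 0 >/dev/null
}

# Subject DN in the form grid tools print; this is the identity tied to the
# certificate when you register it in SUPR.
cert_dn() {
  openssl x509 -in "$GLOBUS_DIR/usercert.pem" -noout -subject -nameopt RFC2253
}

# Run the whole flow: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
  make_csr && fake_issue && make_p12 && install_globus && cert_dn
fi
```

Two caveats: key_matches_cert is the step that catches the common mistake of pairing a downloaded certificate with a key from an earlier request, which openssl pkcs12 -export will otherwise happily package into an unusable file; and OpenSSL 3 writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, so if an old importer rejects certs.p12, re-run the export with the -legacy option.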

Appendix

Organization Support

This section lists organizations known to have done all the setup required to enable HARICA certificate generation for their users. The list is incomplete. Reports of "Works" or "Does not work" are highly appreciated, see our support contact information.

Works

  • Linköpings universitet (verified OK 2025-05-06 by Kent and Jens at NSC)

  • Chalmers Tekniska Högskola (verified OK 2025-05-06 by Thomas at C3SE)

Enable a new organization

Instructions aimed at your local organization's TCS and IdP administrators are found at the Sunet Wiki.

The test page at https://cm.harica.gr/loginsaml/test.php can be used to check what attributes are sent (which should be compared to the requirements at the GÉANT wiki page linked from the SAML Configuration part of the Sunet Wiki page).

Your local organization's TCS and IdP administrators are welcome to contact tcs@sunet.se to get help with the setup.