Skip to content

Requesting a grid certificate from the NorduGrid CA

The first step in acquiring a certificate from the NorduGrid CA is to create a certificate request.

Creating a certificate request

Certificate requests can be created using any compatible tool.

Creating a certificate request using openssl

You can use openssl to create a certificate request and a private key. Openssl will ask for a password to protect the private key. Note, if the password or private key is lost, a new certificate must be obtained. The process is shown below:

$ mkdir -p ~/.globus`
$ openssl req -new -newkey rsa:2048 \`
  -out ~/.globus/usercert_request.pem \`
  -keyout ~/.globus/userkey.pem \`
  -subj "/O=Grid/O=NorduGrid/ Kula/"`
Generating a 2048 bit RSA private key`
writing new private key to '~/.globus/userkey.pem'`
Enter PEM pass phrase:`
Verifying - Enter PEM pass phrase:`

Modify OU, CN and emailAddress as necessary. It is probably important that your OU and the domain in the email address are the same.

Sending the certificate request to the NorduGrid CA

When the certificate request is created there will be 2 files, userkey.pem and usercert_request.pem, in a subdirectory called .globus in your home directory. The userkey.pem is your private key and should not be world readable. This can be achieved by using chmod 400 ~/.globus/userkey.pem.

The contents of the usercert_request.pem should be sent by mail to you neareast Registration Authority (RA). The RA will verify your request and verify your identity. This can involve meeting with the RA and proving your identity with a passport or equivalent documents. The current list of RA:s can be found at the following page:

Installing the certificate in your home directory

When certificate request is signed by the CA you will receive a mail with the certificate.

The important parts of the mail are shown below::


Copy the part shown above into the file usercert.pem in the .globus directory in your home directory.

Installing the certificate in your browser

To use the requested certificate in your browser it has to be converted to pkcs12 format. This can be done using the following commands (on a linux/unix based system):

$ cd ~/.globus
$ openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out DELETE_ME.p12

First openssl ask for your passphrase for your private key.

Enter pass phrase for userkey.pem:

As the pkcs12 file will consist of both your public and private key, the generated file is protected by an additional passphrase which openssl asks for:

Enter Export Password:
Verifying - Enter Export Password:

The generated file, DELETE_ME.p12, can then be imported into your web browser.

To import the certificate in Firefox, open the "Advanced" tab in the Preferences dialog, and select the "Encryption" tab. Click the "Certificates" button and then the "Import..." button. Select your generated DELETE_ME.p12 file, and Firefox will then ask you for the export passphrase to entered in the openssl command. In Chrome, the procedure is pretty much the same, except you have to go to "Settings" and click "Under the Hood" in the sidebar and then the "Manage certificates..." button to find the "Import..." button.

On Mac OSX most browsers (except Firefox) use the keychain to store certificates, and you can import DELETE_ME.p12 to the keychain by double clicking it in the finder.

Do not forget to delete DELETE_ME.p12 when you are done.

Renewing a NorduGrid user certificate

Renewing a certificate is needed when and old certificate is about to expire.

Go into your .globus directory. There you can make a new directory and jump into it to create your new certificates, while still be able to to use the old ones as long as they are valid.

mkdir new`date +%y%m%d`
cd new`date +%y%m%d`
openssl req -newkey rsa:2048 -keyout newuserkey.pem -subj "/O=Grid/O=NorduGrid/ Lastname/" -new -out usercert_request.pem
chmod 400 newuserkey.pem

Note: Firstname Lastname do not need to be uppercase. If you change case/spelling/email-address in your certificate when renewing a certificate, then RT-systems, web-servers, wiki et cetera will likely not recognize you, as it is often done through plain character string matching! So check what your had in your old cert in beforehand.

Update: For user certificates it is no longer necessary to create a signaturefile, but this is how you would have done it:

openssl dgst -binary -sign ../userkey.pem < usercert_request.pem > req.sig

Mailing your renewal request

You will have to send an email with the *_request.pem file inline and the eventual sigfile attached. For human readability and faster responsetime it can be recommended to also paste the output of

openssl req -in usercert_request.pem -noout -text

into the body of the email. Another appreciated information is the time when your current certificate will expire. The recipient of your email is generally your RA (the one you used when asking for your previous cert, see above) who will control, sign and forward it for you to

If you are able to sign the mail (signing doesn't mean attaching!!!) with the still valid old certificate in PKCS12 format you can send it directly to the CA at In that case you don't need to give the information of when your current certificate will expire since it is obvious. It is still recommended though that you CC your RA who can then inform you of any expected delays and could point out if your signature doesn't look valid.

Signing email with your certificate

First you will need your grid certificate in PKCS12 format, since that's the format understood by email programs.

Transform your certificate from PEM into PKCS#12 format

First, change directory into where you created and keep the certificate, historically this is often the .globus in your home directory:

cd ~/.globus

Then proceed with creating a PKCS=12 .p12 file:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert+key.p12

First you will have to enter the password you used for your private key, then you will be asked for a new password to protect the new file. cert+key.p12 contains your private key, and is therefore as valuable as userkey.pem. Security wise the safest way is to delete the PKCS12 file after having imported it into your mail client or browser. Don't forget this.


Mozilla Thunderbird is a graphical email program available for many platforms. More information at

In Thunderbird, Navigate Options->Security->Digitally sign this message.

If you do this for the first time and haven't defined yet the certificate to sign with, Thunderbird will pop up the according preferences Account settings/Security, where you can choose between your imported certificates in PKCS#12 format.

In the beginning, of course, you haven't imported any: Click there on the same preferences tab that popped up on View Certificates. In the new window that opens you can import the certificate.

Afterwards you can then choose this certificate to be used for signing and for encryption for this email account.

Don't forget to actually check that you then really sign the corresponding mail.


Mew is a mail reader for Emacs. More information at

Mew uses gpgsm.

1. Import the nordugrid root cert

1.1. get 1f0e8352.0 from nordugrid web

1.2. gpgsm --import 1f0e8352.0

1.2. Make it trusted:
     gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' | grep THE-FINGERPRINT-YOU-WANT >> .gnupg/trustlist.txt

2. Add your own key from the cert+key.p12 file in this case

2.1 openssl pkcs12 -in cert+key.p12 -out tmp.pem -nokeys

2.2. gpgsm --import tmp.pem ; rm tmp.pem

2.3. Tell gpgsm not to use revocation lists (bad bad security)
     echo disable-crl-checks >> .gnupg/gpgsm.conf

3. Test
   gpgsm --detach-sign file > sign  # should ask for passphrase and give some kind of sign file

4. Use:
   C-uC-cC-s  then enter your email address (must match email in cert) and passphrase
Back to top