Requesting a grid certificate¶
The SUNET Trusted Certificate Service (TCS) provides certificates to SUNET members via an externally contracted service provider. This page documents how to request a personal grid (aka eScience or IGTF) certificate using the current service provider, Sectigo.
Requirements¶
Two requirements need to be fulfilled in order to request a personal grid certificate:
- Your organization must have the required Single Sign On authentication set up to allow login to the certificate portal (see Organization Support below).
  - A tool for testing this is the Sectigo SSO check page at https://cert-manager.com/customer/sunet/ssocheck. If this works, your organization has the required authentication set up.
- Your identity must fulfill the requirements for requesting personal certificates. Within Sweden the requirement is SWAMID Assurance Level 2 Profile (SWAMID AL2) or higher (in practice, your university must have verified your identity).
  - If you are able to log in to the certificate portal but not able to issue a certificate, this is usually the problem.
  - Enabling this only needs to be done once; routines vary among organizations. It involves a strong verification of your identity, for example via electronic identification such as Swedish BankID, Freja eID, etc., or visiting a helpdesk to show an identity document.
  - You can check your own SWAMID AL2 status at https://release-check.swamid.se/. Look for the attribute eduPersonAssurance with the value http://www.swamid.se/policy/assurance/al2. If you don't have this, it is unlikely that you will be able to get a certificate. Not all universities support AL2 verification; see Organization Support below.
Requesting a certificate¶
NOTE: If you already have a valid certificate, use the same certificate on all your devices/services. If you request multiple certificates, the oldest might silently get revoked due to a maximum issued limit. See Maximum number of valid certificates below.
You request a certificate at https://cert-manager.com/customer/sunet/idp/clientgeant, where you will be required to log in with your local credentials at your organization.
If you log in and your organization is set up correctly, you will get to a page with the heading Digital Certificate Enrollment.
A common error for first-time users is your identity not fulfilling the requirements for requesting personal certificates; see Requirements above.
To proceed, you will need to choose whether the key for your certificate should be generated by you on your computer or at the server side. The two methods are described in the following sections.
Requesting a certificate with server-side generation of key¶
Use this method:
- If you can accept that the key is generated on the server side.
- If you want to avoid having to do local openssl commands or similar to get a certificate for your web browser.
To use this method, log in to https://cert-manager.com/customer/sunet/idp/clientgeant and
- Select Certificate Profile = GÉANT Personal Authentication (very important).
- Select Term 395 days (should be the only option).
- Select Enrollment Method = Key Generation.
- Select Key Type with appropriate key length. "RSA-2048" is usually good enough. At this time, we do not recommend using "RSA-8192" as some servers do not accept that size.
- Provide a password that will be used to encrypt the PKCS#12 file you get back.
- If you will import to Keychain on a Mac, select key protection algorithm "Compatible TripleDES-SHA1" as the default choice "Secure AES256-SHA256" does not work (as of 2023-06-12).
- Check the "I have read and agree to the terms of the EULA" checkbox.
- Click the SUBMIT button and accept the click-through license.
After a short pause, you will be offered to download your certificate and key in a PKCS#12 file called certs.p12.
Requesting a certificate using a locally generated key and CSR¶
Use this method:
- If there is a policy reason for you to refuse to have the key generated on the server side.
- If there is a technical reason that needs the key to be generated locally.
To use this method, first generate a key and a CSR (certificate signing request) on your computer. If you are not required to use another program, use OpenSSL (replace Mitt Namn with your own name; you will be asked for a passphrase that protects the private key file):
```sh
openssl req -new -newkey rsa:4096 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
chmod go= userkey.pem
```
Then, after logging in to https://cert-manager.com/customer/sunet/idp/clientgeant:
- Select Certificate Profile = GÉANT Personal Authentication (very important).
- Select Term 395 days (should be the only option).
- Select Enrollment Method = CSR.
- Use Choose File to upload the usercert_request.pem file you created above, or paste it into the box below.
- Check the "I have read and agree to the terms of the EULA" checkbox.
- Click the SUBMIT button and accept the click-through license.
After a short pause, you will be offered to download your certificate in a PEM-format file called certs.pem.
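The following is an added example, not part of the original page or the Sectigo portal: it generates the key and CSR as above and then runs the checks worth doing before you upload the CSR (the CSR's self-signature verifies, it carries a 4096-bit RSA key, it matches the private key on disk, and the key file is owner-readable only). The function names and the output directory argument are this example's own. It uses -nodes so it can run unattended; the page's interactive command instead encrypts the key with a passphrase, which is the better choice for a key you keep on a laptop.

```sh
#!/bin/sh
# Added example (not from the original page): generate the key and CSR for
# the "CSR" enrollment method and verify them before uploading.
set -eu

# Generate an RSA-4096 private key and a CSR with the given Common Name.
# -nodes leaves the key unencrypted so the script runs unattended, so file
# permissions are the only protection; umask 077 makes sure the key file is
# never world-readable, not even between creation and the chmod below.
make_key_and_csr() {
    dir=$1
    cn=$2
    (
        umask 077
        openssl req -new -newkey rsa:4096 -nodes \
            -keyout "$dir/userkey.pem" \
            -out "$dir/usercert_request.pem" \
            -subj "/CN=$cn" 2>/dev/null
    )
    chmod go= "$dir/userkey.pem"   # same as the page: owner-only access
}

# Succeed only if the file is readable by its owner alone (-rw-------).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Succeed only if the CSR's self-signature verifies, i.e. the file was not
# truncated or altered when it was copied or pasted.
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the RSA modulus size (in bits) of the public key inside the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR carries the public half of the given private key,
# so the certificate the CA returns will actually work with userkey.pem.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the subject so the CN can be checked by eye before uploading.
csr_subject() {
    openssl req -in "$1" -noout -subject
}
```

Typical use is `make_key_and_csr "$HOME/grid" "Mitt Namn"` followed by the four checks on the resulting files; if `csr_matches_key` fails you have mixed up key files and should regenerate rather than upload.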
Robot certificates¶
Robot certificates are intended for use with software agents and automatic data management processes running under your control. They are in all other respects identical to the Personal ones.
Apply for a robot certificate using the procedure described above with the following change:
- Select Certificate Profile = GÉANT Personal Automated Authentication.
Currently robot certificates need to be registered in SUPR in the same way as personal certificates (and instead of the personal certificate). Swestore is investigating other methods of registering robot certificates for use with automatic services.
Maximum number of valid certificates¶
At any given moment you can have two certificates from each Certificate Profile type (such as GÉANT Personal Authentication - RSA). Requesting a third one will automatically revoke the oldest certificate of the same type to keep the window at two certificates (the most recent ones) per profile.
Register the certificate in SUPR¶
The certificate needs to be registered in SUPR for Swestore to know that it belongs to you and map access appropriately.
Revoking a certificate¶
Currently, you cannot revoke your certificate from the portal. If you need your certificate revoked, please talk to your local certificate administrators at your organization. If you cannot reach them and it is urgent, contact tcs@sunet.se and provide the details of the certificate you want revoked.
Using the certificate¶
Using the certificate in the web browser¶
If you had the key generated server-side and got a certs.p12 file back, you are ready to import it into your web browser.
If you uploaded a CSR and got certs.pem back, you first need to create a PKCS#12 file yourself (you will be asked for an export password, which the browser will ask for at import time):
```sh
openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12
```
To import the certs.p12 file into your web browser:
- MacOS:
  - Most applications on MacOS use Keychain instead of per-application storage. See our MacOS Keychain instructions.
- Firefox:
  - Select Preferences, type certificate in the search box, click the View Certificates button, click the Import button, select your certs.p12 file created above, and provide the password.
  - You should find your new certificate listed in the Your Certificates table.
- Chrome:
  - Select Settings, access the search icon and type certificate, click Manage certificates (you may have to click More first to see this), click the Import button, select your certs.p12 file created above, and provide the password.
  - You should find your new certificate listed on the page, after unfolding the right organization heading.
- Other browsers: Please help us out by providing instructions.
Using the certificate with grid tools¶
- If you had the key generated server-side and got a certs.p12 file back, you can follow the instructions at Prepare the certificate.
- If you uploaded a CSR and got certs.pem back, you can do it in one of two ways:
  - Either create a PKCS#12 file yourself using the OpenSSL command in the web browser section above, and then proceed with the instructions at Prepare the certificate.
  - The other, more direct, alternative:
    - Put the userkey.pem file you generated in your ~/.globus directory as ~/.globus/userkey.pem
    - Put the certs.pem file you downloaded in your ~/.globus directory as ~/.globus/usercert.pem
    - Ensure file permissions:
      ```sh
      chmod 0600 ~/.globus/userkey.pem ~/.globus/usercert.pem
      ```
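The following is an added example that covers both the web-browser step (building certs.p12 from userkey.pem and certs.pem) and the grid-tools step (installing the pair under .globus); it is not code from the original page or from Swestore. It first checks that the returned certificate really belongs to your key and is still valid, builds the PKCS#12 either with OpenSSL's defaults or with the TripleDES-SHA1 protection the page recommends for macOS Keychain, and installs the files with the required permissions. The function names, the PASSPHRASE environment variable and the .globus directory argument are this example's own, and make_stand_in_cert produces a constructed self-signed certificate so the example runs offline; with a real certs.pem you skip that function.

```sh
#!/bin/sh
# Added example (not from the original page): verify certs.pem against
# userkey.pem, build certs.p12 for a browser, install under .globus.
set -eu

# Constructed stand-in for the portal-issued certs.pem so the example can
# run offline: a self-signed certificate plus its key, valid for 30 days.
make_stand_in_cert() {
    dir=$1
    (
        umask 077
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
            -keyout "$dir/userkey.pem" -out "$dir/certs.pem" \
            -subj "/CN=Stand-in cert" 2>/dev/null
    )
}

# Succeed only if the public key in the certificate matches the private key.
# A mismatch means the wrong CSR was uploaded or the key file was replaced.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed only if the certificate will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Build the PKCS#12 the browser section describes. With "mac" as the
# fourth argument, use the TripleDES-SHA1 protection the page recommends
# for Keychain instead of OpenSSL's default (AES-256 with SHA-256).
# The export password is read from the PASSPHRASE variable rather than
# argv, so it does not appear in `ps` output or shell history.
make_p12() {
    key=$1; cert=$2; out=$3; flavour=${4:-default}
    if [ "$flavour" = mac ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
            -passout env:PASSPHRASE
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
            -passout env:PASSPHRASE
    fi
    chmod go= "$out"   # the .p12 contains the private key: owner-only
}

# Succeed only if the PKCS#12 opens with PASSPHRASE (MAC check passes).
p12_opens() {
    openssl pkcs12 -in "$1" -noout -passin env:PASSPHRASE >/dev/null 2>&1
}

# Install key and certificate where grid tools look for them, with the
# permissions the page requires (0600). $3 is the .globus directory,
# taken as a parameter so the example never touches the real ~/.globus.
install_globus() {
    key=$1; cert=$2; globus=$3
    mkdir -p "$globus"
    chmod 700 "$globus"
    cp "$key" "$globus/userkey.pem"
    cp "$cert" "$globus/usercert.pem"
    chmod 0600 "$globus/userkey.pem" "$globus/usercert.pem"
}

# Succeed only if the file is readable by its owner alone (-rw-------).
is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

With a real certificate the sequence is `cert_matches_key certs.pem userkey.pem`, `cert_valid_for_days certs.pem 1`, then `PASSPHRASE=... make_p12 userkey.pem certs.pem certs.p12 mac` for a Mac browser and/or `install_globus userkey.pem certs.pem "$HOME/.globus"` for grid tools. The 3DES variant is weaker than the AES default, so use it only where Keychain refuses the default file, and delete the .p12 once it has been imported.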
Appendix¶
Organization Support¶
This section lists organizations known to have done all the setup required to enable Sectigo certificate generation for their users. The list is incomplete. Reports of "Works" or "Does not work" are highly appreciated; see our support contact information.
- Chalmers Tekniska Högskola (verified OK 2020-04-27 by Mathias L at C3SE)
  Please see the local instructions.
- Kungliga Tekniska högskolan (verified OK 2020-04-28 by Lilit A at PDC)
  Go to KTH's IT support page, https://intra.kth.se/en/it/kontakta-it-support/, and ask them to give you the right to retrieve eScience (grid) certificates using your KTH id. Then follow the instructions on the Sectigo page.
- Linköpings universitet (verified OK 2020-04-24 by Kent E at NSC)
  No special instructions needed.
- Lunds universitet (verified OK 2020-04-28 by Anders A and Magnus U at Lunarc)
  Make sure you have a valid LU identity card. This ensures that your Lucat-id has been validated by a face-to-face identification. More information at https://www.staff.lu.se/lucat-lu-staff-and-affiliates. Then follow the instructions on the Sectigo page.
- Umeå universitet (verified OK 2024-04-02 by Nikke at HPC2N)
  - See https://manual.its.umu.se/en/access-level/ for information on how to view and, if needed, raise your access level to AL2.
  - Then follow the instructions on the Sectigo page.
- Uppsala universitet (verified OK 2020-04-28 by Daniel K at UPPMAX)
  See the prerequisite steps at https://mp.uu.se/web/info/stod/it-telefoni/it-support/personliga-certifikat. Then follow the instructions on the Sectigo page.
Failed verification¶
- Sveriges lantbruksuniversitet (does not handle AL2; verified 2020-12-18 by Jens L at NSC)
  Please use the Nordugrid instructions.
- Karolinska Institutet
  Does not handle personal certificates. Please see https://staff.ki.se/certificates
Enable a new organization¶
Instructions aimed at your local organization's TCS and IdP administrators are found at the SUNET Wiki and they are welcome to contact tcs@sunet.se to get help with the setup.