User Certificates from the DOEgrids

by admin last modified 2007-05-01 14:18

A short how-to for getting user certificates from the DOEgrids for the GPN VO.

Requirements

The Certificate Authority for GPN is the DOEgrids.org CA.  In order to be approved, you must satisfy these requirements:

  • Valid email address and phone number.
  • US citizen.  (This requirement can be relaxed on a case-by-case basis; we need to examine the specific policy for a few foreign countries.)
  • Have a GPN sponsor at your local university with a personal certificate.  If there is no local sponsor, you will need to attend a GPN meeting so we can associate you with someone.
    • This is done so we can verify your identity.
  • A personal computer from which the request can be made (it cannot be a lab machine / shared login).
  • A browser which can generate certificate requests.  I know Mozilla-based and IE-based browsers can do this, but am less sure of other ones.
Please make sure you meet these requirements before you request a certificate.

Certificate Request

In order to request a certificate, do the following:
  • Navigate to https://pki1.doegrids.org.  The New User page should open by default (look for DOEgrids Subscriber Enrollment in big bold letters).
  • Fill out the Subscriber's Identity and Contact Information sections.  Make sure you use a valid email.  The entry for "Full Name" must be your full name, properly capitalized.  If you are "Brian Bockelman", you should not enter "brian bockelman", "brian", or "bb" here.  This is not your user name.
  • For Affiliation, use OSG; for VO name use GPN (or whatever else may be appropriate).
  • For the Sponsor Information section, write in your GPN sponsor's name.  If you are not sure and are a student, this is probably your advisor or teacher (if taking a grid-computing class).  It doesn't hurt to ask.
  • When you hit Submit, your browser will generate a private key and a certificate request containing the matching public key.  The private key will be kept on disk, and the certificate request will be sent to the certificate authority.
  • DOEgrids will return with a request ID number.  Have your advisor send an encrypted email to Brian Bockelman, asking him to approve the certificate request.

Certificate Retrieval


Converting your Certificate

The certificate in your browser must be saved into an external format in order for Globus to use it.  Please follow these directions:
  • Export / Backup your certificate.  This can usually be done through the security tab of the browser preferences.  Unfortunately, no two browsers do this the same way (in fact, there are differences between versions, or even between operating systems).  Save it as usercert_browser.p12.
  • Copy usercert_browser.p12 to the Linux machine from which you'll be submitting jobs.
  • Create the .globus directory on the target machine with the following command:
    mkdir $HOME/.globus
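  • Run the following two OpenSSL commands.  The first extracts the private key: it asks for the password you set when exporting the .p12 file, and then for a new pass phrase to protect userkey.pem.  The second extracts the certificate: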
    openssl pkcs12 -in usercert_browser.p12 -nocerts -out $HOME/.globus/userkey.pem
    openssl pkcs12 -in usercert_browser.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
  • Fix the permissions on your certificates:
    chmod go-rw $HOME/.globus/user*
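
After the steps above, a check like the following confirms that the key is private to you, that usercert.pem and userkey.pem belong together, and that the certificate has not expired.  This is an added example, not part of the original how-to or of Globus; the function name check_globus_creds is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the files written by the two openssl pkcs12 commands.
# check_globus_creds is a hypothetical helper name, not a Globus or DOEgrids tool.
# Usage: check_globus_creds [directory]   (defaults to $HOME/.globus)
check_globus_creds() {
    dir=${1:-"$HOME/.globus"}
    key=$dir/userkey.pem
    cert=$dir/usercert.pem
    rc=0

    # Both files must exist and be non-empty before anything else is checked.
    for f in "$key" "$cert"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 2
        fi
    done

    # The private key must carry no group/other permission bits
    # (characters 5-10 of the ls mode string).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "userkey.pem is accessible to group/other; run: chmod go-rwx $key" >&2
        rc=1
    fi

    # The certificate and the key must hold the same public key.
    # openssl asks for the key's pass phrase here if the key is encrypted.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "usercert.pem does not match userkey.pem" >&2
        rc=1
    fi

    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "usercert.pem has expired or is unreadable" >&2
        rc=1
    fi

    return $rc
}
```

Once the check passes, delete usercert_browser.p12 from the Linux machine (or store it offline as a backup), since it still contains your private key.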
