...

  • Edit your organization object and set "Secondary Organization Name" to the name used in grid certificates (with åäö transcribed to ASCII if needed, and with the same upper/lowercase conventions that you have used before with DigiCert). Please check existing certificates if you are unsure, or as a last resort ask us at SUNET TCS to help you check. As grid certificate subjects are used as "usernames" in systems, it is vital that the whole subject string is kept exactly as it was before for your users.
  • Email tcs@sunet.se about this so that we can ask for a validation of the secondary name as you cannot perform this step yourself.

...

The instructions here are geared towards certificate-aware RAOs. You may need to expand on them when providing instructions for your end users, for example by showing them where to import certificates in the web browsers you support.

This is how you get a certificate:

  • Go to https://cert-manager.com/customer/sunet/idp/clientgeant, select your organization's IdP and login there.
  • Select the right certificate profile:
    • Use "GÉANT Personal Certificate" for a normal client certificate for email signing etc. outside the grid/IGTF world.
    • Use "GÉANT IGTF-MICS Personal" for a grid/IGTF personal (client) certificate for normal use.
    • Use "GÉANT IGTF-MICS-Robot Personal" for a grid/IGTF robot personal certificate (seldom used).
  • Select if you want the key generated on the server side or locally. While the former is more convenient, there may be policy reasons or technical reasons for not using that:
    • Use "Generate RSA" if you want a certificate with the key generated on the server side.
    • Use "Generate ECC" only if you are testing ECC certificates. If unsure, use RSA.
    • Use "Upload CSR" and choose the CSR file you have generated if you do not want the key generated on the server side.
  • If you choose to upload the CSR, you must first have created your key and CSR locally, using whatever software you use for that. With OpenSSL, that could be:

    openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
    chmod go= userkey.pem
    cat usercert_request.pem
  • If you choose to generate the certificate on the server side, you must provide the password used to encrypt the PKCS#12 file that will be generated.
  • Click "Submit" and accept the click-through license.
  • After a short while, you will get to download your certificate. The format depends on your choice above:
    • With "Generate RSA/ECC", you will get a PKCS#12 file called certs.p12 containing key and certificate. You can import that in your browser using "Import Certificate" or similar.
    • With "Upload CSR", you will get a PEM-formatted certs.pem containing just the certificate. If you need it in your web browser, you need to create a PKCS#12 file yourself. With OpenSSL as above, that could be:

      openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certandkey.p12

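The "Upload CSR" path above leaves two things to the user that the server-side path does not: keeping the private key safe from the moment it is written, and making sure the downloaded certs.pem really belongs to the key that produced the CSR before it is packaged for a browser. The script below is an added example, not part of the SUNET TCS instructions, that wraps the OpenSSL steps of the procedure in small POSIX sh functions and adds those checks. File names (userkey.pem, usercert_request.pem, certs.pem, certandkey.p12) follow the page; the function names, the P12_PASS environment variable and the self-signed stand-in certificate used for testing are this script's own assumptions.

```shell
#!/bin/sh
# Added helper (not part of the SUNET TCS page): local key/CSR generation,
# a key-vs-certificate check, subject inspection and PKCS#12 packaging.
# File names follow the page; P12_PASS and the function names are this
# script's own conventions.
set -eu

# Step 1: private key + CSR. umask 077 makes the key 0600 from the moment it
# is written, instead of chmod'ing it afterwards. -nodes leaves the key
# unencrypted so this runs unattended; drop it to get the passphrase prompt
# the page's command gives, which is the better choice for a real user key.
make_key_and_csr() {
    dir=$1; cn=$2
    (umask 077; openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/userkey.pem" -out "$dir/usercert_request.pem" \
        -subj "/CN=$cn" 2>/dev/null)
}

# SHA-256 over the DER-encoded public key, taken from a private key file ...
pubkey_fp_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# ... and from a certificate. Both give the same hex for a matching pair.
pubkey_fp_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Check: does the certificate downloaded from cert-manager belong to the key
# that made the CSR? Catches pairing certs.pem with a key from an old request.
key_matches_cert() {
    [ "$(pubkey_fp_of_key "$1")" = "$(pubkey_fp_of_cert "$2")" ]
}

# Print the subject in RFC 2253 form, the string grid services use as the
# "username"; compare it with the DN of the user's previous certificate.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Step 3: key + certificate into PKCS#12 for browser import. The export
# password is read from $P12_PASS via env:, so it never shows up in ps output.
bundle_p12() {
    key=$1; cert=$2; out=$3
    (umask 077; openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
        -passout env:P12_PASS)
}

# Verify the bundle opens with the password (MAC check) before handing it over.
verify_p12() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null
}

# Test stand-in only: self-sign the CSR to produce a certs.pem-shaped file.
# In real use certs.pem is the file you download from cert-manager.
selfsign_stand_in() {
    openssl x509 -req -in "$1/usercert_request.pem" -signkey "$1/userkey.pem" \
        -days 1 -out "$1/certs.pem" 2>/dev/null
}

# Walk-through on a temporary directory: RUN_DEMO=1 sh thisfile.sh
if [ "${RUN_DEMO:-}" = 1 ]; then
    d=$(mktemp -d); export P12_PASS=change-me
    make_key_and_csr "$d" "Mitt Namn"
    selfsign_stand_in "$d"
    key_matches_cert "$d/userkey.pem" "$d/certs.pem" && echo "key and certificate match"
    cert_subject "$d/certs.pem"
    bundle_p12 "$d/userkey.pem" "$d/certs.pem" "$d/certandkey.p12" \
        && verify_p12 "$d/certandkey.p12" && echo "PKCS#12 OK"
    rm -rf "$d"
fi
```

The public-key fingerprint comparison is deliberately independent of key type, so the same check works if the CA ever issues an ECC certificate. The subject printed by cert_subject is what should be compared, character by character, with the user's earlier DigiCert-issued certificate.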

...