In order to setup your GRID Certificate, you need to have already completed the initial steps of requesting the certificate, registering for membership in the ATLAS VO, etc. See this BNL page for detailed instructions.

Note: You should use a browser with appropriate security, such as IE7 or Firefox v2.

The sections below are out-of-date.

Instead use the BNL pages at

After Obtaining Confirmation

The DOE will send you an e-mail with your GRID Certificate's serial number. DO NOT enter the script commands, as you have most likely requested the certificate via a web browser. The next step is to import the certificate into the browser.

Note: You must use the same browser to import & export your certificate that you used to request the certificate.

There is information on importing and exporting your certificate from your browser at but see if the instructions below work for you.

Importing Your Certificate

After receiving the e-mail with your certificate's serial number, follow these steps to import your certificate into your browser:
  1. Point your browser to the DOEgrid Subscriber Enrollment Site
  2. Navigate to the Retrieval tab at the top.
  3. Click List Certificates.
  4. Enter your serial number (from the e-mail) in the 'Lowest serial number' field.
  5. Click 'Find.'
  6. Locate your certificate's entry.
    • Note: If you applied with other users, your name might be farther down the list...
  7. Click 'Details.'
  8. Scroll to the bottom of the page, and click 'Import Your Certificate.'
Now, your browser has your DOE GRID Certificate saved. From this point, you can export your certificate in order to generate your userkey.pem and usercert.pem files in order to make you eligible for GRID tasks.

Exporting Your Certificate

In order to perform GRID tasks, you need to export your certificate from the browser. To do so, follow the instructions for your respective browser:
  1. Select your certificate:
    • In Firefox v2 (Linux): Click Edit -> Preferences, click Advanced, click the Encryption tab, and then click View Certificates.
    • In Firefox v2 (Windows): Click Tools -> Options, click Advanced, click Encryption, and then click View Certificates.
    • In Firefox v1.5 (Linux): Click Edit -> Preferences, click Advanced, click the Security tab, and then click View Certificates.
    • In Firefox v1.5 (Windows): Click Tools -> Options, click Advanced, click Security, and then click View Certificates.
    • In Internet Explorer v7, click Tools -> Internet Options, click the Content tab, and under Certificates, click the Certificates button.
    • In Internet Explorer v6, click Tools -> Internet Options, click the Content tab, and under Certificates, click the Personal.
  2. Select your DOE certificate, click Backup (or Export), and store this file in a safe location on your computer, or in your home directory on any of the machines.
Now, with your *.pfx file (hereafter referred to as gridcert.pfx), you can convert your certificate to the relevant usercert.pem and userkey.pem files.

See Also: Installing Your Grid Certificate

Converting Your Certificate

This is the crucial part. Here, you're going to put your exported certificate on the server, convert them, and configure your directory structure so that you can perform your GRID tasks.

  1. If you have not already done so, using SFTP or some other file-transfer protocol, move your gridcert.pfx file to your home directory on umt3int02, or any machines on the cluster.
  2. Setup the relevant directories:
    $ cd
    $ mkdir .globus
    $ mkdir -p .private/.globus
  3. Convert gridcert.pfx to the relevant files using the openssl command:
    $ openssl pkcs12 -in [your-cert-file] -clcerts -nokeys -out .globus/usercert.pem
    $ openssl pkcs12 -in [your-cert-file] -nocerts -out .private/.globus/userkey.pem
    1. This second command may prompt you for the password you created while exporting your certificate. Then, it will prompt you to create a password for your userkey.pem file, which you HOLD DEAR, for you will use this every time you access the GRID.
    2. VERY IMPORTANT: Never tell anyone your password, and make sure that your userkey.pem file is only readable by YOU, i.e., execute the following in your home directory:
      $ chmod 400 .private/.globus/userkey.pem
  4. Next, you must set the appropriate access rights for these hidden directories. Only you should have any rights on your private directory, so execute the following command: (note, see here for alternate directions on setting up this afs .private directory protection)
    $ fs listacl .private
    1. The output should look something like this:
      Normal rights:
      system:administrators rlidwka
      system:anyuser rl
      [your-username] rlidwka
    2. If there any rights given to other users (besides your username), such as system:administrators or system:anyuser, you must remove these rights. Execute these commands:
      $ fs setacl .private system\:administrators ""
      $ fs setacl .private system\:anyuser ""
    3. If a fs listacl .globus command reveals that system:anyuser has more access than the simple "rl," do this:
      $ fs setacl .globus system:\anyuser rl
  5. Now, make a softlink from your .globus directory to your .private/.globus/userkey.pem file:
    $ cd .globus
    $ ln -s ~/.private/.globus/userkey.pem userkey.pem
At this point, you are ready to use your GRID certificate for GRID tasks. See Bob's DQ2 Setup Instructions for information about using DQ2.

Taken in whole from directions set up by Devin Harper, 23 July, 2007, on the Higgs Twiki of linat05.

-- BobBall - 15 Jan 2009
Topic revision: r8 - 24 Jul 2015, ShawnMcKee
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback