C. Changing Certificate Formats

C.1 P12 Format to PEM Format

Many of the certificate authorities deliver certificates through a web browser. To use these certificates with Globus, they must be exported from the browser and then reformatted for Globus. Exporting is browser-specific so you will need to follow the help provided with your browser. Once you have extracted the certificate you should have a file with a p12 extension. This file is in the PKCS12 format; you will need to change this to PEM format. If the edg-utils package is installed on your machine, simply executing /opt/edg/bin/pkcs12-extract will create appropriate certificate and key files and place them in the standard location. This is a convenience method for the following:

openssl pkcs12 -nocerts \
        -in cert.p12 \
        -out ~user/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys \
        -in cert.p12 \
        -out ~user/.globus/usercert.pem
The first command gives you your private key; this file must be readable only by you (e.g. unix permission 0600). The second command gives your public certificate (e.g. unix permission 0644). The ~user should be replaced by the path to your home area. The .globus subdirectory is the standard place to put your certificates.
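
The following is an added example, not part of the original guide or of edg-utils: it wraps the two commands above so the key is created under a restrictive umask, then checks the resulting permissions and that the key and certificate belong together. The function names are hypothetical; it assumes an openssl that provides the pkey subcommand.

```sh
#!/bin/sh
# Added example, not part of the original guide. Function names are hypothetical.

# extract_p12 P12FILE DESTDIR [extra openssl pkcs12 options]
# Runs the two commands from C.1 and applies the permissions it requires.
extract_p12() {
    p12=$1; dest=$2; shift 2
    mkdir -p "$dest" || return 1
    (
        umask 077   # files are created owner-only, so the key is never wider
        openssl pkcs12 -nocerts "$@" -in "$p12" -out "$dest/userkey.pem" &&
        openssl pkcs12 -clcerts -nokeys "$@" -in "$p12" -out "$dest/usercert.pem"
    ) || return 1
    chmod 600 "$dest/userkey.pem" && chmod 644 "$dest/usercert.pem"
}

# mode_of FILE: print the ls mode string, e.g. "-rw-------"
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_perms DIR: succeed only if the key is accessible to its owner alone
# and the certificate is not writable by group or others.
check_perms() {
    key=$1/userkey.pem; cert=$1/usercert.pem
    [ -f "$key" ] && [ -f "$cert" ] || { echo "missing file in $1" >&2; return 2; }
    case $(mode_of "$key") in
        -r??------) ;;
        *) echo "userkey.pem is too open: $(mode_of "$key")" >&2; return 1 ;;
    esac
    case $(mode_of "$cert") in
        -r???-??-?) ;;
        *) echo "usercert.pem is writable by others: $(mode_of "$cert")" >&2; return 1 ;;
    esac
}

# key_matches_cert DIR [extra openssl pkey options]
# Compare the public key derived from the private key with the one in the cert.
key_matches_cert() {
    dir=$1; shift
    from_key=$(openssl pkey -in "$dir/userkey.pem" -pubout "$@") || return 1
    from_cert=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey) || return 1
    [ "$from_key" = "$from_cert" ]
}
```

Called as extract_p12 cert.p12 "$HOME/.globus", openssl prompts for the import password and the new key pass phrase exactly as the plain commands do.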

C.2 PEM Format to P12 Format

Popular browsers typically use certificates in PKCS12 format. Consequently you will need to modify the format of the PEM certificates used for Globus to use them within a browser. To change a certificate from PEM format into PKCS12 format (on a machine with edg-utils installed), just issue the command /opt/edg/bin/grid-mk-pkcs12. Again, this is a convenience method for the following:

 
openssl pkcs12 -export \
               -out file_name.p12 \
               -name "My certificate" \
               -inkey ~user/.globus/userkey.pem \
               -in ~user/.globus/usercert.pem
where file_name.p12 is the name of the PKCS12 certificate, and the ~user in the last two lines should be replaced by the path to your home area. You must then import the certificate into your browser. (See Section 2.2.2.)
http://marianne.in2p3.fr