
Rekey user or host certificates

 

After you rekey a user or host certificate, you receive a brand-new certificate and private key. The previous certificate and private key are revoked and can no longer be used. The following procedure explains how to put the new certificate into service. Make sure your old user certificate is already imported into the browser before you access the rekeying web page.

Note: If your user certificate has already expired, you need to request a new certificate instead of rekeying. Please follow the request procedure to obtain a new user certificate.

To check the expiration date of a user/host certificate, please refer to: Click here.

Instructions for rekeying user/host certificates

1. Import old user certificate into the browser.
2. Finish rekey procedure.
3. Replace user/host certificate.
4. Optional: re-join the Virtual Organization (VO) with your user certificate if you want to use the resources of a specific VO.

  • Import old user certificate into the browser

    For security reasons, and to help us verify your identity, please import your old certificate into the browser before accessing the CA website. To import your user certificate into the browser, please refer to: Import user certificate.

  • Finish rekey procedure

    Main page of the rekey procedure: this page has two links, one for user certificates and one for host certificates. Please refer to the guide to finish this procedure.

  • Replace user/host certificate

    Once you get a new user/host certificate, you will need to replace the old one.

    For user certificate

    You will receive an email from ASGCCA. Click the link to download the crt (cer) file. This is your public key, and it needs to be combined with the private key that is stored in the same browser you used to submit the certificate request. Importing the crt (cer) file into the browser works the same way as importing a user certificate into the browser, as mentioned before. Once the public key and private key are combined, the certificate is usable. You can then export it and install it on the UI.
    Note: The exported file is a complete copy that can be imported into any browser you want. Protect it carefully; we will revoke the certificate if a security issue arises.
    Note: The exported file has the extension pfx when the user certificate is exported from IE, and p12 when it is exported from Firefox.

    To import the p12 (pfx) file into the UI, use the following commands (replace xxxx.p12 with the name of your exported file, or xxxx.pfx if it was exported from IE):
    $ cd ~/.globus
    $ openssl pkcs12 -in xxxx.p12 -clcerts -nokeys -out usercert.pem
    $ openssl pkcs12 -in xxxx.p12 -nocerts -out userkey.pem
    $ chmod 644 usercert.pem
    $ chmod 400 userkey.pem
    Note: usercert.pem must have permission 644 and userkey.pem permission 400, and both must be owned by the user.

    For host certificate

    You will receive an email from ASGCCA with an attached zip file. It contains three files: xxxx.crt (public key), key.pem (private key) and req.pem. Please put them into /etc/grid-security and rename them:

    # cd /etc/grid-security
    # mv xxxx.crt hostcert.pem
    # mv key.pem hostkey.pem
    # chmod 644 hostcert.pem
    # chmod 400 hostkey.pem
    Note: hostcert.pem must have permission 644 and hostkey.pem permission 400, and both must be owned by root.
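
    Before relying on the replaced files, it is worth confirming that the certificate and key belong together, that their modes are the ones given above, and that the certificate is not about to expire. The script below is an added example, not part of the ASGCCA instructions; the function names, the file name check_pair.sh and the 30-day expiry window are assumptions of this example.

```sh
#!/bin/sh
# Added example: sanity checks for a certificate/key pair after rekeying.
# Usage: sh check_pair.sh CERT KEY   (check_pair.sh is a hypothetical file name)

# Print the 10-character mode string of a file, e.g. "-r--------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Permissions stated on this page: certificate 644, private key 400.
check_modes() {
    [ "$(mode_of "$1")" = "-rw-r--r--" ] || { echo "certificate is not mode 644: $1" >&2; return 1; }
    [ "$(mode_of "$2")" = "-r--------" ] || { echo "private key is not mode 400: $2" >&2; return 1; }
}

# The certificate must contain the public half of the private key.
# openssl asks for the passphrase if the key file is encrypted.
check_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not belong together" >&2; return 1; }
}

# Warning window is an assumption of this example: 30 days = 2592000 seconds.
check_expiry() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null || { echo "certificate expires within 30 days: $1" >&2; return 1; }
}

# All three checks; stops at the first failure.
check_pair() {
    check_modes "$1" "$2" && check_match "$1" "$2" && check_expiry "$1"
}

# Run the checks when called with two arguments.
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: $1 / $2"
fi
```

    For a user certificate pass ~/.globus/usercert.pem and ~/.globus/userkey.pem; for a host certificate pass /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem as root.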

  • Join Virtual Organization

    This step is optional and applies when a user wants to join a specific VO. For how to join a VO, please refer to: Join VO