What do I do with my certificate?

Now that I have a certificate, what should I do with it?

• Try out our test page to check that your certificate is properly installed in your browser. Installation should happen automatically as part of the process of getting your certificate.
• If the test fails, your certificate did not get installed properly. Look at the Troubleshooting section. You'll probably have to install it manually.
• Consult the table under "Personal Certificates" that lists common uses for KCA and DOEGrids personal certificates. The links given for each task take you to information on how to set up and use your certificate for that task.
• If you wish to use your certificate in mulitple browsers or other applications, see How to Import and Export (Backup) a Personal Certificate into and from Applications to find out how to export (save) your certificate to a file so that you can then import it into other applications.
• If you export your certificate, please read about what security measures to take to protect the sensitive files.
• If you plan to use Globus tools for submitting jobs to a grid (from Linux), convert your certificate and private key to PEM format and get a proxy certificate.

How do I sign and/or encrypt email messages?

See How to Set Your Email Client to Digitally Sign and/or Encrypt your Outgoing Messages.

What security measures do I need to take ?

I want a little background first.

The certificate file you export from your browser should be kept only on removable media. When you first export this file, copy it to a local drive that is inaccessible to the network, import it into applications as necessary, then remove it from your machine after you're done, keeping it on removable media for future use. You'll need to keep your userkey.pem file on your machine if you need to get proxy certificates.

Please follow these security guidelines with regard to your pem file, private key and related files:

• DO NOT copy it to or store it in AFS space.
• DO NOT copy it to or store it in a directory that is accessible to the network.
• DO NOT copy it to or store it in a directory that is accessible by anyone besides yourself.

Grid information (users and admins)

Globus users

You need a proxy certificate in order to submit grid jobs using Globus tools. We only provide information for Linux/UNIX. Please read the Fermilab Grid Access Control Policy.

• See Using Globus tools for submitting grid jobs from Linux/UNIX to find out how to get one using your DOEGrids certificate.
• See Get your Personal KCA Certificate and Proxy (Linux) to see how to get a Kerberos certificate and proxy.

Consult the Globus documentation and/or your VO-specific documentation to learn how to run grid jobs using your proxy certificate.

Middleware administrators

Grid middleware administrators, see Host and Service certificates and FermiGrid pages.

Troubleshooting

If the browser test fails for a personal certificate ...

• Check that your certificate is installed properly. On the import/export instruction page, find instructions for your browser and follow them to the point where you can see if your certificate appears.

The browser test succeeds, but other sites fail ...

• Check that the trust chain is in place: Install the CA certificates if not yet done (this step is not always necessary, but may be for the site you want)

Your KCA certificate doesn't prompt you to renew it ...

Your certificate has been compromised (how do you know?) ...

• Revoke it and request a new one.

I forgot my encryption password and can't reimport my exported certificate ...

• Re-export it from the initial browser, and give it a new encryption password.

Trouble with signing/encrypting email messages.