When you retrieved your signed personal certificate from the DOEGrids CA website it was placed into a database of certificates your browser keeps. The associated private key was also put into the database at the time you requested your certificate.

In order to use your certificate with Globus and grid-proxy-init you must export your certificate and private key from your browser and convert them to the necessary forms required by the Globus GSI tools. To do so follow these instructions:

Note: These instructions assume you are using version 4.7x of Netscape for a Unix/Linux platform. For other versions of Netscape or for other platforms please use these instructions as a general guide.

1. From the menu choose Communicator -> Tools -> Security Info.
   
   
2. Under the Certificates heading on the left click Yours to view your certificate(s).
   
   
3. Select your DOEGrids certificate from the list of certificates and click the Export button.
   
   
4. Netscape will prompt you for the pass phrase protecting the database of certificates and keys. Enter the pass phrase you have been using.
   
   
5. Netscape will prompt you for a new pass phrase that will be used to encrypt and protect the exported file containing both your certificate and key. Enter your choice of pass phrase. Enter it again when prompted to verify the pass phrase.
   
   
6. Netscape will prompt you to choose a filename and location for the exported file containing both your certificate and private key and encrypted using the pass phrase you chose. Enter a filename and path. It is customary for the file to have a .p12 extension.

   Your have now exported your DOEGrids certificate and private key from your browser into a single file. The next step is to extract your certificate and private key to seperate files and convert them to the form needed to use with grid-proxy-init.

7. Make sure that the GLOBUS_LOCATION environment variable is defined properly.
   
   
8. To extract and convert your certificate to the appropriate form enter

    $GLOBUS_LOCATION/bin/openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out /.globus/usercert.pem

   where YourCert.p12 is the file you saved your exported certificate and key to in step 6. When prompted enter the pass phrase that you used to encrypt your certificate and key when exporting it from Netscape.

9. To extract and convert your private key to the appropriate form run enter

    /bin/openssl pkcs12 -in YourCert.p12 -nocerts -out /.globus/userkey.pem

   You will first be prompted for the pass phrase that you used to encrypt your certificate and key when exporting it from Netscape.

   Next you will also be prompted for a new pass phrase to use to encrypt your private key that you are extracting and saving. This will be the pass phrase that you must enter whenever you run grid-proxy-init. When prompted enter the pass phrase again for verification.

10. Globus GSI tools such as grid-proxy-init require that the file containing your private key have the correct UNIX permissions set. To set the permissions correctly enter

     chmod 400 /.globus/userkey.pem