Science IT Support

eScience Certificate Signing Request

In order to get a user or host certificate signed, please follow the instructions below.

Within four working days you will receive an email with your signed certificate.

The certificates are signed by SEE-GRID, an IGTF-accredited Certificate Authority.

Please contact certificates@lhep.unibe.ch if needed.

Common Requests

Identification

If you need a new User certificate and cannot provide a valid existing certificate, we will need to formally identify you as part of the request.

As such, you will need to attach a photo ID to your request, which will be stored in our records.

If authority operators don't know you and need additional confirmation of your identity or affiliation, we may need to contact you or your colleagues for extra verification.

Generating new key & CSR

To create a new key and signing request, issue the following command on the machine from which you submit your grid jobs, with appropriate substitutions (remove the curly brackets):

openssl req -newkey rsa:2048 -subj "/DC=EU/DC=EGI/C=CH/O=People/O={Full name of your institution}/CN={Firstname Lastname as in provided ID}" -keyout userkey.pem -out user_cert_request.csr

Valid institution names:

  • O=Ecole polytechnique federale de Lausanne (EPFL)
  • O=ETH Zuerich
  • O=Eidg. Forschungsanstalt fuer Wald, Schnee und Landschaft (WSL)
  • O=Eidgenoessische Materialpruefungs- und Forschungsanstalt (EMPA)
  • O=EAWAG (Eidg. Anstalt fuer Wasserv., Abwasserr. u. Gewaessersch.)
  • O=Fachhochschule Nordwestschweiz
  • O=FHS St. Gallen Hochschule fuer Angewandte Wissenschaften
  • O=Haute Ecole Specialisee de Suisse occidentale (HES-SO)
  • O=Hochschule Luzern
  • O=Paul-Scherrer-Institut (PSI)
  • O=Universita della Svizzera Italiana
  • O=Universitaet Basel
  • O=University of Bern
  • O=Universite de Geneve
  • O=Universite de Lausanne
  • O=Universite de Neuchatel
  • O=University of Zurich

This command creates two files:

  • userkey.pem    This is your private key - keep it safe.
  • user_cert_request.csr    This is the certificate signing request - you'll need to email this file.

With the following command you may inspect your request:

openssl req -in user_cert_request.csr -noout -text -nameopt sep_multiline

Submitting your request

Email your request by clicking here. Follow the instructions in the email template. You will need to provide your photo ID together with the .csr file.

Identification

If you have a valid User certificate and want to request a new one, you can do so without providing a photo ID. You will need to sign the request email with the certificate to prove your identity.

Please note: you cannot request a new certificate without changing your old key. CA rules require you to generate a fresh key for a new certificate.

Generating new key & CSR

To create a new key and signing request, issue the following command on the machine from which you submit your grid jobs, with appropriate substitutions (remove the curly brackets):

openssl req -newkey rsa:2048 -subj "/DC=EU/DC=EGI/C=CH/O=People/O={Full name of your institution}/CN={Firstname Lastname as in provided ID}" -keyout userkey.pem -out user_cert_request.csr

Valid institution names:

  • O=Ecole polytechnique federale de Lausanne (EPFL)
  • O=ETH Zuerich
  • O=Eidg. Forschungsanstalt fuer Wald, Schnee und Landschaft (WSL)
  • O=Eidgenoessische Materialpruefungs- und Forschungsanstalt (EMPA)
  • O=EAWAG (Eidg. Anstalt fuer Wasserv., Abwasserr. u. Gewaessersch.)
  • O=Fachhochschule Nordwestschweiz
  • O=FHS St. Gallen Hochschule fuer Angewandte Wissenschaften
  • O=Haute Ecole Specialisee de Suisse occidentale (HES-SO)
  • O=Hochschule Luzern
  • O=Paul-Scherrer-Institut (PSI)
  • O=Universita della Svizzera Italiana
  • O=Universitaet Basel
  • O=University of Bern
  • O=Universite de Geneve
  • O=Universite de Lausanne
  • O=Universite de Neuchatel
  • O=University of Zurich

This command creates two files:

  • userkey.pem    This is your private key - keep it safe.
  • user_cert_request.csr    This is the certificate signing request - you'll need to email this file.

With the following command you may inspect your request to check its validity:

openssl req -in user_cert_request.csr -noout -text -nameopt sep_multiline
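A worked version of the key and CSR commands above, covering both a first request and a renewal (a renewal must use a fresh key, which the script enforces by refusing to overwrite an existing key file). This is an added example written for this page, not a script provided by the support team: the institution list is copied from the page, while the helper names, the sample name "Jane Doe" and the optional passphrase-file argument are this example's own assumptions. It also performs the checks a requester should make before emailing the .csr: the key is passphrase-protected and readable only by its owner, and the subject read back from the CSR is exactly the one requested.

```shell
#!/bin/sh
# Added example, not the support page's own script: generate a User key and
# CSR with the subject format given above and run the checks a requester
# should make before emailing the .csr. The institution list is the page's;
# the sample name "Jane Doe", the passphrase-file option and the check
# functions are assumptions of this example.

# Accepted values for the second O= component (the page's list, one per line).
VALID_INSTITUTIONS='Ecole polytechnique federale de Lausanne (EPFL)
ETH Zuerich
Eidg. Forschungsanstalt fuer Wald, Schnee und Landschaft (WSL)
Eidgenoessische Materialpruefungs- und Forschungsanstalt (EMPA)
EAWAG (Eidg. Anstalt fuer Wasserv., Abwasserr. u. Gewaessersch.)
Fachhochschule Nordwestschweiz
FHS St. Gallen Hochschule fuer Angewandte Wissenschaften
Haute Ecole Specialisee de Suisse occidentale (HES-SO)
Hochschule Luzern
Paul-Scherrer-Institut (PSI)
Universita della Svizzera Italiana
Universitaet Basel
University of Bern
Universite de Geneve
Universite de Lausanne
Universite de Neuchatel
University of Zurich'

# is_valid_institution <name>: 0 only if <name> is exactly one of the above.
is_valid_institution() {
    printf '%s\n' "$VALID_INSTITUTIONS" | grep -qxF -- "$1"
}

# build_subject <institution> <full name>: print the -subj value the CA expects.
build_subject() {
    is_valid_institution "$1" || { echo "unknown institution: $1" >&2; return 1; }
    printf '/DC=EU/DC=EGI/C=CH/O=People/O=%s/CN=%s\n' "$1" "$2"
}

# check_private_key <file>: the key must be passphrase-protected (openssl
# writes an ENCRYPTED PEM block when a passphrase is set) and must not be
# readable by group or others.
check_private_key() {
    if ! grep -q 'ENCRYPTED' "$1"; then
        echo "$1 is not passphrase-protected" >&2; return 1
    fi
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is readable by other users; run: chmod 400 $1" >&2; return 1 ;;
    esac
}

# make_user_csr <institution> <full name> <keyfile> <csrfile> [passfile]
# Generates a fresh key and CSR (a renewal needs a new key too, so an existing
# key file is never overwritten), then reads the subject back out of the CSR
# and compares it with what was requested. Without <passfile> openssl prompts
# for the key passphrase interactively, as in the page's command.
make_user_csr() {
    inst=$1; name=$2; key=$3; csr=$4; passfile=${5:-}
    subj=$(build_subject "$inst" "$name") || return 1
    if [ -e "$key" ]; then
        echo "$key already exists; refusing to overwrite a key" >&2; return 1
    fi
    set -- openssl req -newkey rsa:2048 -subj "$subj" -keyout "$key" -out "$csr"
    if [ -n "$passfile" ]; then set -- "$@" -passout "file:$passfile"; fi
    # umask in a subshell: the key is created 0400 without changing the
    # caller's umask (the same trick the page uses for host keys).
    (umask 0377; "$@") || return 1
    check_private_key "$key" || return 1
    got=$(openssl req -in "$csr" -noout -subject -nameopt compat)
    [ "$got" = "subject=$subj" ] || { echo "CSR subject mismatch: $got" >&2; return 1; }
    echo "OK: $csr requests $subj"
}

# Usage from an interactive shell on the submit machine:
#   . ./usercsr.sh
#   make_user_csr "University of Bern" "Jane Doe" userkey.pem user_cert_request.csr
```

The subject comparison uses `-nameopt compat` because that reproduces the slash-separated form passed to `-subj`; the default output format of newer OpenSSL releases inserts spaces around `=` and would never match.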

Submitting your request

Email your request by clicking here. Follow the instructions in the email template. You will need to include the .csr file and sign the email with your current User certificate.

Identification

This step requires that you already have a user certificate and that you know why you need a host certificate.

Generating new key & CSR

Generate the host key and signing request by editing the FQDN and optionally the ALTNAMES lines in this configuration file (myserver.cnf) and then issuing the following command on the host:

(umask 0377; openssl req -new -config myserver.cnf -keyout privkey.pem -out hostname_sign_request.csr)

The parentheses are important: they run umask in a subshell, so the restrictive mask (the key is created with mode 0400) does not affect default permissions for the rest of your shell session.

This command creates two files:

  • privkey.pem    This is the host private key - keep it safe.
  • hostname_sign_request.csr    This is the certificate signing request - you'll need to email this file.

It is recommended to rename hostname_sign_request.csr to match the hostname of the requested certificate.

With the following command you may inspect your request:

openssl req -in hostname_sign_request.csr -noout -subject
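An added example, not the page's own myserver.cnf or a script from the support team: it writes a request configuration with the FQDN and ALTNAMES lines the page says to edit, runs the page's umask/openssl one-liner, names the CSR after the host as recommended, and then checks that the key came out as 0400 and that every alternative name made it into the request. The subject components other than CN (DC=EU/DC=EGI/C=CH/O=Hosts/O=University of Bern) and the host names are assumptions made for the example; take the real ones from the configuration file the page links to.

```shell
#!/bin/sh
# Added example, not the page's own myserver.cnf or script: write a request
# configuration with FQDN / ALTNAMES lines, generate the host key + CSR with
# the page's umask trick, and check the result. DN components other than CN
# are assumed (by analogy with the User subject); use the page's real file.

# write_host_config <cnf> <fqdn> [extra DNS name ...]
# FQDN and ALTNAMES are plain openssl config variables: values set before the
# first [section] are expanded wherever $FQDN / $ALTNAMES appear below.
write_host_config() {
    cnf=$1; fqdn=$2; shift 2
    alt='DNS:$FQDN'
    for n in "$@"; do alt="$alt, DNS:$n"; done
    cat > "$cnf" <<EOF
FQDN = $fqdn
ALTNAMES = $alt

[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
# host keys are used by unattended services, so no passphrase
encrypt_key        = no
distinguished_name = req_dn
req_extensions     = req_ext

# ASSUMED subject: only CN is taken from the page's description
[ req_dn ]
0.DC = EU
1.DC = EGI
C    = CH
0.O  = Hosts
1.O  = University of Bern
CN   = \$FQDN

[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
}

# config_fqdn <cnf>: the FQDN line, used to name the CSR after the host.
config_fqdn() {
    sed -n 's/^FQDN *= *//p' "$1"
}

# make_host_csr <cnf> <outdir>: creates <outdir>/privkey.pem (mode 0400) and
# <outdir>/<fqdn>.csr. The subshell confines umask 0377 to this one command,
# which is why the page's one-liner is parenthesised.
make_host_csr() {
    cnf=$1; dir=$2
    fqdn=$(config_fqdn "$cnf")
    [ -n "$fqdn" ] || { echo "no FQDN line in $cnf" >&2; return 1; }
    key=$dir/privkey.pem; csr=$dir/$fqdn.csr
    if [ -e "$key" ]; then echo "$key exists; refusing to overwrite" >&2; return 1; fi
    (umask 0377; openssl req -new -config "$cnf" -keyout "$key" -out "$csr") || return 1
    case "$(ls -ld "$key" | cut -c2-10)" in
        r--------) ;;
        *) echo "unexpected permissions on $key" >&2; return 1 ;;
    esac
    echo "key: $key  request: $csr"
}

# csr_has_san <csr> <dns name>: 0 if the request lists DNS:<dns name>.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# Usage on the host:
#   write_host_config myserver.cnf host.example.org alias.example.org
#   make_host_csr myserver.cnf .
#   openssl req -in host.example.org.csr -noout -subject
```

Check the alternative names before emailing the request: a SAN that is missing from the CSR cannot be added by the CA afterwards, and browsers and grid middleware ignore the CN when a subjectAltName extension is present.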

Submitting your request

Email the file hostname_sign_request.csr by clicking here. You will need to sign your request email with a valid User certificate.

Note that you can bundle multiple certificate requests in one email.

You will need to be able to sign your emails with your User certificate:

  • To accept the certificate from CA
  • To request new certificates without ID validation

Assuming userkey.pem is your private key and usercert.pem is the certificate you received from CA, run this command:

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out egi.p12

This will create a bundle egi.p12 which can be imported into your mail client or OS keychain (or, in some cases, uploaded to your mail server) to sign messages using S/MIME.

You may need to install the SEE-GRID CA trust root first.

Additional Information

CA root certificate

The CA root certificate is available here, with fingerprint published at SEE-GRID CA webpage.
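An added example (not a script from the support team) for the S/MIME bundling step above and for the CA root: before exporting egi.p12 it confirms that usercert.pem really belongs to userkey.pem (a mismatched pair imports fine and then fails to sign), it includes the CA root so the mail client can build the chain, and it compares a downloaded root against the fingerprint published on the SEE-GRID CA page before the root is trusted. File names follow the page; the fingerprint value, the password-file arguments and the test certificates are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the support page's own script: build the egi.p12 bundle
# only after confirming cert and key belong together, include the CA root in
# the bundle, and verify a downloaded root against a published fingerprint.
# File names follow the page; fingerprint value and password files are assumed.

# key_matches_cert <key> <cert> [passfile]: compares the public key derived
# from the private key with the one inside the certificate.
key_matches_cert() {
    key=$1; cert=$2; passfile=${3:-}
    if [ -n "$passfile" ]; then
        kpub=$(openssl pkey -in "$key" -pubout -passin "file:$passfile") || return 1
    else
        kpub=$(openssl pkey -in "$key" -pubout) || return 1
    fi
    cpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    [ "$kpub" = "$cpub" ]
}

# bundle_smime <cert> <key> <out.p12> <ca-root.pem> <export-passfile> [key-passfile]
# Refuses to export a bundle whose certificate and key do not belong together.
# Without <key-passfile> openssl prompts for the key passphrase, as on the page.
bundle_smime() {
    cert=$1; key=$2; out=$3; ca=$4; passout=$5; passin=${6:-}
    key_matches_cert "$key" "$cert" "$passin" || { echo "$cert does not match $key" >&2; return 1; }
    set -- openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
        -out "$out" -passout "file:$passout"
    if [ -n "$passin" ]; then set -- "$@" -passin "file:$passin"; fi
    # the bundle contains the private key, so create it owner-readable only
    (umask 0077; "$@") || return 1
    echo "wrote $out; import it into your mail client or keychain"
}

# verify_ca_root <root.pem> <expected SHA-256 fingerprint>
# The expected value must come from the SEE-GRID CA web page (placeholder in
# the usage below), never from the same download as the certificate itself.
verify_ca_root() {
    got=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage:
#   verify_ca_root seegrid-ca.pem 'AA:BB:...'   # fingerprint from the CA page
#   printf 'export password\n' > p12pass; chmod 600 p12pass
#   bundle_smime usercert.pem userkey.pem egi.p12 seegrid-ca.pem p12pass
```

Delete the password file once the bundle has been imported; the export password protects the key inside egi.p12 in transit and is asked for again by the mail client or keychain at import time.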

Certificate Revocation

Send an email by clicking here. The email must be signed with your EGI User certificate.

With this command you may obtain the required subject of your certificate (usercert.pem is the certificate you received from the CA):

openssl x509 -in usercert.pem -noout -subject -nameopt sep_multiline