x509 personal certificates for researchers and employees at UiO

Researchers and others employed at the University of Oslo sometimes participate in international projects that use personal x509 certificates to authenticate users and grant access to websites or services connected to the project. This page gives a short explanation of what x509 certificates are and how you can obtain one if needed. Please note that the procedure for creating certificate requests and keys is described in the Norwegian ssl-cookbook.

If you need a host certificate rather than a personal x509 certificate, order it here: https://nettskjema.no/a/74868 and follow the procedure in the ssl-cookbook to create the certificate request and key needed for the form.

Sectigo

Order your user certificate at Sectigo. 

Read more about how-to below.

What is an x509 certificate

A certificate is a document that certifies you as an entity within an institution. The certification works through a chain of trust: if the authority that issues the certificate is trustworthy, then your certificate is valid. Certificates can be used for signing documents, for encryption and for authorization (i.e. to browse or use web content and services). UiO's certificates are signed by the TERENA authority and follow the x509 standard.

Policy and terms of use

The certificates are to be treated like passwords, with the corresponding care. They must never be shared with others or stored in a way that makes them accessible to others.

By using this service you accept to comply with all terms of use of the specific grid/eScience service, including the terms of use for the UiO IT-resources, and in particular the UiO IT-regulations and the rules specified in the UiO IT-security handbook.

If your certificate and the associated password in one way or another are made known to any other party, you are obligated to inform UiO IT promptly (it-support@uio.no).

If it is made known to us that your use of this service or of UiO IT resources is not in compliance with the terms of use or Norwegian law, we will revoke the rights given to you with immediate effect.

Every person with a legally binding relationship with the University of Oslo may obtain a certificate. Certificates are issued for one year, unless the duration of the binding relationship with UiO is shorter; in that case the certificate validity is adjusted accordingly. After one year the certificate can be renewed, provided that you still qualify.

Getting an x509 certificate

Orders are placed via Sectigo - follow the link to get your certificate.

Requirements to apply for a certificate

In order to apply for a certificate through Sectigo you must belong to a specific unix group (usit-fi-x509-personal-users or usit-fi-x509-users). You can check which groups you are a member of on the "Brukerinfo" page: https://brukerinfo.uio.no/groups/memberships/

If you are not a member of the usit-fi-x509-personal-users or usit-fi-x509-users group, please send a request to hpc-drift@usit.uio.no or contact Maiken Pedersen (email/mattermost) directly.

What certificate to get

The University of Oslo (UiO) can grant certificates of two types: IGTF-compliant grid/eScience and regular. The difference between the two is that the grid/eScience certificate can be used for authenticating with scientific computing services. Ask for the grid/eScience one (GÉANT IGTF-MICS Personal) if you are involved in scientific computing; otherwise the regular personal certificate will fulfil your needs.


Steps to request a certificate from Sectigo web page

1. At the Sectigo entry page, select "Feide" as the institution to log in with.


2. Fill in the Digital Certificate Enrollment form according to your needs.


You can choose a regular SSL certificate (GÉANT Personal Certificate), a grid/eScience certificate (GÉANT IGTF-MICS Personal) or a Robot Certificate. Set a password if an RSA or ECC private key is generated for you, or upload your own CSR (how to create a CSR is described in the ssl cookbook, in Norwegian).

The certificate is ready at once and is downloaded to your computer (into your Downloads folder). To import it into your browser, follow your browser's procedure for importing a certificate.

Note: if you get the certificate using a CSR, Sectigo gives you a pem file containing the certificate chain, whereas if you let Sectigo generate the key for you, it gives you a password-protected pk12 file. See below for converting the pk12 file to pem files. Note that the pem file from Sectigo contains the full chain, so you might need to extract only the part of it that you need.


Converting the pk12 certificate to PEM cert/key pair

Sometimes you might need your certificate in the form of two PEM files, one holding the public certificate and the other the private key (typically named usercert.pem and userkey.pem). For example, users who access grid/eScience resources directly need these files to generate a proxy certificate. The certificate installed in your browser by the portal has a different format (PKCS12) and comes as a single bundle with no separation of the public and private parts. To convert it, use the procedure described below on Linux/Mac OS.

1. Move the pkcs12 certificate from your Downloads folder to a place of your preference.

2. You already have a password for the certificate, as the Sectigo page requires one. In a command-line interface, go to the directory where your pkcs12 bundle is stored and run:

openssl pkcs12 -nocerts -in <cert_file.pk12> -out userkey.pem

where <cert_file.pk12> is the name of your bundle (e.g. certs.p12). It will first ask for the import password, and then for the PEM password for your userkey, which you should have decided on already. This gives you the private key in the file userkey.pem. The PEM password you entered is the password for the userkey that you use from now on whenever you work with the key.

3. Now get the public key from the bundle. Run:

openssl pkcs12 -nokeys -clcerts -in <cert_file.pk12> -out usercert.pem

where <cert_file.pk12> again is the name of your bundle. This gives you the public part (the certificate) in the file usercert.pem.

Now you can use your public/private PEM files.
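The same two openssl commands run as a script, as an added example that is not part of the UiO page: the passwords are supplied on the command line instead of at the prompts, the extracted key is kept owner-readable only, and the key is checked against the certificate before use. The bundle, the passwords and the "Sample User" name are constructed for the example; a real user would point p12_to_pem at the file downloaded from Sectigo.

```shell
#!/bin/sh
# Added example (not from the UiO page): the page's two openssl commands run
# non-interactively, plus the checks a practitioner wants: private key file
# permissions and proof that key and certificate belong together.
set -e

# Split a PKCS#12 bundle into userkey.pem and usercert.pem.
# $1 bundle (e.g. certs.p12), $2 import password, $3 new PEM password for
# the key, $4 output directory. Passwords go via -passin/-passout instead of
# the interactive prompts described on the page.
p12_to_pem() {
    bundle=$1; import_pw=$2; pem_pw=$3; outdir=$4
    mkdir -p "$outdir"
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; openssl pkcs12 -nocerts -in "$bundle" -out "$outdir/userkey.pem" \
        -passin "pass:$import_pw" -passout "pass:$pem_pw" )
    openssl pkcs12 -nokeys -clcerts -in "$bundle" -out "$outdir/usercert.pem" \
        -passin "pass:$import_pw"
    chmod 600 "$outdir/userkey.pem"   # private key: owner-only access
    chmod 644 "$outdir/usercert.pem"  # certificate is public
}

# Compare the public key inside the certificate with the one derived from
# the private key; prints "match" or "mismatch".
check_pair() {
    outdir=$1; pem_pw=$2
    cert_pub=$(openssl x509 -in "$outdir/usercert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/userkey.pem" -passin "pass:$pem_pw" -pubout)
    [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Keep only the first certificate of a chain PEM (assumed, as is usual, to be
# the end-entity certificate), e.g. the file Sectigo returns for a CSR.
leaf_cert() { awk '/BEGIN CERTIFICATE/{n++} n==1{print}' "$1"; }

# Build a constructed throwaway bundle so the script runs offline; a real
# user points p12_to_pem at the file downloaded from Sectigo instead.
make_sample_p12() {
    dir=$1; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample User" \
        -keyout "$dir/sample-key.pem" -out "$dir/sample-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/sample-key.pem" -in "$dir/sample-cert.pem" \
        -out "$dir/certs.p12" -passout "pass:import-secret"
    echo "$dir/certs.p12"
}
```

Running check_pair before generating a proxy certificate catches the common mistake of pairing a key with the wrong usercert.pem, which otherwise only shows up as an obscure error from the grid tools.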

Root certificates

If you get complaints that your certificate is not signed by a trusted authority, install the root certificates of Terena and/or DigiCert in your browser/system. They can be found here.

Published Mar. 30, 2015 11:14 AM - Last modified May 10, 2023 10:41 AM