x509 certificates for researchers and employees at UiO
Researchers and others employed at the University of Oslo sometimes take part in international projects that use x509 certificates to authenticate users and grant access to websites or services connected to the project. This page gives a short explanation of what an x509 certificate is and how you can obtain one if you need it.
What is an x509 certificate
A certificate is a document that certifies you as an entity within an institution. Trust is established through a chain of trust: if the authority that issued the certificate is trusted, then your certificate is accepted. Certificates can be used for signing documents, for encryption and for authentication (e.g. to browse or use web content and services). UiO's certificates are signed by the TERENA authority and follow the x509 standard.
A certificate is only worth anything as long as the private key belonging to it is held by you alone. The private key must therefore be treated like a password: it must never be shared with others or stored in such a way that others can access it.
If your certificate and the associated password (or the private key itself) in one way or another become known to any other party, you are obligated to inform UiO IT promptly (email@example.com).
Every person with a legally binding relationship with the University of Oslo may obtain a certificate. Certificates are issued for one year, unless your binding relationship with UiO ends sooner; in that case the validity of the certificate is shortened accordingly. After one year the certificate can be renewed, provided that you still qualify.
Getting an x509 certificate
The University of Oslo (UiO) can grant certificates of two types: IGTF-compliant grid/eScience and regular personal. The difference is that a grid/eScience certificate can also be used to authenticate to scientific computing services. Ask for the grid/eScience one (GÉANT IGTF-MICS Personal) if you are involved in scientific computing; otherwise the regular personal certificate will fulfil your needs.
Earlier orders were placed through DigiCert (until April 2020). Orders are now placed via Sectigo.
In order to apply for a certificate through Sectigo you must belong to a specific unix group (usit-fi-x509-personal-user or usit-fi-x509-user). You can check which groups you are a member of on the "Brukerinfo" page: https://brukerinfo.uio.no/groups/memberships/
If you are not a member of the usit-fi-x509-personal-user or usit-fi-x509-user group, please send a request to firstname.lastname@example.org or contact Maiken Pedersen (email/mattermost) directly.
Steps to request a certificate from the Sectigo web page
1. At the Sectigo entry page, select the "Feide" institution, and not the "FEIDE" one.
2. Fill in the Digital Certificate Enrollment form according to your needs.
You can choose a regular personal certificate (GÉANT Personal Certificate), a grid/eScience certificate (GÉANT IGTF-MICS Personal) or a Robot Certificate. If you let the portal generate an RSA or ECC private key, set a password: it protects the PKCS12 bundle you download, and anyone who has the bundle and that password holds your key. Alternatively, generate the key yourself and upload a CSR (certificate signing request), so that the private key never leaves your machine; the openssl documentation describes how to create a CSR.
3. The certificate is issued immediately and downloaded to your computer (usually to your Downloads folder). To import it into your browser, follow your browser's procedure for importing a certificate.
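Creating the CSR locally, as an added example that is not part of the UiO page: the private key is generated and password-protected on your own machine, and only the CSR (which contains public data) is uploaded in the enrollment form. The file names userkey.pem and user.csr are chosen here, the key password is taken from the environment variable KEY_PASS rather than typed on the command line (where it would be visible to other users in the process list), and the subject name is a placeholder assumption: the CA, not the CSR, decides the name that ends up in the issued certificate.

```shell
#!/bin/sh
# Added example, not from the UiO page: make a password-protected private key
# and a CSR locally, so only the CSR (public data) is pasted into the portal.
set -e

# make_csr KEYFILE CSRFILE SUBJECT
# The key password is read from $KEY_PASS (never put it on the command line).
make_csr() {
  key=$1; csr=$2; subject=$3
  : "${KEY_PASS:?set KEY_PASS to the password that will protect $key}"
  # 4096-bit RSA key encrypted under KEY_PASS; -subj avoids interactive prompts
  openssl req -new -newkey rsa:4096 -keyout "$key" -out "$csr" \
    -subj "$subject" -passout env:KEY_PASS
  chmod 600 "$key"   # private key readable by the owner only
}

# csr_is_consistent CSRFILE KEYFILE -> 0 if the CSR's self-signature verifies
# and the public key inside the CSR is the one belonging to KEYFILE
csr_is_consistent() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout)
  [ "$csr_pub" = "$key_pub" ]
}

# Usage: KEY_PASS='...' sh make_csr.sh run
# then upload user.csr in the "Digital Certificate Enrollment" form.
if [ "${1:-}" = "run" ]; then
  make_csr userkey.pem user.csr "/CN=Placeholder Name"   # subject is a placeholder
  csr_is_consistent user.csr userkey.pem && echo "CSR and key are consistent"
fi
```

Keep userkey.pem: when the portal returns the issued certificate for a CSR, there is no private key in the download, and the certificate is only usable together with this key file.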
Converting the certificate to PEM cert/key pair
Sometimes you need your certificate in the form of two PEM files, one containing the certificate (the public part) and the other the private key (typically named usercert.pem and userkey.pem). This is needed, for example, by users who access grid/eScience resources directly and have to generate a proxy certificate. The certificate the portal installs in your browser is in a different format (PKCS12) and comes as a single bundle with no separation of the public and private parts. To convert it, use the procedure described below on Linux/macOS.
Export the installed bundle from your browser (or from the keychain on macOS). The portal should have given you instructions for how to do this when the certificate was generated. Search the Internet if you are in doubt, or contact email@example.com if you can't solve it yourself. The export gives you a bundle saved as a local file in PKCS12 format. Remember that if the export password is left blank, anyone who gets hold of your bundle can use your certificate! Delete the bundle when the conversion is done.
1. Move the PKCS12 bundle from your Downloads folder to a location of your choice.
2. You already have a password for the certificate, as the Sectigo page requires one. In a command-line interface, go to the directory where your PKCS12 bundle is stored and run:
openssl pkcs12 -nocerts -in <cert_file.pk12> -out userkey.pem
where <cert_file.pk12> is the name of your bundle (e.g. certs.p12). It will first ask for the import password and then for a PEM pass phrase for the new key file, which you should have decided on already. This gives you the private key in userkey.pem, still encrypted. The PEM pass phrase you entered is the password you will use from now on whenever you use the key.
3. Now get the certificate (the public part) from the bundle. Run:
openssl pkcs12 -nokeys -clcerts -in <cert_file.pk12> -out usercert.pem
where <cert_file.pk12> again is the name of your bundle. This gives you the certificate (the public part) in usercert.pem.
Now you can use your PEM certificate/key pair.
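The conversion above, as an added example that is not part of the UiO page: the same two openssl pkcs12 commands, wrapped so that the passwords are passed through the environment variables P12_PASS (bundle import password) and KEY_PASS (pass phrase for userkey.pem) instead of interactive prompts, the key file is restricted to the owner, and the result is checked (key belongs to certificate, certificate not about to expire) before the bundle is deleted. The make_test_bundle helper constructs a throwaway self-signed identity so the script can be tried offline; such a certificate is of course not accepted by any real service.

```shell
#!/bin/sh
# Added example, not from the UiO page: PKCS12 -> usercert.pem / userkey.pem
# with locked-down permissions and consistency checks.
set -e

# p12_to_pem BUNDLE -> usercert.pem (0644) and userkey.pem (0600)
# Reads the import password from $P12_PASS and the pass phrase that will
# protect userkey.pem from $KEY_PASS.
p12_to_pem() {
  bundle=$1
  : "${P12_PASS:?bundle import password}" "${KEY_PASS:?new userkey.pem pass phrase}"
  # private key only; it stays encrypted (no -nodes) under KEY_PASS
  openssl pkcs12 -in "$bundle" -nocerts -out userkey.pem \
    -passin env:P12_PASS -passout env:KEY_PASS
  # end-entity certificate only (-clcerts skips any CA certificates in the bundle)
  openssl pkcs12 -in "$bundle" -nokeys -clcerts -out usercert.pem \
    -passin env:P12_PASS
  chmod 600 userkey.pem    # grid tools refuse a key that other users can read
  chmod 644 usercert.pem   # the certificate is public
}

# key_matches_cert CERT KEY -> 0 if both carry the same public key
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS -> 0 unless CERT expires within DAYS days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_test_bundle OUT.p12 DAYS: constructed throwaway identity (self-signed,
# NOT usable against any service) for trying the functions above offline.
make_test_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout tk.pem -out tc.pem \
    -days "$2" -subj "/CN=Test User" 2>/dev/null
  openssl pkcs12 -export -in tc.pem -inkey tk.pem -out "$1" -passout env:P12_PASS
  rm -f tk.pem tc.pem
}

# Usage: P12_PASS='...' KEY_PASS='...' sh convert.sh certs.p12
if [ "${1:-}" ]; then
  p12_to_pem "$1"
  key_matches_cert usercert.pem userkey.pem
  cert_valid_for_days usercert.pem 1
  rm -f "$1"   # the bundle holds your key under the import password only
  echo "usercert.pem and userkey.pem written, $1 deleted"
fi
```

With set -e, a failed check aborts the script before the bundle is removed, so you never end up with neither a bundle nor a working PEM pair. If key_matches_cert fails after a browser export, the export most likely contained a different (older or renewed) certificate than the one you expected.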
If you get complaints that your certificate is not signed by a trusted authority, install the root certificates of TERENA and/or DigiCert in your browser/system. They can be found here.