eScience Registration Authority

Birmingham Particle-Physics eScience Registration Authority

We handle local requests for e-Science digital certificates, covering both personal certificates and server certificates. (This is not to be confused with the Janet Certificate Service, which can provide certificates for servers outside e-Science.)

You can apply for an e-Science digital certificate and use our Registration Authority as your selected RA if all the following are true:

  • you are eligible for an e-Science digital certificate under their terms: see their web site. In brief, you need to be involved in an e-Science-related project.

  • you have been informed that you need a digital certificate issued by the UK e-Science Certification Authority. This authority is a member of EuGrid and IGTF.

  • you are a current member of the University of Birmingham with a valid university photo ID card,

  • you are currently in Birmingham and can attend a short face-to-face meeting, bringing your ID card.

If one or more of the above requirements is not true, then you should consider applying instead to another authority: for example, the CERN Certification Authority if you are at CERN.

Please note that getting a digital certificate does not, on its own, entitle you to do anything. So do not request one unless you have been told you need one. A digital certificate merely establishes your authentication or identity: authorisation to use any particular facility is a separate step. Facilities outside the e-Science community are unlikely to accept certificates issued by the e-Science certification authorities as they are not (currently) in the well-known root authorities lists.

Tips for Personal digital certificates

  1. Use an eScience-supported browser, like Firefox. If you have not done so already, you should set a browser Master Password for the Software Security Device. This is the browser's way of keeping your certificate and possibly other unrelated information more secure in its own internal files (in your $HOME/.mozilla filespace). You will need the browser Master Password subsequently at most once per day, maybe less often, when the browser requests it, so make it memorable. In Firefox use Edit > Preferences > Advanced > Security and tick Use a master password. If it's already ticked, then leave it as it is.

  2. Get the UK e-Science Certification Authority's own certificates into your browser using:
    Get eScience Root certificate and then
    Get eScience 2B certificate
    The browser should ask you to confirm you trust these certificates. Tick all the Trust boxes you are asked about. For MacOS users, these certificates will need to be added to your Keychain (most easily done by double-clicking on them in Finder) and then specifically 'trusted'.

  3. Then Apply for or Renew a certificate. Select Request a New User Certificate or Renew Certificate as appropriate. Fill in the fields for
    • full name: if you have multiple surnames then make the surnames the same as on the ID you will use,
    • email address: use one that will remain valid throughout the life of this certificate,
    • Registration Authority: if you are in Birmingham, you can choose Birmingham Particle Physics as the Registration Authority (RA). If you are elsewhere in the UK, then choose an appropriate one. Wherever you choose, you will need to present an ID to that RA to prove who you are, in a form that is recognised by that RA, such as a local ID card.
    • the PIN you choose is just to prove to the RA when you visit him that you are the person who filled in this form, so keep it simple!
    • your password (different to the PIN) will be used to retrieve your certificate after it has been issued so make a note of it.
    • and then click 'Submit Request'
    • After submitting the request, a long 'private key' will be shown in the text box which you should save or copy and paste to a separate file. This will also be needed when retrieving your certificate.
    • Your certificate request will need to be Approved by the RA. For Birmingham PP this is Mark Slater. For a new certificate you will need to visit him in person. Bring your photo ID with you: preferably your university ID card. If the photo on the ID card is not clear, you should bring your passport or driving licence as well. That will then be photocopied onto the middle of an A4 sheet of paper. This ID record will then be kept for as long as you have a current (unexpired) certificate, plus 3 years after that. If you think approval for your certificate is taking a long time, please contact Mark Slater directly to check.

    • For the location, see this travel page.

  4. When you receive a new email from the UK-eScience-CA grid-support, telling you your signed certificate is ready to download, use the link in that email in your normal browser (whichever you used to apply for the certificate) or click here. In this page you will need to give the serial number provided in the email, the email address used, the password for the certificate and the private key that was generated with the request.

  5. In the future you will receive emails warning when your certificate is about to expire. At this time you should go back through the process above but this time click 'Renew Certificate'.

  6. After downloading your new certificate you will need to import it into your browser. This will depend on both browser and operating system. For MacOS you should be able to just double-click on it in Finder and it will be imported into Keychain. For Windows, you'll have to import it into your specific browser. For Chrome you should go to Settings -> Security -> Manage Certificates -> Import. For Firefox, go to Options -> Privacy and Security -> View Certificates -> Your Certificates -> Import.

  7. Check your browser certificate works at the View Your Certificate web page. This should ask you to present your certificate and then show you the details from it. If you get an Alert error message (for example, "host has received an incorrect or unexpected message") then your certificate is not (yet) correctly installed.

  8. If you are a Grid user, you will have to convert that exported certificate to PEM format. For PP group users, there is a command script to make this easy - simply log in to one of the machines and use the command 'userP12toPEM'. This will generate the PEM files and place them in the $HOME/.globus folder where the grid tools will look for them.
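
What the PKCS#12-to-PEM conversion in step 8 involves, as an added example built on standard openssl commands; it is not the group's userP12toPEM script. The file names usercert.pem and userkey.pem, their file modes, and the P12_PASS / KEY_PASS variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the PP group's userP12toPEM script): split a
# browser-exported PKCS#12 bundle into the PEM pair used by grid tools.
# Assumed names: usercert.pem / userkey.pem, the files Globus-based
# tools conventionally read from $HOME/.globus.
# Optional env vars for unattended use (assumed names): P12_PASS is the
# export password, KEY_PASS the passphrase for the new key file.
# When they are unset, openssl prompts on the terminal instead.

p12_to_globus_pem() (
    p12=$1
    dir=${2:-$HOME/.globus}
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }

    umask 077                  # new files are never group/world readable
    mkdir -p "$dir" || return 1
    cert=$dir/usercert.pem
    key=$dir/userkey.pem

    # Certificate only: no private key material goes into this file.
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$cert.new" \
        ${P12_PASS+-passin env:P12_PASS} || return 1

    # Private key only, written encrypted under the key passphrase.
    openssl pkcs12 -in "$p12" -nocerts -out "$key.new" \
        ${P12_PASS+-passin env:P12_PASS} \
        ${KEY_PASS+-passout env:KEY_PASS} || return 1

    # Refuse to install a pair whose public keys differ.
    a=$(openssl x509 -in "$cert.new" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$key.new" -pubout \
        ${KEY_PASS+-passin env:KEY_PASS}) || return 1
    if [ "$a" != "$b" ]; then
        rm -f "$cert.new" "$key.new"
        echo "certificate and key do not match" >&2
        return 1
    fi

    # Replace any old pair, then set restrictive modes on the result.
    mv -f "$cert.new" "$cert" && mv -f "$key.new" "$key" || return 1
    chmod 644 "$cert" && chmod 400 "$key" || return 1

    # Show who the certificate identifies and when it expires.
    openssl x509 -in "$cert" -noout -subject -enddate
)
# Usage: p12_to_globus_pem mycert.p12
```

The private key stays passphrase-protected on disk and readable only by its owner; the certificate itself is public information and can be world-readable.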