Convert p12

From GridSiteWiki

If you use a CA like the UK e-Science CA ( that issues X.509 certificates via web browsers, you may find yourself exporting key/certificate pairs from your browser as .p12 files.

Host Certificates

To convert a host key/certificate pair, use the following commands:

openssl pkcs12 -in host.domain.p12 -clcerts -nokeys -out host.domain.cert.pem
openssl pkcs12 -in host.domain.p12 -nocerts -nodes -out host.domain.key.pem

These files should then be placed in /etc/grid-security and httpd.conf modified accordingly. host.domain.cert.pem can safely be world readable but host.domain.key.pem must only be readable by root!:

chown root.root host.domain.key.pem
chmod 0400 host.domain.key.pem

User Certificates

It is conventional to store user certificates and keys which are used by command line programs like htcp in the directory $HOME/.globus

openssl pkcs12 -in export.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in export.p12 -nocerts -out $HOME/.globus/userkey.pem

The user certificate can safely be world readable, but userkey.pem must only be readable by you!

chmod 0400 $HOME/.globus/userkey.pem