If you use a CA like the UK e-Science CA (http://ca.grid-support.ac.uk/) that issues X.509 certificates via web browsers, you may find yourself exporting key/certificate pairs from your browser as .p12 files.
To convert a host key/certificate pair, use the following commands:
    openssl pkcs12 -in host.domain.p12 -clcerts -nokeys -out host.domain.cert.pem
    openssl pkcs12 -in host.domain.p12 -nocerts -nodes -out host.domain.key.pem
These files should then be placed in /etc/grid-security and httpd.conf modified accordingly. host.domain.cert.pem can safely be world readable, but host.domain.key.pem must be readable only by root, because -nodes writes the private key unencrypted:
    chown root:root host.domain.key.pem
    chmod 0400 host.domain.key.pem
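The host conversion above as a single function, written as an added example rather than part of the original instructions: it sets a restrictive umask before openssl writes the unencrypted key, and checks that the certificate and key carry the same public key. The function name convert_host_p12, its arguments and the P12_PASS variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original page. convert_host_p12 and its
# arguments are names chosen for this sketch.
#
# usage: convert_host_p12 FILE.p12 OUTDIR [PASSIN]
#   PASSIN is an openssl pass phrase source such as env:P12_PASS;
#   if omitted, openssl prompts for the import password.
convert_host_p12() (
    p12=$1
    outdir=$2
    base=$(basename "$p12" .p12)
    cert=$outdir/$base.cert.pem
    key=$outdir/$base.key.pem

    # Create both files without group/other access from the start, so the
    # unencrypted key is never exposed between being written and the chmod.
    umask 077

    openssl pkcs12 -in "$p12" ${3:+-passin "$3"} -clcerts -nokeys -out "$cert" || exit 1
    openssl pkcs12 -in "$p12" ${3:+-passin "$3"} -nocerts -nodes -out "$key" || exit 1

    # The certificate and the key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match; removing $key" >&2
        rm -f "$key"
        exit 1
    fi

    # Ownership can only be changed by root; skip it otherwise.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$cert" "$key" || exit 1
    fi
    chmod 0644 "$cert" && chmod 0400 "$key"
)
```

For example, `P12_PASS=... convert_host_p12 host.domain.p12 /etc/grid-security env:P12_PASS` run as root, with P12_PASS exported, leaves host.domain.cert.pem and host.domain.key.pem in place with the permissions described above.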
It is conventional to store user certificates and keys that are used by command-line programs like htcp in the directory $HOME/.globus:
    openssl pkcs12 -in export.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
    openssl pkcs12 -in export.p12 -nocerts -out $HOME/.globus/userkey.pem
The user certificate can safely be world readable, but userkey.pem must only be readable by you!
    chmod 0400 $HOME/.globus/userkey.pem