Instructions for requesting personal X.509 certificates
INFN, through GARR, benefits from the contract stipulated by GÉANT (the association of European research and education networks) with the HARICA certification authority.
You can independently request personal X.509 certificates suitable for email and web authentication, or personal GRID certificates, using the dedicated HARICA web portal: https://cm.harica.gr
To access the dashboard, click “Academic login” and choose INFN as your institution: you will be asked for your AAI credentials.
Certificates are issued in two phases:
- Sending the request
- Validating the email address and issuing the certificate
Phase A varies depending on the type of certificate requested, while Phase B is common to both types.
Phase A
Requesting a personal certificate suitable for email (signature/encryption) and web authentication
- In the left column of the dashboard, click “Email”
- In the list that appears on the right, choose “Email-only”
- Verify that the address associated with the certificate is correct and click “next”
- Click “next” again to accept the proposed validation method (via email)
- Check the Agreement to the Terms of Use box and submit the request
Requesting a personal certificate for GRID authentication (IGTF)
- In the left column of the dashboard, click “IGTF Client Auth”
- Select “GÉANT Personal Authentication”
- Check the Agreement to the Terms of Use box and submit the request
Phase B
Once the request is submitted, you should receive an email with a link to verify your email address. It may take a few minutes for the message to arrive.
In the meantime, the “pending certificates” section will appear on the dashboard at the bottom, with a certificate (S/MIME or IGTF) request pending.
When the email arrives, click the link and then the confirmation button.
At this point, the “enroll your certificate” button will appear on the dashboard for the pending certificate.
Click the button: a window appears in which you choose whether to generate the certificate request (CSR) through the website, or to paste a CSR that you have generated yourself, together with the private key, using the openssl command as described below.
If you are unfamiliar with the openssl command, choose the first option (Generate Certificate). Leave the “Algorithm” and “Key Size” fields unchanged and set a password: you will need it later to import into your browser the certificate and private key contained in the .p12 file that the procedure provides.
Tick the checkbox acknowledging HARICA's statement that it has no access to this password. 🙂
At this point, you can click “Enroll certificate” and download the .p12 file, completing the procedure.
If you prefer to generate the CSR and private key yourself, you can use openssl (available on Linux and Mac systems, but can also be installed on Windows) by issuing this command:
openssl req -newkey rsa:8192 -keyout key.pem -out csr.pem -subj "/CN=Name Surname"
where “Name” and “Surname” should be replaced with your first and last name. openssl will ask for a passphrase with which to protect key.pem; keep it, because you will need it again in the pkcs12 step below.
You will then obtain two files, key.pem and csr.pem, containing the private key and the certificate request, respectively. Now, in the previous procedure, instead of choosing “Generate Certificate” choose the option to manually enter the CSR and copy the contents of the csr.pem file into the appropriate box.
By proceeding similarly to the previous case, you will finally be able to download a .pem file containing only the certificate and not the private key (which you already have).
To generate the .p12 file, needed to import the certificate into the browser or email program, you must use the openssl command again:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12
where cert.pem is the file containing the certificate you just downloaded, key.pem is the file with the private key you generated, and cert.p12 is the resulting .p12 file, containing both certificate and private key, that you will import into the browser. openssl will ask for the passphrase of key.pem and then for an export password for cert.p12; the export password is the one you will type when importing the file into the browser or email program.
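The manual path above (key and CSR with openssl, then cert.pem and key.pem combined into a .p12) carried through as a script, with the checks worth running before trusting the result. This is an added example, not part of the INFN/HARICA instructions: it assumes the openssl command line tool is installed, and WORKDIR, the passphrase and all file names are placeholders chosen for this example. It goes slightly beyond the page in two ways: the key size is a parameter (the page's command uses rsa:8192, which can take a long time to generate) and, since no CA is reachable offline, the certificate HARICA would return is replaced by a self-signed stand-in built from the same CSR, plus a certificate for an unrelated key to show the mismatch check rejecting it.

```shell
#!/bin/sh
# Added example, not part of the INFN/HARICA instructions: the manual-CSR path
# from the page, with the checks worth running before you trust the result.
# Assumptions: the openssl command line tool is installed; WORKDIR, the
# passphrase and every file name here are placeholders chosen for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="${PASS:-example-passphrase-change-me}"   # constructed placeholder

# Step 1 (the page's command, with the key size as a parameter so the checks
# can be run quickly; the page uses rsa:8192). -passout avoids the prompt.
make_csr() {                 # usage: make_csr "Name Surname" [bits]
    openssl req -newkey "rsa:${2:-8192}" -keyout "$WORKDIR/key.pem" \
        -out "$WORKDIR/csr.pem" -subj "/CN=$1" -passout "pass:$PASS" 2>/dev/null
    chmod 600 "$WORKDIR/key.pem"   # the private key should be readable only by you
}

# Check 1: the CSR really carries the subject you typed (RFC 2253 form, e.g. CN=Name Surname).
csr_subject() {
    openssl req -in "$WORKDIR/csr.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Check 2: the key on disk is passphrase-protected (its PEM header says ENCRYPTED).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$WORKDIR/key.pem"
}

# Check 3: the certificate you downloaded matches key.pem, i.e. carries the same
# public key. A certificate issued for a different CSR (or an older key of yours)
# fails here instead of producing a .p12 the browser cannot use.
key_matches_cert() {         # usage: key_matches_cert cert.pem
    certpub=$(openssl x509 -in "$1" -noout -pubkey)
    keypub=$(openssl pkey -in "$WORKDIR/key.pem" -passin "pass:$PASS" -pubout)
    [ "$certpub" = "$keypub" ]
}

# Step 2 (the page's second command): build the .p12 only once check 3 passes.
make_p12() {                 # usage: make_p12 cert.pem
    key_matches_cert "$1" || { echo "$1 does not match $WORKDIR/key.pem" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$WORKDIR/key.pem" -out "$WORKDIR/cert.p12" \
        -passin "pass:$PASS" -passout "pass:$PASS"
}

# Check 4: the .p12 opens with the password you will type into the browser.
p12_opens() {
    openssl pkcs12 -in "$WORKDIR/cert.p12" -passin "pass:$PASS" -noout 2>/dev/null
}

# Offline stand-in for the file HARICA returns: the CSR self-signed with key.pem.
# (Constructed for this example; the real certificate is issued by the CA.)
make_stand_in_cert() {
    openssl x509 -req -in "$WORKDIR/csr.pem" -signkey "$WORKDIR/key.pem" \
        -passin "pass:$PASS" -days 1 -out "$WORKDIR/cert.pem" 2>/dev/null
}

# A certificate for an unrelated key, to show check 3 rejecting a mismatch.
make_unrelated_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/other_key.pem" \
        -out "$WORKDIR/other_cert.pem" -subj "/CN=Someone Else" -days 1 2>/dev/null
}

demo() {
    make_csr "Name Surname" 2048
    echo "CSR subject: $(csr_subject)"
    key_is_encrypted && echo "key.pem is passphrase-protected"
    make_stand_in_cert
    make_p12 "$WORKDIR/cert.pem" && p12_opens && echo "cert.p12 written to $WORKDIR"
    make_unrelated_cert
    make_p12 "$WORKDIR/other_cert.pem" || echo "mismatched certificate rejected, as intended"
}

# Run the whole flow with: RUN_DEMO=1 sh this_script.sh
[ "${RUN_DEMO:-0}" = 1 ] && demo
```

For the real procedure, run make_csr with the default key size, paste the contents of csr.pem into the HARICA form, save the downloaded certificate as cert.pem in WORKDIR, and call make_p12 on it; the public-key comparison in check 3 is what tells you that the .p12 you are about to import actually contains a key pair the browser can use.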
