Participate in Grid Computing

If you want to use a digital ID (certificate) to participate in Grid Computing, then you need a special Grid Computing certificate.

Requirements

Several conditions must be met:

  • The identity of the person must have already been verified in a manner that meets the strict requirements of the Interoperable Global Trust Federation (IGTF).

    Unlike with the digital IDs for signing emails or documents, an ID check is therefore mandatory here, and it must be recorded in the IT portal. This is the case for

    • Persons who have previously received a personal digital ID “Global” in the IT portal,

    • Persons for whom a personal ID check by authorized persons has been logged in the IT portal.

  • In addition, the person must already be known to the system of our service provider Sectigo, namely under the email address username@uni-muenster.de. (The username is the university ID assigned to you by the CIT.)

    This is the case only if the person has, at least once after September 2023, requested a personal digital ID (certificate) for signing emails in the IT portal and selected exactly this email address username@uni-muenster.de as the main email address.

  • Furthermore, the person must have selected exactly this email address username@uni-muenster.de as the preferred email address in the IT portal and then waited until this preferred email address has reached the university's central Shibboleth identity provider (login server). This normally happens within an hour, but in rare cases it can take considerably longer.

    Once the Grid Computing certificate has been issued, the preferred email address can be changed back.

Procedure

  1. Open in browser: https://cert-manager.com/customer/DFN/idp/clientgeant

  2. On the page “Find Your Institution”: Select Universität Münster

  3. On the page “Zentrales Shibboleth-Single-Sign-On der Universität Münster”: Enter username and password

  4. On the page “Digital Certificate Enrollment”, select or enter:

    • Certificate Profile: GÉANT Personal Authentication (for persons) or GÉANT Personal Automated Authentication (for robots)

      (Attention: Do not select GÉANT Personal email signing and encryption: Certificates with this profile are not suitable for Grid Computing and you can obtain better certificates for signing emails in the IT portal).

    • Term: 395 days

    • Enrollment Method: Key Generation (or CSR, but then the procedure continues differently)

    • Key Type: RSA-4096 (depending on the desired security level and the technical limitations of the relevant systems)

      (Attention: The EC keys can only sign or enroll, but not encrypt.)

    • Password: The passphrase to use to protect the PKCS#12 file that will be downloaded later.

    • Password Confirmation: The same passphrase again

    • Choose key protection algorithm: Please be sure to select Compatible TripleDES-SHA1, unless you know for certain that your software can handle the new Secure AES256-SHA256 format.

    • I have read and agree to the terms of the EULA: Check and confirm in the popup window

  5. After clicking Submit, wait patiently until the finished digital ID is offered for download as a PKCS#12 file

The issued digital ID contains the following owner:

CN=Givenname Surname username@uni-muenster.de
O=Universitaet Muenster
C=DE
DC=tcs
DC=terena
DC=org

and the email address username@uni-muenster.de. There is no way to include other information.
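
One way to check the downloaded PKCS#12 file against the values on this page, using the `openssl` command line. This is an added example, not part of the original instructions. The function names and the `P12_PASS` environment variable are assumptions, as is the reading of the owner listing above as RFC 2253 order (most specific component first).

```shell
#!/bin/sh
# Added example: sanity-check a downloaded Grid Computing PKCS#12 file.
# The passphrase is read from the environment variable P12_PASS (an assumed
# name) so that it does not appear in the process list or shell history.

# check_subject SUBJECT USERNAME
# Compare an RFC 2253 subject string with the owner layout shown above.
check_subject() {
    case "$1" in
        "CN="*" $2@uni-muenster.de,O=Universitaet Muenster,C=DE,DC=tcs,DC=terena,DC=org")
            return 0 ;;
        *)  return 1 ;;
    esac
}

# check_grid_p12 FILE USERNAME [RSA_BITS]
# Returns 0 if all checks pass, 1 on a mismatch, 2 if the file cannot be read.
check_grid_p12() {
    p12=$1; user=$2; bits=${3:-4096}
    cert=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null) || {
        echo "cannot read $p12: wrong passphrase or unsupported key protection" >&2
        return 2
    }
    subject=$(printf '%s\n' "$cert" |
        openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    emails=$(printf '%s\n' "$cert" | openssl x509 -noout -email)
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
    rc=0
    check_subject "$subject" "$user" ||
        { echo "unexpected owner: $subject" >&2; rc=1; }
    printf '%s\n' "$emails" | grep -qxF "$user@uni-muenster.de" ||
        { echo "email address $user@uni-muenster.de not in certificate" >&2; rc=1; }
    printf '%s\n' "$text" | grep -q "Public Key Algorithm: rsaEncryption" ||
        { echo "key is not RSA" >&2; rc=1; }
    printf '%s\n' "$text" | grep -q "Public-Key: ($bits bit)" ||
        { echo "key is not $bits bits" >&2; rc=1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; rc=1; }
    return "$rc"
}
```

Call it as `check_grid_p12 certificate.p12 username` after exporting `P12_PASS`; pass a third argument if a key size other than RSA-4096 was chosen during enrollment.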