How not to screw up getting and installing a grid certificate

  1. The official GridPP user guide

  2. Apply for a grid certificate. Choose Imperial/Physics as your Registration Authority. (If the webpage asks you to save a key (a text file), please make sure you do it. No, I don't know why it is so cumbersome either.)
    If you are a member of a CERN experiment you might also be able to get a certificate through CERN.

  3. If you are based at Imperial, bring your College ID and a photocopy of it to Room 529 so Duncan or Daniela can approve your certificate request. If you are not based at Imperial, please send us a scanned copy of your College ID. (We need to staple it to the paperwork, so we really need a paper copy.)

  4. Once your request has been approved you should receive an email with instructions on how to retrieve your certificate. The exact instructions depend on which tool you used.

  5. At this point you should have a version of your certificate in .p12 format. If you have your certificate stored in your browser you can generate a p12 file by going to Preferences -> Advanced -> Your Certificates -> Backup. You should definitely have a backup copy of your certificate somewhere.

  6. On an SL6 lx machine (lx00, lx01), make a directory called .globus in your home directory. Copy your p12 to this directory and do:
    openssl pkcs12 -nocerts -in sensible_name.p12 -out userkey.pem
    openssl pkcs12 -clcerts -nokeys -in sensible_name.p12 -out usercert.pem

    Change the permissions on userkey.pem so it can be read only by you (chmod 400 userkey.pem), otherwise it will fail when you actually try to submit a grid job. (The file holds your private key, so nobody else should be able to read it.)
    The same instructions apply if you are working from lxplus at CERN.

  7. At Imperial you can check if your VO membership is valid by doing (on lx00 or lx01):
    source /cvmfs/grid.cern.ch/umd-c7ui-latest/etc/profile.d/setup-c7-ui-example.sh
    voms-proxy-init --voms cms (replace VO name as needed)
    The response should look like:
    Enter GRID pass phrase:
    Your identity: /C=UK/O=eScience/OU=Imperial/L=Physics/CN=daniela bauer
    Creating temporary proxy ....................................................... Done
    Contacting voms2.cern.ch:15002 [/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch] "cms" Done
    Creating proxy .............................................. Done

    Your proxy is valid until Wed Mar 1 05:15:10 2017
    If you have a special role within your VO you can test it by using:
    voms-proxy-init --voms cms:/cms/Role=lcgadmin (replace VO and Role as appropriate).
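
A check for the ~/.globus directory set up in step 6, as an added example that is not part of the original guide: it reports a missing usercert.pem or userkey.pem, a key or .p12 file that group or others can access, and an expired certificate. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the ~/.globus directory
# built in step 6. Function names are assumptions of this example.

# Succeeds if FILE exists and grants nothing to group or others.
private_to_owner() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)  # group+other bits of e.g. -r--------
    [ "$mode" = "------" ]
}

# Prints one line per problem in DIR; exit status is the problem count.
audit_globus_dir() {
    dir=$1
    problems=0
    for f in usercert.pem userkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    # userkey.pem and any .p12 (it also holds the key) must be owner-only.
    for f in "$dir"/userkey.pem "$dir"/*.p12; do
        [ -f "$f" ] || continue
        if ! private_to_owner "$f"; then
            echo "accessible by group/others: $f (chmod 400 it)"
            problems=$((problems + 1))
        fi
    done
    # Expiry check: only when openssl is present and the file parses as a cert.
    cert=$dir/usercert.pem
    if command -v openssl >/dev/null 2>&1 &&
       openssl x509 -in "$cert" -noout >/dev/null 2>&1 &&
       ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired: $cert"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: audit_globus_dir "$HOME/.globus"
```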