How do I create a CSR?
You should consider using the OpenSSL toolkit to create certificate signing requests. OpenSSL comes pre-installed with most Linux distributions and Mac OS X. The OpenSSL project also offers an OpenSSL for Windows download.
Once you have OpenSSL installed on your platform, use it to generate a CSR by typing:
openssl req -new -newkey rsa:2048 -keyout userkey.pem -out usercert_request.pem -subj /CN=bla
- The generated file userkey.pem is your private key. Keep it to yourself, and only yourself, for the whole validity period of the certificate.
- You should also define a strong password when asked for it.
- The file you upload to Confusa to request a certificate is usercert_request.pem.
Note: If Confusa uses the Comodo-CA, the subject of the request can be arbitrary, as shown above, because Confusa will replace it with real values matching you once it issues the certificate.
How to export certificates from the keystore
Firefox: Go to "Preferences/Advanced/Encryption/View Certificates/Your certificates". Then press "Backup" on the certificate you want to back up, which will create a PKCS#12 file on your hard disk. Then follow the steps here.
Opera: Go to "Preferences/Advanced/Security/Manage Certificates". Select your certificate and click "Export". Select PKCS#12 format. If you need the certificate for Grid submission, follow the steps here.
Internet Explorer: Go to "Internet options/Content/Certificates". Click the certificate you want to export and click "export". When asked whether to include the private key, confirm the message. Select PKCS#12 format and "enable strong protection". If you need the certificate for Grid submission, follow the steps here.
How to convert between PKCS#12 and X.509
If you have a PKCS#12 certificate but want it in PEM format (e.g. for Grid job submission), do the following:
Private key:
openssl pkcs12 -nocerts -in cert.p12 -out ~user/.globus/userkey.pem
Certificate (public key):
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~user/.globus/usercert.pem
Subsequently, give them the right permissions:
chmod 0600 ~user/.globus/userkey.pem
chmod 0644 ~user/.globus/usercert.pem
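The conversion and permission steps above can be wrapped in a small script. This is an added example, not part of the original page or of Confusa; the function names are hypothetical. It runs the same openssl and chmod commands under a restrictive umask and then verifies the resulting modes, e.g. with: extract_grid_credentials cert.p12 ~/.globus && check_grid_perms ~/.globus

```sh
# Added example, not from the original page; function names are hypothetical.

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Extract key and certificate from a PKCS#12 file into a directory.
# umask 077 is set before openssl creates the files, so the private key is
# never readable by other users, not even in the moment before chmod runs.
extract_grid_credentials() {
    p12=$1; dir=$2
    (
        umask 077
        mkdir -p "$dir" &&
        openssl pkcs12 -nocerts -in "$p12" -out "$dir/userkey.pem" &&
        openssl pkcs12 -clcerts -nokeys -in "$p12" -out "$dir/usercert.pem" &&
        chmod 0600 "$dir/userkey.pem" &&
        chmod 0644 "$dir/usercert.pem"
    )
}

# Return 0 only if both files are regular files, the key grants nothing to
# group/other (e.g. 600), and the certificate is not group/other writable
# (e.g. 644).
check_grid_perms() {
    dir=$1; rc=0
    for f in userkey.pem usercert.pem; do
        if [ -L "$dir/$f" ] || [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing, a symlink, or not a regular file" >&2
            return 1
        fi
    done
    key_mode=$(file_mode "$dir/userkey.pem")
    cert_mode=$(file_mode "$dir/usercert.pem")
    case $key_mode in
        *00) ;;
        *) echo "FAIL: userkey.pem has mode $key_mode, expected 600" >&2; rc=1 ;;
    esac
    case $cert_mode in
        *[0145][0145]) ;;
        *) echo "FAIL: usercert.pem has mode $cert_mode, expected 644" >&2; rc=1 ;;
    esac
    return "$rc"
}
```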