Security/ProxyFileFormat
From Globus
The Globus Toolkit expects files containing credentials in /tmp/x509up_u<uid> or $X509_USER_PROXY to be of the following format: PEM-encoded certificate, followed by PEM-encoded private key, followed by zero or more PEM-encoded certificates that form a chain from the first certificate to an end-entity certificate.
Each PEM block is the base64 encoding of the DER encoding of the object (the certificate, or the PKCS#1 RSAPrivateKey for the private key), wrapped in header and footer lines.
The order of the PEM blocks in the file is significant. The matching certificate and private key must appear first, followed by the certificate chain starting from the next certificate and ending with the end entity certificate.
If the first certificate is an end entity certificate (i.e., the end entity certificate is being used directly without any proxy certificates), only the end entity certificate and private key appear, without any additional certificates. (In this case the "proxy file" contains an "end entity credential" rather than a "proxy credential".)
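A layout check for the block order described above, as an added example that is not part of the Globus Toolkit or the original page. The function names and the sample payloads are constructed for illustration; the check covers block order and base64 validity only, not signatures or whether the key matches the first certificate.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
CERT, KEY = "CERTIFICATE", "RSA PRIVATE KEY"


def pem_blocks(text):
    """Return [(label, decoded_bytes), ...] in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Strip line breaks, then reject anything that is not strict base64.
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks


def check_proxy_layout(text):
    """Classify a credential file by block order, or raise ValueError."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels or labels[0] != CERT:
        raise ValueError("first block must be a certificate")
    if len(labels) < 2 or labels[1] != KEY:
        raise ValueError("second block must be the RSA private key")
    chain = labels[2:]
    if any(label != CERT for label in chain):
        raise ValueError("only certificates may follow the private key")
    # No chain: the first certificate is used directly (end entity credential).
    kind = "proxy credential" if chain else "end entity credential"
    return kind, len(chain)


def _block(label, payload):
    """Build a constructed PEM block; payloads are placeholders, not real DER."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples mirroring the two layouts on this page, plus a bad one.
SAMPLE_PROXY = (_block(CERT, b"proxy cert") + _block(KEY, b"proxy key")
                + _block(CERT, b"end entity cert"))
SAMPLE_EEC = _block(CERT, b"end entity cert") + _block(KEY, b"end entity key")
SAMPLE_KEY_FIRST = _block(KEY, b"key") + _block(CERT, b"cert")

if __name__ == "__main__":
    print(check_proxy_layout(SAMPLE_PROXY))
    print(check_proxy_layout(SAMPLE_EEC))
```

A file assembled with the private key first, as in `SAMPLE_KEY_FIRST`, is rejected with a `ValueError`.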
Examples
Proxy Credential
The example proxy credential file contains, in order:
- RFC 3820 proxy certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney, CN=1794183258, CN=609521204, CN=1403297374
- private key corresponding to the above proxy certificate
- RFC 3820 proxy certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney, CN=1794183258, CN=609521204
- RFC 3820 proxy certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney, CN=1794183258
- RFC 3280 end entity certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-canvas.ncsa.uiuc.edu, OU=ncsa.uiuc.edu, CN=Jim Basney
End Entity Credential
The example end entity credential file contains, in order:
- RFC 3280 end entity certificate with Subject: O=Grid, OU=GlobusTest, OU=simpleCA-pkilab2.ncsa.uiuc.edu, CN=jbasney
- private key corresponding to the above end entity certificate
See also Security/ProxyCertTypes.
