Why would I need an SSH key or an X.509 certificate?

Some Globus-based applications may use SSH-authorized keys or X.509 certificates to provide access to their resources. To use such services, you need to log in and associate your key or certificate with your Globus ID.

How do I add an SSH key to my Globus account?


If you don’t already have an SSH key, instructions for creating one are available here for Mac OS X, Linux, and Windows systems.
  1. Go to globusid.org.

  2. Sign in with your Globus ID account and select "manage SSH and X.509 keys".

  3. Click "Add a New Key".

  4. Enter a descriptive name in the "Alias" field.

  5. Select "SSH Public key" and copy & paste your public key into the "body" field. Note: On a Mac OS X or Linux/Unix system, your key is usually found in ~/.ssh/id_rsa.pub.

  6. Click "Add Key" to save.

How do I generate an SSH key?

Mac OS X/Linux/Unix

The ssh-keygen command is used to create keys. There are many options for it. We recommend that you run it this way:

$ ssh-keygen -t rsa -b 2048

This creates your public and private keys and stores both in your ~/.ssh directory, overwriting any existing keys there. Follow the prompts; to install the keys to the default location, just press Enter when prompted for a file name. We strongly encourage the use of a passphrase.

Some machines may put these files in a different spot. If this is the case, make a note of where it puts them and what it names them. The id_rsa.pub file is your public key, and the id_rsa file (and, if they exist, id_dsa or identity) is your private key.

Windows Systems


In SecureCRT, generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (RSA keys are fine, despite what the text above the selection box says). We strongly encourage the use of a passphrase.

2048 is an adequate key length. Make note of where it’s installing the key. It is probably something like:

C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity

If you upgraded from an old version, it might be:

C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity

Say "Yes" to the global public key question.

Now, the tricky part. SecureCRT stores your public key in a funky format. You have a few options for getting it into the format you need; do any one of the following.

  • Use Berkeley’s SSH-key converter - quick and easy.

  • Copy the public key (identity.pub) to a machine that has OpenSSH installed and run: ssh-keygen -i -f identity.pub > id_rsa.pub
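A quick check before pasting a key into the "body" field, added here as an example that is not part of the original page: it tells a ready-to-paste OpenSSH public key apart from a SecureCRT-style SSH2 public key block that still needs `ssh-keygen -i`, and from private key material. The function name `key_kind` and the sample files are assumptions; the key bodies are constructed placeholders.

```shell
#!/bin/sh
# key_kind FILE -> prints one of:
#   openssh-public  one-line "ssh-rsa AAAA... comment" form, ready to paste
#   ssh2-public     "---- BEGIN SSH2 PUBLIC KEY ----" block; convert with ssh-keygen -i
#   private         private key material (PEM/OpenSSH or PuTTY .ppk); never upload
#   unknown         anything else
key_kind() {
    # Check for private material first so it can never be reported as pasteable.
    if grep -Eq 'PRIVATE KEY|^Private-Lines:' "$1"; then
        echo private; return
    fi
    IFS= read -r first < "$1" || [ -n "$first" ] || { echo unknown; return; }
    case $first in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo ssh2-public ;;
        ssh-rsa\ AAAA*|ssh-dss\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*)
            # A ready-to-paste public key is exactly one non-empty line.
            if [ "$(grep -c . "$1")" -eq 1 ]; then echo openssh-public
            else echo unknown; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample files (placeholder bodies, not real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ user@example' > "$d/id_rsa.pub"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "constructed"' \
        'AAAAB3NzaC1yc2EAAAADAQABAAABAQ' '---- END SSH2 PUBLIC KEY ----' > "$d/identity.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'UExBQ0VIT0xERVI=' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_rsa"
    for f in id_rsa.pub identity.pub id_rsa; do
        printf '%-14s %s\n' "$f" "$(key_kind "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

Only a file reported as `openssh-public` belongs in the "body" field.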

Now, make SecureCRT use the key.

  • Click "File" then "connect", and for each existing entry in the list (or for new ones you add), click the "Properties" button (it looks like a hand holding a card).

  • In the Authentication section under "Connection", change "Primary" to be "PublicKey". Choose "Properties" and make sure it’s using your global file.

  • Click "Options", "Global Options", and under SSH2 heading, check both boxes in the "Agent" section.

Now, the first SecureCRT session you open will ask for the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running).


If you converted a session that previously used SSH1 to use SSH2, check your port forwarding configuration. It may have been messed up. The checkbox for local IP address restrictions should be unchecked. If it’s not, uncheck it.


If you would like to use PuTTY as your SSH client, the first thing you should do is download the latest client. We have found that various older versions create odd problems when trying to use version 2 keys. It only takes 10 seconds - no fancy installer, no rebooting.

Close any current PuTTY connections, move the current PuTTY executable (putty.exe) to the recycle bin, and download a new putty.exe from here. Your current preferences and saved connections will not go away. When you open the new PuTTY, all those things will still be there.

While you are grabbing the latest client, also grab PuTTYgen (puttygen.exe), which is the tool you will use to generate a new SSH key pair.

After downloading PuTTYgen, double-click on the PuTTYgen icon. At the very bottom of the dialog box, there is a section called "Parameters". Under "Type of key to generate:", click the radio button for "SSH2 RSA". You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.

How do I add an X.509 certificate to my Globus account?

  1. Sign in to your Globus account.

  2. Click here to go to the Manage Identities page.

  3. Click "add linked identity".

  4. Click "Add an X.509 Credential".

  5. Copy and paste the contents of your certificate PEM file (NOT your private key). Note that proxy certificates are not supported. Optionally, enter an identifying label.

  6. Click "Submit" to save.

To find your PEM file, run grid-proxy-info at a command prompt. This will print the "path" of your certificate PEM file (e.g. /tmp/x509up_u502), as well as the "type". Make sure that the "type" is "end entity credential", and not some form of proxy. Note that many certificates fetched via the myproxy-logon command are still end entity credentials and can be used for this purpose. List the contents of this file, and then copy and paste the portion of the file between, and including, the lines: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
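The copy step above can be scripted so that the private key stored in the same file never reaches the clipboard. This is an added example, not part of the original page; the function names `extract_cert` and `make_sample` are assumptions, and the sample credential file is constructed with placeholder bodies.

```shell
#!/bin/sh
# extract_cert FILE
#   stdout: the first certificate block, BEGIN and END lines included
#   status: 0  ok
#           1  no complete certificate block found (nothing is printed)
#           2  block printed, but the file holds more than one certificate,
#              which can be a proxy plus its issuing certificates; check the
#              "type" reported by grid-proxy-info before uploading
extract_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { n++; if (n == 1) inside = 1 }
        inside                         { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/   { if (inside) { inside = 0; done = 1 } }
        END { if (!done) exit 1; printf "%s", buf; if (n > 1) exit 2 }
    ' "$1"
}

# Constructed credential file: placeholder bodies, not real key material.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
EOF
}

sample=$(mktemp)
make_sample "$sample"
extract_cert "$sample"    # prints only the three certificate lines
rm -f "$sample"
```

Check the exit status before pasting: anything other than 0 means the output is either empty or needs a second look.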

© 2010- The University of Chicago Legal