The client side interaction is handled by CERN IT (Laurence Field atm). I am not sure how their whole system works, but the main point is that the client ends up booting an image: * contextualized by a user_data file which basically just specify the cvmfs path to use, and contain the MrBoincHost certificate and key (see below) * Start a pilot bootstrap script available here:

Generate the MrBoinc host certificate

This certificate/key needs to be given to IT to add in the contextualization file.

Work into /path/to/boincCertificate and there:

mkdir MrBoincHost

Create the openssl_config_host.cnf file in the MrBoincHost/ directory:

# Generate the key
openssl genrsa -out MrBoincHost/hostkey.pem 4096
chmod 400 MrBoincHost/hostkey.pem

# Create the request
openssl req -config MrBoincHost/openssl_config_host.cnf -key MrBoincHost/hostkey.pem  -new -sha256 -out MrBoincHost/request.csr.pem

# Sign it
openssl ca -config ca/openssl_config_ca.cnf \
     -extensions server_cert \
     -in MrBoincHost/request.csr.pem \
     -out MrBoincHost/hostcert.pem

This self-signed host certificate (MrBoinc Host) must then be saved on any BOINC VM in /etc/grid-security. Do not forget to add it to the list of trusted host for ProxyDelegation in the dirac.cfg of the gateway