
CERN Certificate Information

by John S. De Stefano Jr. last modified Jun 21, 2016 11:51 AM
How to request, install, and renew grid certificates issued by CERN.

US ATLAS Transition to CERN CA

Note that US ATLAS has ceased to use OSG-supplied user certificates, in favor of certificates issued by the CERN certificate authority (CA). Thus, ATLAS users will no longer be able to obtain user certificates from OSG. For more information, please see our certificate CA migration page.


The CERN Certificate Authority site provides pages and tools for requesting and managing grid certificates.

Requesting a Certificate

To obtain a new CERN certificate:

  1. Browse to the CERN Certificate Authority interface:
  2. To access the interface, enter your CERN NICE user account single sign on (SSO) user name and password.
    Note: see our page on user certificate eligibility.
  3. Once logged in, click New Grid User Certificate in the site top navigation menu, or browse to:
  4. Enter and confirm a certificate password. This is not the same password as your CERN NICE account, and should be treated with care: remember it, as you will need this password in order to use your certificate, and protect it, as it can be used to identify you on the grid.
  5. Click Get Grid User Certificate.
  6. You will be prompted to download a certificate file, which contains your new certificate/key pair in PKCS12 format. A record of this issued certificate is kept on the CERN CA My User Certificates page.

Installing a Certificate

See our page on certificate installation.

Renewing a Certificate

To renew or replace an existing, valid CERN certificate, follow the instructions to obtain a “new” user certificate. This essentially just renews your existing certificate: it extends the expiration date and allows you to download the certificate files, and it does not (or should not) change your existing DN or CA.

Revoking a Certificate

If your existing CERN certificate/key pair has been stolen or compromised, request revocation of the certificate:

  1. Browse to the CERN CA My User Certificates page.
  2. Click the entry for your current, valid certificate.
  3. Under Certificate Tasks, click Revoke Certificate, and confirm this action in the dialog that follows.

Converting a Certificate

To convert the new certificate for use in grid jobs:

  1. Use the openssl pkcs12 command to convert the certificate and its key:
    openssl pkcs12 -in [your-cert-file] -clcerts -nokeys -out ~/.globus/usercert.pem
    openssl pkcs12 -in [your-cert-file] -nocerts -out ~/.globus/userkey.pem
    In response to each command, you will be prompted for two passwords:
    • Enter Import Password: This is the password you created when you exported your certificate from your browser.
    • Enter PEM passphrase: This is the optional Challenge Phrase Password you created when you first requested your certificate from the CA.
  2. Change permissions to protect the converted key file:
    • In Linux/UNIX/Mac:
      chmod 600 userkey.pem
    • In Windows:
      1. Right-click the file userkey.pem, and choose Properties.
      2. Change the Permissions settings so that you have Read and Write permissions, and that no permissions at all are selected for Group and World.
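
The conversion steps above combined into one script, as an added example that is not part of the original page: it writes the PEM files under a restrictive umask, then checks that the key is closed to group and world and that it belongs to the certificate. The function names and the P12_PASS and PEM_PASS environment variables are assumptions of this example.

```shell
#!/bin/sh
# P12_PASS / PEM_PASS are this example's own convention (assumption): when
# set, openssl reads the passwords from them; when unset, it prompts.

# usage: convert_p12 <file.p12> [output-dir]   (default: ~/.globus)
convert_p12() (
    p12=$1
    out=${2:-$HOME/.globus}
    umask 077    # files created below start out owner-only
    mkdir -p "$out" || exit 1
    # Certificate only, no private key.
    openssl pkcs12 -in "$p12" -clcerts -nokeys \
        ${P12_PASS:+-passin env:P12_PASS} \
        -out "$out/usercert.pem" || exit 1
    # Private key only, encrypted under the PEM pass phrase.
    openssl pkcs12 -in "$p12" -nocerts \
        ${P12_PASS:+-passin env:P12_PASS} \
        ${PEM_PASS:+-passout env:PEM_PASS} \
        -out "$out/userkey.pem" || exit 1
    # Also tightens a key file that existed before with looser permissions.
    chmod 600 "$out/userkey.pem"
)

# usage: check_pair <usercert.pem> <userkey.pem>
check_pair() (
    cert=$1
    key=$2
    # Characters 5-10 of ls -l are the group and other permission bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "key is accessible to group or other" >&2; exit 1; }
    # The certificate must contain the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout \
        ${PEM_PASS:+-passin env:PEM_PASS}) || exit 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and key do not match" >&2; exit 1; }
    # Fail if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || exit 1
)
```

After sourcing the file, run convert_p12 with the downloaded certificate file, then check_pair on ~/.globus/usercert.pem and ~/.globus/userkey.pem; a non-zero exit status from either means the pair should not be used as is.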

Gaining VO Membership

To gain access to virtual organization (VO) resources, and use your certificate to join a VO, see steps 3 and 4 of our Grid Certificate FAQ entry.

Adding a Certificate to a VO Membership

To add your new certificate to your existing VO membership via VOMS, see:

Certificates and VOMS in OS X

In some browsers in OS X that use the inherent system keychain for certificate storage, such as Safari and Chrome, you may see an error indicating that the browser can't verify the identity of the VOMS web site. You may need to change the "trust" settings of the CERN CA chain files, including the CERN Root CA, the CERN Trusted Certificate Authority, and the lcg-voms certificate. When you receive the error dialog, click Show Certificate, and then for each of the certificates in the chain, click Trust, and change the value of "When using this certificate" from "Use System Defaults" to "Always Trust". Alternatively, you may be able to click a check-box for Always trust "CERN Root CA" if one appears. After changing the value for all certificates in the chain, click Continue.

Additional Information

For troubleshooting and questions and answers, see:
