
Grid Certificate FAQ

by John S. De Stefano Jr. last modified Oct 07, 2019 11:18 AM
Frequently asked questions regarding grid certificate requests, installation, and use.

While these instructions have been created largely for the benefit of ATLAS VO members, and mainly within the US, members of other VOs may find them useful and should substitute their VO and CA as appropriate.

How do I replace my expiring/expired certificate with a new certificate from a different CA?

To replace your expiring certificate from a previous CA (e.g., DOEGrids/DigiCert) with a new certificate from a new CA (e.g., CERN):

  1. Obtain and install a new certificate. For US users, see: Obtaining a Grid Certificate
  2. Add your new certificate to your existing virtual organization (VO) membership, and set it as the primary certificate: How to Add Certificates to a VO
  3. For ATLAS data transfers and grid work: ensure that your 'nickname' field in VOMS exactly matches your CERN user account login name, and that your email entry in VOMS matches the email associated with your CERN user account.
  4. If the above steps don't help for ATLAS, and you have multiple certificate DNs or VO identities listed in VOMS, email the VO admins to request that your ATLAS VO profiles be merged. Be sure to specify which certificate DN should be listed as your primary.

For more detail on ATLAS VO steps, see our ATLAS VO procedure or the ATLAS TWiki.

How do I obtain a new grid certificate?

Follow the instructions in Obtaining a Grid Certificate.

How do I renew a grid certificate that is about to expire or that has already expired?

Follow the instructions in Renewing a Grid Certificate.

Unfortunately, if the certificate linked to your existing VO membership has expired or is no longer available to you, and you can no longer log into VOMS with it, you will need to obtain a renewed or new certificate. If the DN or CA of the new or renewed certificate does not match that of the certificate registered to your VO membership, you will need to request that the new certificate be added to your existing VO membership, as explained in How to Add Certificates to a VO.

How do I address errors regarding unknown certificate authorities (CAs) on installing my grid certificate?

When installing your certificate, you may receive a warning or error similar to one of the following:

  • This certificate can't be verified and will not be imported.
  • The certificate issuer might be unknown or untrusted.

To address this problem, you may need to add an exception to permit your browser to connect to the site, or install the certificate authority (CA) chain for the certificate issuer; see our documentation on importing a CA chain.

If you are using a reasonably modern version of Firefox, and you continue to receive error or warning messages regarding certificates after setting the proper CA trust levels, see Firefox and Certificate Warnings.

Why does VOMS complain about a 'bad certificate' or prevent me from accessing the site?

VOMS uses your grid certificate to authenticate you and to authorize you for VO groups and services. If your grid certificate is not installed in your browser, or if the certificate has expired or is otherwise no longer valid, VOMS cannot authenticate you and will not grant you access. You may receive errors referring to a "bad certificate" or 'bad_cert', or complaining about connection time-outs or resets. In such cases, install your certificate in your browser, or renew the certificate if it has expired.

How do I address SSL errors, such as 'SSL peer cannot verify your certificate', when using VOMS or other cern.ch pages?

As the CERN CA is not globally known by default, you'll need to either add an exception in your browser to allow SSL connections from cern.ch, or download, install, and "trust" the CERN certificate from:
https://ca.cern.ch/ca/

Follow the help pages appropriate for your browser to view instructions on installing and trusting the CA certificate.

VOMS and Safari

If you're using the Safari browser and receive an error stating that the browser can't establish a secure connection to the server: note that the current version of VOMS is incompatible with the current version of Safari. Please use another browser for VOMS connections, such as Chrome or Firefox.

How do I re-sign the VO AUP?

If your AUP agreement has expired or needs to be re-signed, please visit this link:

https://lcg-voms2.cern.ch:8443/voms/atlas/aup/sign.action

The link that is currently being sent from VOMS with AUP reminders seems to be broken, in that it has no effect on AUP status or renewing VO membership.

Is it possible to retrieve another copy of an existing, valid OSG certificate?

Yes, but only in PEM and PKCS7 format; PKCS12 is no longer available once your initial retrieval session has ended. To do so, browse to the OSG PKI Certificate Management page.

Click anywhere on the record for your certificate request, except the GOC Ticket field, which contains a link to the relevant GOC ticket. On the resulting page, under Certificates, there are buttons for downloading your certificate in PEM or PKCS7 format.

Note that PEM and PKCS7 formats do not include copies of your private key, so although you may be able to import them into a browser, you will not be able to extract your private key from them for grid use. If the private key for your certificate has been lost or is not available, you may need to revoke that certificate and request a new one, and download that new certificate in PKCS12 format. As this process is likely to disrupt your VO membership, use this option with caution and as a last resort.
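As an added illustration (example script, not part of this FAQ or of the OSG tools), the following shell functions show the format difference in practice: they test whether a downloaded file carries a private key at all, unpack a PKCS7 download into plain PEM, and split a PKCS12 export into the usercert.pem and userkey.pem pair that grid tools read from ~/.globus. The script assumes the openssl command-line tool; the script name, file names and the P12_PASS/KEY_PASS environment variables are placeholders chosen for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original FAQ or of the OSG tools. Converts the
# formats the OSG PKI page hands out into the usercert.pem / userkey.pem pair
# that grid tools expect, and checks whether a file carries a private key.
# Assumes the openssl command-line tool; all file names are placeholders.

# Return 0 if FILE contains a PEM private-key block, 1 otherwise.
# PEM and PKCS7 downloads from the CA never do; only a PKCS12 export does.
has_private_key() {
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print the number of certificates in a PEM file (user cert alone: 1; with chain: more).
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Unpack a PKCS7 bundle (PEM or DER) into a plain PEM certificate file.
# PKCS7 carries certificates only, so the result can never serve as userkey.pem.
p7b_to_pem() {
  if grep -q -e '-----BEGIN PKCS7-----' "$1"; then
    openssl pkcs7 -in "$1" -print_certs -out "$2"
  else
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
  fi
}

# Split a PKCS12 export into the two files grid tools read from ~/.globus.
# The PKCS12 passphrase is taken from $P12_PASS; the extracted key is
# re-encrypted under $KEY_PASS rather than written in the clear.
p12_to_grid() {
  p12="$1"; cert="${2:-usercert.pem}"; key="${3:-userkey.pem}"
  old_umask=$(umask)
  umask 077                        # create the new files unreadable to others
  openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$cert" -passin env:P12_PASS
  openssl pkcs12 -in "$p12" -nocerts -out "$key" -passin env:P12_PASS -passout env:KEY_PASS
  umask "$old_umask"
  chmod 0644 "$cert"               # the certificate is public
  chmod 0400 "$key"                # proxy tools refuse a key readable by others
}

# Usage when run as a script (assumed file name grid-cert-formats.sh):
#   P12_PASS=... KEY_PASS=... ./grid-cert-formats.sh p12 usercred.p12 [usercert.pem] [userkey.pem]
#   ./grid-cert-formats.sh p7b cert.p7b [cert.pem]
#   ./grid-cert-formats.sh haskey somefile.pem
case "${1:-}" in
  p12)    p12_to_grid "$2" "${3:-usercert.pem}" "${4:-userkey.pem}" ;;
  p7b)    p7b_to_pem "$2" "${3:-cert.pem}" ;;
  haskey) if has_private_key "$2"; then echo "private key present"; else echo "no private key"; fi ;;
  "")     ;;                       # no arguments: just define the functions
  *)      echo "usage: $0 p12|p7b|haskey FILE [OUT ...]" >&2; exit 2 ;;
esac
```

Run the haskey check on a PEM or PKCS7 download before assuming it can stand in for a lost key: those formats contain certificates only, exactly as described above. With OpenSSL 3 and an older PKCS12 export encrypted with RC2 or 3DES, the pkcs12 commands may need the additional -legacy option.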

What should I do if I suspect that my grid certificate key pair has been compromised (certificate and/or key file stolen, certificate passphrase hacked, etc.)?

If your certificate has been compromised, you should report this immediately to OSG in order to protect your grid identity. However, this procedure should not be taken lightly and should be used only in the case of compromise, as it renders your certificate unusable and cannot be reversed.

  1. Browse to the OSG PKI Certificate Management page.
  2. Click the Revoke button.
  3. Under Next Action, in the required text area, type Key Compromise, and then click Revoke.
  4. Follow the instructions in Renewing a Grid Certificate for renewing an expired certificate to request a replacement. Be sure to specify in the Additional Comments field that your certificate was compromised and that you have requested its revocation.

What should I do if I've forgotten my certificate passphrase?

Unfortunately, there is little that can be done to recover the passphrase you used when you generated your certificate request: only you know what your passphrase is, and it is not passed on to the CA with your request. If you have forgotten your passphrase, you have two options: jog your memory to recover it, or use the procedure above to replace your certificate with a new one (taking care to record the new passphrase).

How do I fix an "expired" certificate that hasn't expired?

When a specific certificate authority (CA) is not universally installed in all browsers, as is the case with DigiCert-Grid, any certificate signed by that authority must be accompanied by a valid CA chain file. If you are certain that you have a valid, non-expired certificate, and your browser rejects your certificate as "expired," the culprit could be an invalid, expired, or missing CA chain. Check your browser's Authorities certificate list for an entry for DigiCert-Grid.

How do I renew my VO membership?

Before your VO membership expires, you should receive a warning email from the VO administration. Follow the instructions in this email to view the rules for VO membership and re-sign the acceptable use policy (AUP) form.

If you have deleted, ignored, or not received this email, and your membership has expired, you can try this link to go to your VOMS user home (your browser may prompt you to make an exception for the cern.ch SSL certificate), scroll down to Your AUP acceptance status, and click Request AUP reacceptance. If this fails, you'll need to open a trouble ticket in the Grid Services queue and ask that the Grid group request that ATLAS reinstate your VO membership on your behalf.

I've renewed my certificate, but VOMS complains that it 'already exists in VO database. DN should be unique.'

If your new certificate has the same DN but the CA has changed (e.g., CERN's CA changed in 2014), you will need to add the new certificate to your existing membership, using the same DN and the new CA, as explained in How to Add Certificates to a VO. If you no longer have your "old" certificate and only have a new certificate with a new DN, you'll need to email the VO admins to have the new certificate added for you, or register the new certificate as a new membership.

I've obtained a new certificate and new VO membership. Why does the VO continue to email me regarding my expiring membership?

You may have obtained a new certificate and requested a new VO membership without adding the new certificate to your existing membership. In this case, you'll have two (or more) separate membership entities, one tied to each of your certificates, and you may continue to receive notifications for the membership tied to your previous certificate. If you're no longer using the older certificate, and you can verify in VOMS that your current membership is valid, you can ignore these emails and let your prior membership expire.

How do I change my institutional status or expiration date?

or:

VOMS claims my institutional membership is about to expire! How do I prevent my VO membership from also expiring?

As ATLAS VO institutional affiliation data is pulled directly from the CERN HR accounts database, you'll need to address this with CERN. You can verify your current affiliation on your CERN account management page, and contact the CERN Users Office or your experiment's secretariat with any questions or concerns.

How do I request roles or membership in a VO group?

See our documentation on requesting groups and roles.

How do I restore an expired or suspended VO membership?

Your VO membership is tied to your CERN user account. If your CERN employment or contract is interrupted or expires, your VO membership will be suspended. Check with the CERN Users Office to verify that your CERN account and contract are in good order. Once your CERN account has been verified, email the VO admins to request restoration of your VO membership.

How do I address DDM errors?

Rucio, an ATLAS Distributed Data Management (DDM) tool, may report that your Rucio account name or DDM nickname has not been properly set. To address this, before making a DDM request, set your nickname as shown in step 2 of the grid resource guide.

There have also been reports of issues with ATLAS DDM and certificate DNs containing email addresses, specifically the '@' character. Your certificate may pass all diagnostic checks, yet DDM requests may fail. It may help to obtain a certificate from CERN's CA and add it to your VO membership for use with DDM.

How do I log into GGUS if my certificate has expired or changed?

The GGUS support site associates your site privileges with a certificate DN, but does not check your VO membership for a DN entry; instead, GGUS stores your DN locally with the GGUS service. Thus, if the certificate you have registered with GGUS expires or otherwise becomes invalid, you can log into the site with another certificate DN, but you will lose your account settings and any site privileges associated with your previous DN. In this case, contact GGUS support and ask them to add your new certificate DN to your existing GGUS account, or to merge your accounts if you have created more than one, each associated with a different certificate DN.

Why doesn't my VO membership work with AMI, or another CERN or ATLAS service?

While various services may use VOMS for authentication, VOMS does not control how that authentication is implemented. If you believe that your VO membership is current and valid, and you're having trouble with the AMI service or interface, try the AMI validation page to confirm your certificate and service membership. The page also includes instructions, troubleshooting information, and contacts.

Note that the AMI Manager role is not currently in use. If you need a specialized role for AMI (i.e., to create AMI tags), please contact the AMI group.

How do I troubleshoot problems while renewing my VO membership?

If you receive strange errors while renewing your VO membership, such as "Your certificate was rejected" or "Error code -12224":

  • Check your certificate in your browser to ensure that the correct certificate is being used, and that it has not expired.
  • Check the CA certificates in your browser to ensure that they are properly installed, and that they have not expired.
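The two browser-side checks above, together with the earlier questions about unknown certificate authorities and about an "expired" certificate that hasn't expired, all come down to the same three facts: is the user certificate itself still valid, is its issuer in the installed CA chain, and has any certificate in that chain expired. The following script is an added example, not part of this FAQ or of any grid tool, that answers those questions from the command line: it prints the DN of a certificate in the slash-separated form VOMS and GGUS show, classifies why a user certificate fails to verify against a CA chain file (genuinely expired, issuer not trusted, or something else), and walks a PEM bundle certificate by certificate so that an expired CA certificate behind a misleading "expired" verdict stands out. It assumes the openssl command-line tool; the script name and file paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original FAQ or of any grid tool. Tells a
# genuinely expired user certificate apart from an expired or missing CA chain,
# using only the openssl command-line tool. File names are placeholders for your
# own usercert.pem and the CA chain file you installed.

# Print the subject DN of a PEM certificate in the slash-separated form that
# VOMS and GGUS display, e.g. /DC=org/DC=example/OU=People/CN=Someone.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Classify why a user certificate does or does not verify against a CA chain
# file. Prints one of: valid, expired, untrusted-issuer, other. Returns 0 only
# for "valid". Note that "expired" can be caused by a CA certificate in the
# chain rather than by the user certificate; check_chain_expiry shows which.
diagnose_cert() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  case "$out" in
    *": OK"*)                                  echo valid; return 0 ;;
    *"certificate has expired"*)               echo expired ;;
    *"unable to get local issuer certificate"* | *"self-signed certificate"*)
                                               echo untrusted-issuer ;;
    *)                                         echo other ;;
  esac
  return 1
}

# List every certificate in a PEM bundle (user cert plus CA chain) with its
# expiry, marking expired ones. Returns 0 when all are valid, 1 otherwise.
check_chain_expiry() {
  status=0
  tmp=$(mktemp -d)
  # One file per certificate; text outside the BEGIN/END markers (e.g. the
  # "Bag Attributes" lines openssl pkcs12 emits) is dropped.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { f = "" }' "$1"
  for c in "$tmp"/*.pem; do
    subj=$(cert_subject "$c")
    end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
    if openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
      printf 'OK       %s  (valid until %s)\n' "$subj" "$end"
    else
      printf 'EXPIRED  %s  (expired %s)\n' "$subj" "$end"
      status=1
    fi
  done
  rm -rf "$tmp"
  return "$status"
}

# Usage when run as a script (assumed file name grid-cert-check.sh):
#   ./grid-cert-check.sh ~/.globus/usercert.pem ~/.globus/ca-chain.pem
if [ $# -ge 2 ]; then
  echo "Subject: $(cert_subject "$1")"
  echo "Verdict: $(diagnose_cert "$1" "$2")"
  echo "Chain certificates:"
  check_chain_expiry "$2"
fi
```

When the verdict is "expired" but the user certificate's own line in the chain report reads OK, the expired entry is the CA certificate, and the fix is to reinstall the CA chain rather than to renew your own certificate; a verdict of "untrusted-issuer" means the issuer is missing from the chain file, which corresponds to the browser's unknown-CA warning.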

How do I import or export my certificate or key from Safari and other OS X applications?

See: Certificate and Key Management in Mac OS X.

I have multiple certificates from different CAs. How do I add another one to my VO membership?

Follow the instructions in How to Add Certificates to a VO.

How do I mitigate "Certificate already bound!" errors when adding a certificate to VOMS?

See this section in the multi-certificate VO page.

I requested a certificate and haven't received a response, or I need more information about my request. Whom should I contact?

Unfortunately, our facility is not responsible for the administration of grid certificate requests; we merely provide this information to aid our users, and assist users as we can with VO registration and access issues.

Please contact the OSG Operations Center:

I'm still having trouble with my grid certificate. What should I do?

Have a look at these resources:

  • When renewing an existing certificate: if you don't renew using the same browser you used to request the original certificate, you may not be able to renew the certificate properly (since, according to your new browser, the previous certificate doesn't exist!). To renew using another browser (or some earlier versions of the same browser), first import the existing certificate from your file system or old browser into your new browser.
  • For problems with obtaining grid certificates after completing an application, contact the OSG Operations Center.

If none of these help to address a facility-related problem with your grid certificate, open a trouble ticket in the Grid Services queue and describe your specific issue.
