How to Add Certificates to a VO Membership

by John S. De Stefano Jr. last modified Jan 15, 2016 07:59 AM
Manage multiple grid certificates (including certificates from multiple CAs) in your VO membership.

If one or more of your grid certificates have recently changed, or you've obtained a new certificate, you'll need to add the additional certificate to your existing VO membership certificate list.

Using your current certificate

If the certificate that is currently registered to your virtual organization (VO) membership is still valid, not expired, and installed in your browser:

  1. Obtain the distinguished name (DN) and certificate authority (CA), or issuer, of your new grid certificate.
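    In most cases, you can use OpenSSL to return the DN and CA of your new certificate file with the following commands (-nameopt compat keeps the slash-separated form on OpenSSL 1.1.0 and later, which otherwise prints a comma-separated name):
    openssl x509 -noout -in ~/.globus/usercert.pem -subject -nameopt compat | sed 's/^subject= *//'
    openssl x509 -noout -in ~/.globus/usercert.pem -issuer -nameopt compat | sed 's/^issuer= *//'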
  2. With your current, valid certificate (i.e., the certificate already registered with VOMS) loaded in your browser, browse to https://lcg-voms2.cern.ch:8443/voms/atlas/user/home.action
    It's important to complete this step with your current certificate that's registered with VOMS: if you authenticate to VOMS with your new certificate instead, VOMS will not recognize the certificate and will prompt you to create a new VO membership request.
    If your browser warns you of a privacy issue on the VOMS Admin site at CERN, add an exception (temporary or permanent) for the site, or import the CERN CA chain into your browser.
  3. Scroll down to Certificates, and click Request New Certificate.
  4. If you have the new certificate file in .PEM format, under Certificate File, click Browse, select your local certificate file, and click Request Certificate. Otherwise, continue to the next step.
  5. In the Subject field of the new record, enter (or copy and paste from step 1) the full Distinguished Name (DN) of your new certificate.  For a CERN-issued certificate, this would be similar to the following:
    /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=nickname/CN=012345/CN=Your Name
  6. In the CA field of the record, choose the name of the Certificate Authority or issuer of your new certificate, as determined in step 1.
    Warning: choosing the incorrect CA at this phase may negatively impact your ability to successfully add your certificate to a VO membership. As multiple versions or variants of some CAs may be shown in the CA list, please take care that the CA you choose matches exactly that shown as the "issuer" of your certificate.
  7. Click Request Certificate.

A VO administrator will review your request. Once approved, you can begin using your new certificate for grid work and VO authentication, and delete previous certificates from your VO membership, your file system, your browser, and other applications as desired.

Adding without current certificate

If your current certificate or VO membership has expired, or you do not have your certificate installed in your browser and cannot access the certificate files to install them, please send an email to the ATLAS VO Administrators group to request that your new certificate be added to your existing membership. Be sure to include the DN and CA of the new certificate to be added.

Deleting obsolete certificates

To remove any expired or obsolete certificates from your VO membership (taking care not to accidentally delete your current certificates):

  1. Click Member Info --> Certificates --> Delete Certificate, accept the defaults, and click Submit.
  2. Enable the appropriate certificate box under Select, and then click Submit to delete the selected certificate.

"Certificate already bound!" errors

If you encounter an error from VOMS when adding a certificate, claiming that the certificate is "already bound" to your account, you're likely trying to add a certificate DN/CA combination that is already registered to your VO membership, i.e., a certificate that has been renewed without the DN and CA having changed. In this case, your new certificate does not need to be added to the membership again.

If the certificate has expired before renewal, and your VO membership has been suspended as a result, contact the ATLAS VO Administrators group to request that your membership be restored.
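
The following added example (not part of the original page or of VOMS) compares the DN/CA pair of your current and new certificate files and prints which of the paths described above applies: nothing to add ("already bound"), request through VOMS Admin, or email the VO administrators. It assumes OpenSSL is installed; the function names, result labels, optional margin argument and sample-certificate helper are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Function names, labels and sample subjects are hypothetical.

# Subject DN in the slash-separated form entered in the VOMS Subject field.
cert_dn() { openssl x509 -noout -in "$1" -subject -nameopt compat 2>/dev/null | sed 's/^subject= *//'; }

# Issuer (CA) DN in the same form.
cert_ca() { openssl x509 -noout -in "$1" -issuer -nameopt compat 2>/dev/null | sed 's/^issuer= *//'; }

# Succeeds if the certificate will not have expired $2 seconds from now (default 0 = now).
cert_unexpired() { openssl x509 -noout -in "$1" -checkend "${2:-0}" >/dev/null 2>&1; }

# Create a throwaway self-signed certificate (constructed sample, valid for one day).
make_sample_cert() {  # usage: make_sample_cert SUBJECT OUTFILE
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Print which path applies: vo_action CURRENT.pem NEW.pem [MARGIN_SECONDS]
vo_action() {
  cur_id="$(cert_dn "$1")|$(cert_ca "$1")"
  new_id="$(cert_dn "$2")|$(cert_ca "$2")"
  if [ "$cur_id" = "|" ] || [ "$new_id" = "|" ]; then
    echo "unreadable-certificate"; return 1
  elif [ "$cur_id" = "$new_id" ]; then
    echo "already-bound"       # renewal with unchanged DN and CA: nothing to add
  elif cert_unexpired "$1" "${3:-0}"; then
    echo "request-in-voms"     # log in with the current certificate, request the new one
  else
    echo "email-vo-admins"     # current certificate expired: ask the VO administrators
  fi
}

# When run as a script with two PEM files, print the result.
if [ "$#" -ge 2 ]; then vo_action "$@"; fi
```

The comparison treats the first file as the certificate already registered with VOMS, so "already-bound" is only meaningful when that is true.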
