You are here: Home User Information How-To Documentation How to for Grid Users OSG Certificate Information

OSG Certificate Information

by John S. De Stefano Jr. last modified Jun 21, 2016 11:05 AM
How to request, install, and renew grid certificates issued by OSG.

US ATLAS Transition to CERN CA

Note that US ATLAS has ceased to use OSG-supplied user certificates, in favor of certificates issued by the CERN certificate authority (CA). Thus, ATLAS users will no longer be able to obtain user certificates from OSG. For more information, please see our certificate CA migration page.

This page is currently maintained for users in VOs other than ATLAS.

Introduction

The OSG OIM site provides pages and tools for requesting and managing grid certificates.

Note: if you attempt to update your installed certificate and have trouble accessing the renewal page, it's likely that your installed certificate has expired, in which case you'll first need to delete the existing copy of the certificate from your browser before attempting to access the renewal page again.

Requesting a Certificate

To request a new OSG certificate:

  1. Browse the the OIM User Certificate interface:
    https://oim.grid.iu.edu/oim/certificateuser
  2. To access the page, choose your existing certificate from OSG, or other CA that has issued your certificate for your current or desired VO, if applicable. If you're applying for a new certificate without an existing one, click Cancel to log in as a guest.
  3. Once logged in, click Certificate in the site top navigation menu, or browse to:
    https://oim.grid.iu.edu/oim/certificate
  4. Ensure that, in the left-hand column, your current page is indicated as "Request New" under "User Certificates". If not, click that link to go there.
  5. Under DN, ensure your name is spelled correctly.
  6. Under Sponsor, from the Virtual Organization pull-down, select your current or desired VO (ATLAS, OSG, STAR, etc.).
  7. Under Comments, add any necessary information regarding your VO status, including names of, or notes to, your VO sponsors, notes regarding your VO membership, etc.
    Your sponsor is a team leader at your home institution, or someone who can vouch for your employment at the institution and your participation in the VO.
  8. Read the OSG Policy Agreement, and toggle "I Agree" to indicate your agreement to those terms.
  9. Click Submit.
    After your request has been created, you'll be redirected to a new record of the request in the OIM My Requests section. You'll also receive an email record of the request, as well as a copy of the GOC email ticket request to the administrators of your VO for their approval.

Installing a Certificate

Once your request has been approved by your sponsor and administrators, you will receive an email containing a link to your original request.

  1. Follow the email link, or browse to the OIM My Requests page:
    https://oim.grid.iu.edu/oim/certificateuser

    Note: while it may not be strictly necessary to obtain your new certificate using the same browser with which it was requested, we recommend doing so as a result of troubleshooting certificate issues in the past.

  2. The page will contain an entry with the status of "APPROVED". Click anywhere on this entry, save for the GOC Ticket field, which contains a link to the relevant GOC ticket.
  3. On the record page, within the Next Action section, enter and confirm a password of 12 or more characters. The form will alert you if your password selection is too short or contains one or both of the following:
    • Three or more consecutive instances of the same character (e.g., '111')
    • Three or more consecutive ascending or descending single characters (e.g., '123','654')
  4. Once you have successfully entered and confirmed a password, click Issue Certificate.
  5. The site will generate the certificate and private key pair, and then create a new button entitled Download Certificate & Private Key (PKCS12) in the Certificates section. Click this button to download your new certificate/key pair in PKCS12 format.

    Note: be sure to click this button to retrieve your certificate/key file within a reasonable timeframe, and certainly before closing the browser window for this page; otherwise the server will delete the private key, and the option to download the certificate in PKCS12 format will be replaced by options to download instead in PEM and PKCS7 format.

Some applications and specific application functions, such as digital signing and encryption of email messages, may also require the installation of the proper CA certificate chain. See the appropriate section of our grid certificate FAQ for instructions on installing a CA chain, or our documentation on digital signing and encryption.

Renewing a Certificate

To renew or replace an existing, valid OSG certificate:

  1. Browse to the OIM My Requests page, providing your existing certificate in your browser as requested:
    https://oim.grid.iu.edu/oim/certificateuser
  2. Click the entry for your current, valid certificate.
  3. In the Action field, click Renew.
  4. Enter (and re-enter) a new encryption password, toggle the checkbox for the RA agreement, and click Renew.

To renew a valid certificate via command line interface (CLI), see:

If your certificate has expired, you'll first need to delete the existing copy of the certificate from your browser before attempting to access the renewal page again.

Please don’t use any certificate to authenticate to OIM other than a valid OSG certificate; if you don't have one, or yours has expired, when asked to present a certificate, click Cancel to log in as a guest.

Revoking a Certificate

In the case that your existing OSG certificate password is lost, or your certificate/key pair has been stolen or compromised, request the revocation of the certificate:

  1. Browse to the OIM My Requests page, providing your existing certificate in your browser as requested:
    https://oim.grid.iu.edu/oim/certificateuser
  2. Click the entry for your current, valid certificate.
  3. In the Next Action field, click Revoke.

Converting a Certificate

To convert the new certificate for use in grid jobs:

  1. Use the openssl pkcs12 command to convert the certificate and its key:
    openssl pkcs12 -in [your-cert-file] -clcerts -nokeys -out ~/.globus/usercert.pem
    openssl pkcs12 -in [your-cert-file] -nocerts -out ~/.globus/userkey.pem
    
    In response to each command, you will be prompted for two passwords:
    • Enter Import Password: This is the password you created when you exported your certificate from your browser.
    • Enter PEM passphrase: This is the optional Challenge Phrase Password you created when you first requested your certificate from the CA.
  2. Change permissions to protect the converted key file:
    • In Linux/UNIX/Mac:
      chmod 600 userkey.pem
      
    • In Windows:
      1. Right-click the file userkey.pem, and choose Properties.
      2. Change the Permissions settings so that you have Read and Write permissions, and that no permissions at all are selected for Group and World.

Gaining VO Membership

To gain access to virtual organization (VO) resources, and use your certificate to join a VO, see steps 3 and 4 of our Grid Certificate FAQ entry.

Adding a Certificate to a VO Membership

To add your new certificate to your existing VO membership via VOMS, see:

Certificates and VOMS in OS X

In some browsers in OS X that use the inherent system keychain for certificate storage, such as Safari and Chrome, you may see an error indicating that the browser can't verify the identity of the VOMS web site. You may need to change the "trust" settings of the CERN CA chain files, including the CERN Root CA, the CERN Trusted Certificate Authority, and the lcg-voms certificate. When you receive the error dialog, click Show Certificate, and then for each of the certificates in the chain, click Trust, and change the value of "When using this certificate" from "Use System Defaults" to "Always Trust". Alternatively, you may be able to click a check-box for Always trust "CERN Root CA" if one appears. After changing the value for all certificates in the chain, click Continue.

Additional Information

For troubleshooting and questions and answers, see:

Note that this information may change and improve as administrators grow more familiar with the new system.

For additional information, see:

Document Actions