You are here: Home User Information How-To Documentation How to for Grid Users Renewing a Grid Certificate

Renewing a Grid Certificate

by John S. De Stefano Jr. last modified Nov 08, 2019 10:56 AM
How to renew an existing grid certificate, before or after it expires.

If you already have a grid certificate that is still valid but about to expire, you can replace it with a new certificate with the exact same DN as your current certificate. Renewing your existing certificate will save you the hassle of having to request a new certificate or re-register for a VO with a new certificate later on.

Transition to CERN CA

US ATLAS has ceased to use OSG-supplied user certificates, in favor of certificates issued by the CERN certificate authority (CA). For more information, please see our certificate CA migration page.

Determining certificate expiration date

You can check when your certificate is due to expire by examining it in your web browser's list of stored certificates, or check a stand-alone x509 certificate with an OpenSSL command:

openssl x509 -in your-certificate-name.pem -noout -enddate

If the certificate is encrypted in pkcs12 format, you'll first need to convert it to PEM before running the above command:

opnssl pkcs12 -in your-pkcs12-certificate-name.p12 -out your-new-pem-certificate.pem

When prompted, enter your import password and PEM passphrase, as required.

Renewing a CERN CA certificate

CERN users wanting to renew a certificate issued by CERN can simply go to the New User Grid Certificate page on the CERN CA site. Create a password to protect the certificate, and click Get Grid User certificate. The result should be a new certificate with the same DN and CA as your previous certificate, thereby effectively renewing your certificate.

Keep in mind that if your certificate is reissued as new or with a different DN than has been registered with your VO membership, you'll need to either add it to your VO membership, or reapply for membership with the new DN.

See our page on installing your certificate to install or replace existing certificate files.

Discard your old certificate

Whether you've renewed an existing certificate or requested a new one, in order to prevent confusion and avoid the possibility of compromising your grid identity, be sure to discard your old certificate and private key files (.pem or .p12 files). Do not mix your old files with your newly-obtained certificate/key pair.

Troubleshooting

For help with troubleshooting grid certificate renewal issues: