
Renewing a Grid Certificate

by John S. De Stefano Jr. last modified Apr 25, 2017 03:48 PM
How to renew an existing grid certificate, before or after it expires.

If you already have a grid certificate that is still valid but about to expire, you can replace it with a new certificate with the exact same DN as your current certificate. Renewing your existing certificate will save you the hassle of having to request a new certificate or re-register for a VO with a new certificate later on.

Transition to CERN CA

US ATLAS has ceased to use OSG-supplied user certificates, in favor of certificates issued by the CERN certificate authority (CA). For more information, please see our certificate CA migration page.

Determining certificate expiration date

You can check when your certificate is due to expire by examining it in your web browser's list of stored certificates, or check a stand-alone x509 certificate with an OpenSSL command:

openssl x509 -in your-certificate-name.pem -noout -enddate

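If the certificate is stored in PKCS#12 format (a .p12 file), you'll first need to convert it to PEM before running the above command:

openssl pkcs12 -in your-pkcs12-certificate-name.p12 -out your-new-pem-certificate.pem

When prompted, enter your import password and PEM passphrase, as required. The resulting PEM file contains your private key as well as the certificate, so protect it as carefully as the original .p12 file.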

Renewing a valid certificate

If you use a web browser to renew your certificate, you must have your existing, to-be-replaced certificate loaded into the same browser. Please double-check your certificates. Furthermore, you may need to have valid certificate authority (CA) chains installed in your web browser as well (see instructions at Import Certificate Chain).

To renew a current CERN-issued certificate that has not yet expired, browse to the CERN CA user certificate page and request a "new" certificate, which will generate an updated version of your current certificate with the same DN.

To renew a current OSG-issued certificate that has not yet expired, see the instructions on this page.

Renewing an expired certificate

When your OSG certificate is about to expire, you should receive an email reminder from OIM to renew it. Should you let the certificate expire, you'll receive another email from OIM to inform you of its expiration. That expiration email message should contain a link to a URL for certificate management, which includes a function called "Re-Request". Click the Re-Request button on that page to request that your expired certificate be reinstated.

If you are unable to connect to the site after certificate expiration, or if you receive an SSL or authentication error, please delete the expired certificate from your browser, and try again.

Please don’t use any certificate to authenticate to OIM other than a valid OSG certificate; if you don't have one, or yours has expired, when asked to present a certificate, click Cancel to log in as a guest.

Renewing a CERN CA certificate

If your grid certificate was issued by CERN, you'll need to follow up with them via ca.cern.ch.  Unfortunately, we don't have additional insight into, nor sway with, the CERN certificate process.  Keep in mind that if your certificate is reissued as new or with a different DN than has been registered with your VO membership, you'll need to either add it to your VO membership, or reapply for membership with the new DN.

Discard your old certificate

Whether you've renewed an existing certificate or requested a new one, in order to prevent confusion and avoid the possibility of compromising your grid identity, be sure to discard your old certificate and private key files (.pem or .p12 files). Do not mix your old files with your newly-obtained certificate/key pair.
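
Before discarding the old files, it is worth confirming that the new certificate really carries the same DN and a later expiration date. The following script is an added example, not part of the original page; the function names and the 30-day default window are assumptions, and make_demo_cert only builds throwaway self-signed certificates as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the 30-day
# default window are assumptions; inputs are PEM certificate files.

# Print the subject DN on one line (RFC 2253 form, so two files compare exactly).
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed if the certificate in $1 expires within $2 days.
# -checkend exits 0 when the certificate is still valid after N seconds.
# An unreadable file also counts as "expiring", which fails safe.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_renewal OLD NEW [DAYS]
#   0: NEW has the same DN as OLD and is valid beyond DAYS
#   1: DN changed, so the VO registration must be updated
#   2: NEW itself expires within DAYS (wrong file, or not actually renewed)
check_renewal() {
    days="${3:-30}"
    old_dn=$(cert_dn "$1"); new_dn=$(cert_dn "$2")
    if [ "$old_dn" != "$new_dn" ]; then
        echo "DN changed: '$old_dn' -> '$new_dn'" >&2
        return 1
    fi
    if expires_within "$2" "$days"; then
        echo "new certificate expires within $days days" >&2
        return 2
    fi
    echo "OK: $new_dn"
}

# Constructed sample input: throwaway self-signed certificate (not a grid
# certificate). Usage: make_demo_cert OUT.pem DAYS SUBJECT
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "$3" 2>/dev/null
}
```

Run it as check_renewal old-cert.pem new-cert.pem; a return code of 1 means the DN differs and must be added to your VO membership before the old certificate is retired.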

Troubleshooting

For help with troubleshooting grid certificate renewal issues: