OSG PKI Transition Impact on End Users

Who is impacted?

Any user who has a personal certificate from DOEGrids CA

What is the impact?

After March 23 2013, DOEGrids CA will stop issuing or renewing certificates. Users should follow the steps outlined below to obtain certificates.

What are the next steps?

  1. If a user is entitled to get certificates from the CERN CA, we strongly recommend that the user should apply to CERN CA for a certificate. If you are a member of CMS, you should be able to get CERN CA certificates easily. We believe that obtaining CERN CA certificates will be easier than switching to OSG CA since most of the authentication will have already been done when you became a member of CMS. If the user has a CERN account, then s/he can obtain a certificate from the CERN CA automatically within a few minutes. The steps for obtaining certificates from the CERN CA are explained at PersonalCertificate.
  2. If the user is not a member of CMS and has no account at CERN, and/or is unable to obtain a certificate from the CERN CA, then they should apply to OSG CA for a certificate. The instructions on how to do so are available here
  3. After obtaining the certificate, import it into your browser and the file system. This step is not any different than what we used to do with DOEGrids CA.
  4. Register the new DN with CMS VOMS, and all other services that require certificate authentication. Your new certificate has a new Distinguished Name (DN). You must register this DN with all service providers, such as VOMS, that allow access based on users' certificate DN names. Below is a list of CMS services that require this. If you need access to these services, you should follow the steps below and register your certificate with the services.
  5. Test access with any of the services that need certificate authentication.

How to Register Your New Certificate with CMS Services

You must register your new certificate with these services to continue accessing them. Because these services authorize users based on their certificates, if you do not register your new certificate, the services will not recognize you and will not provide access to you.

  • VOMS: Please use a modern browser version, Firefox (Mozilla) is recommended.
    • If you have already registered a personal certificate (e.g., from the DOE CA) with the CMS VO in the past, and the DN from that certificate has not yet expired, then please follow these instructions for how to register an additional new personal certificate (e.g., from the CERN CA) with the CMS VO.https://twiki.cern.ch/twiki/bin/view/CMSPublic/VoRegForExistingMember (If you renew certificates, then your DN stays the same. If your certificate has expired, then a new certificate will have a new DN.)
    • If you have never registered a personal certificate with the CMS VO in the past (or don't know), or the DN from the certificate which you have registered with the CMS VO has expired (or don't know), then please follow these instructions for how to register your new personal certificate (e.g., from the CERN CA) with the CMS VO.https://twiki.cern.ch/twiki/bin/view/CMSPublic/CERNcert2VO4newVOMSuser
  • CERN Single Sign On (SSO) allows access to Twiki and Indico. Go to https://ca.cern.ch/ca/. On the left side, under User Certificates, select "Map a non-CERN certificate to your account". Follow the directions on the CERN web page.
  • REBUS.
  • GGUS
  • OIM, MyOSG, OSG Ticketing system,
  • Crab/siteDB: see https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB#Adding_your_DN_to_your_profile
  • site local storage (grant write permission on the local site storage to the new DN of the person running local PhEDEx download agents for that site).
Edit | Attach | Watch | Print version | History: r12 < r11 < r10 < r9 < r8 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r12 - 2014-01-06 - DiegoGomes
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    CMSPublic All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback