OSG PKI Transition: From DOEGrids CA to OSG CA

OSG operates a public key infrastructure (PKI) as part of its identity management services. The goal of the PKI is to allow for authentication of users and services, and to provide X.509 certificates for end users and host/services. A key component of the PKI is a certificate authority (CA), currently operated by ESNET: the DOEGrids CA. Starting from March 2013, the certificate authority will be transitioned from the DOEGrids CA to the OSG CA. From an end user and system admin perspective, all certificate services will be provided by the OSG CA. The OSG CA will consist of two components: the web-based front-end, which all our end users and system administrators will interact with, and the back-end service that actually produces the certificates. OSG CA has a contract with DigiCert CA to provide the back-end certificate services.

In March 2013, DOEGrids CA will stop issuing new certificates and renewing existing certificates. After this date anyone who needs a new certificate or needs to renew his/her existing certificate will have to follow the steps below to do so.

Let's say a certificate is set to expire in August 2013. The certificate will work fine until its expiration date. There is no need to take any action until the certificate expiration date. However, once it expires in August 2013, the certificate owner (end user or a sys admin if this is a host cert) will have to follow the steps below to get a new certificate.

Let's say a certificate is set to expire in February 2013, before DOEGrids starts transitioning. The certificate owner can renew the certificate with DOEGrids following the regular DOEGrids renewal processes. The renewed certificate will be set to expire in February 2014. Therefore, in February 2014, the certificate owner will follow the steps below to get a new certificate, since DOEGrids will no longer provide certificates.

The official announcement page from OSG is also available.

Please contact maltunay@fnalSPAMNOTNOSPAMPLEASE.gov, tiradani@fnalSPAMNOTNOSPAMPLEASE.gov, snihur@fnalSPAMNOTNOSPAMPLEASE.gov, or burt@fnalSPAMNOTNOSPAMPLEASE.gov for questions.

Impact of the Transition

This transition will have an impact on everyone who uses certificates issued by DOEGrids. We will explain the impact in two separate categories: EndUsers and SysAdmins.

The first category, EndUsers, will explain the impact of the transition on regular end users who use personal certificates to access CMS resources. Anyone with a personal certificate should read this page.

The second category, SysAdmins, will explain the impact of the transition on systems that use service and host certificates for authentication and authorization. A system administrator who is in charge of services that need certificates, and who also authorizes end users to access those services based on the users' certificates, should read this section.

Topic revision: r1 - 2012-11-16
