"Please be aware that from now on GridKa-CA certificates will be issued only on Monday, Wednesday and Friday afternoon."
Application is possible any time!
The CA portal at GridKa now supports the Crypto-API of recent browsers such as
The Grid user certificate request procedure stores the private key (which YOU AND ONLY YOU possess) in the internal database of your browser. The private key MUST NOT get lost because it cannot be recovered.
Please make sure that your Firefox browser is NOT UPDATED or reinstalled during the request/retrieval procedure!
Please NEVER ever spawn a SECOND request in the GridKa portal unless you are asked to do so!
Every new request generates work at GridKa because every single certificate request must be processed manually at a secure computer outside any network.
The DESY RA can be reached via firstname.lastname@example.org.
In order to access global Grid resources, users must hold a valid personal Grid user certificate (authentication) AND users must be a member of a Virtual Organization (VO) (authorization).
A valid Grid user certificate is a prerequisite to request membership in a VO. Users usually have one Grid user certificate. Multiple VO membership is possible.
A Grid user certificate (X.509 format) is a certified public key; it is used together with the corresponding private key, which is protected by a password. The private key and the password are exclusively possessed by the user and are NOT known to the Registration Authority (RA) or Certification Authority (CA) at any stage.
A certificate is valid for one (1) year and can be renewed. Users get notified by the CA via email three (3) weeks before the expiration date. It is strongly recommended to renew the certificate before its expiration.
The most frequent user issues for requests are:
A Grid user certificate can be seen as an analogy to a passport, whereas the VO membership compares to a visa.
If you observe problems obtaining a proxy via 'voms-proxy-init', inspect your certificate as described at the bottom of this page.
In Germany Grid user certificates are issued by the GermanGrid Certification Authority (CA) at GridKa in Karlsruhe. The GridKa CA is part of the International Grid Trust Federation (IGTF); hence Grid user certificates are accepted by all Grid sites in WLCG. In order to facilitate the request procedure, many institutions in Germany operate Registration Authorities (RA) which take over the necessary paperwork on behalf of the CA.
According to the GridKa policy, a user must be a member (e.g. employee) of, and located at, the institute or university from which they request a Grid user certificate (via the RA). This is necessary to contact users in case of security issues and to prove identity. This applies also to renewals. If the user changes group, institute or university, the new RA is in charge of approving certificates.
In the past the DESY RA approved Grid user certificate requests also for guest scientists permanently located at DESY because their home institutions/countries did not have CAs. Since all institutions/countries now have CAs, please refer to the International Grid Trust Federation (IGTF) to find the relevant CA of your home institution.
Non-DESY users in Germany might find their responsible RA in the RA List of GridKa.
Users with non-German home institutions refer to the IGTF.
For the FIRST certificate request at DESY ONLY!: We have to know you and your identity! Therefore you need to:
This step is done electronically via browser, both for the first certificate request and for any subsequent renewals. For your name, please do not use capital letters only.
Please use a DESY email address (email@example.com)!
Please use a recent browser. Konqueror and Microsoft Edge are NOT supported. See GridKa FAQ.
Please do NOT send copies of your passport and/or ID card around.
Please do not issue a second certificate request in the GridKa portal unless you are asked to do so, e.g. because your request is erroneous.
In case you extend your certificate, please make sure you choose the same DN, as the current one is probably already registered with a VO. A changed DN requires re-registering with the VO(s).
For some special cases such as regularly running services, which need authentication/authorization through proxies, a so-called robot certificate can be used. This is clearly a non-standard case for experts only!
Robot certificates can be requested by a user via the GridKa portal under 'Host/ Service/ Robot Zertifikate'. Make sure they contain the word 'Robot' in the CN, e.g.:
Technically a new private/public key pair is created with every renewal.
In Firefox, the certificate together with its private key can be backed up (exported as a PKCS#12 file) via:
Preferences -> Privacy & Security -> Certificates -> View Certificates -> Your Certificates (-> Backup)
Please make sure your certificate (usercert.pem) and private key (userkey.pem) are stored in ~/.globus with the permissions shown below, are still valid, and belong together (the two modulus digests printed by the last two commands must be identical):
> cd ~/.globus
> ls -l ~/.globus
-r--r--r-- 1 xxx yyy 1728 8. Apr 09:36 usercert.pem
-r-------- 1 xxx yyy 2012 8. Apr 09:36 userkey.pem
> openssl x509 -subject -issuer -dates -noout -in usercert.pem
subject= /C=DE/O=GermanGrid/OU=DESY/CN=NNNN
issuer= /C=DE/O=GermanGrid/CN=GridKa-CA
notBefore=Mar 29 16:32:00 2019 GMT
notAfter=Apr 27 16:32:00 2020 GMT
> openssl x509 -noout -modulus -in usercert.pem | openssl md5
> openssl rsa -noout -modulus -in userkey.pem | openssl md5
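The manual checks above, collected into one shell script that is added here as an example and is not DESY or GridKa code. It assumes only the openssl command line tool, an RSA key pair and the ~/.globus file names usercert.pem and userkey.pem; the optional PASSIN argument is a hypothetical convenience for non-interactive runs and takes openssl's standard -passin syntax. It fails, with a reason, before voms-proxy-init would: wrong file permissions, a key that does not belong to the certificate (or a wrong password), an expired certificate, or a certificate not issued by GridKa-CA.

```shell
#!/bin/sh
# check_gridcert.sh: sanity-check a Grid user certificate/key pair in a
# ~/.globus-style directory before running voms-proxy-init.
# Added example, not DESY or GridKa code. Assumes only the openssl command
# line tool, an RSA key pair and the file names usercert.pem / userkey.pem.
#
# Usage: check_gridcert [DIR] [PASSIN]
#   DIR     directory holding usercert.pem and userkey.pem (default ~/.globus)
#   PASSIN  optional (hypothetical) openssl -passin spec for the key password,
#           e.g. pass:xyz; when omitted, openssl prompts for the password.
# Returns 0 when every check passes and reports each failing check otherwise.

RENEW_WINDOW=1814400   # three weeks in seconds, the CA's reminder lead time

check_gridcert() {
    dir="${1:-$HOME/.globus}"
    passin="$2"
    cert="$dir/usercert.pem"
    key="$dir/userkey.pem"
    rc=0

    for f in "$cert" "$key"; do
        [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    done

    # 1. Permissions, taken from the ls -l mode string so it works on any Unix.
    #    The private key must be readable by its owner only; Grid tools refuse
    #    a key that is group- or world-readable.
    keymode=$(ls -ld "$key" | cut -c1-10)
    case "$keymode" in
        -r--------|-rw-------) ;;
        *) echo "FAIL: userkey.pem mode $keymode, expected -r-------- (chmod 400)"; rc=1 ;;
    esac
    certmode=$(ls -ld "$cert" | cut -c1-10)
    case "$certmode" in
        -r--r--r--|-rw-r--r--) ;;
        *) echo "FAIL: usercert.pem mode $certmode, expected -r--r--r-- (chmod 444)"; rc=1 ;;
    esac

    # 2. Certificate and key must belong together: the RSA modulus printed for
    #    each must be identical. (Piping both through md5, as on this page,
    #    only shortens the output; comparing the full value is equivalent.)
    certmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    if [ -n "$passin" ]; then
        keymod=$(openssl rsa -noout -modulus -in "$key" -passin "$passin" 2>/dev/null)
    else
        keymod=$(openssl rsa -noout -modulus -in "$key")
    fi
    if [ -z "$keymod" ]; then
        echo "FAIL: cannot read the private key (wrong password or damaged file)"; rc=1
    elif [ "$certmod" != "$keymod" ]; then
        echo "FAIL: usercert.pem and userkey.pem do not match (stale or foreign key)"; rc=1
    fi

    # 3. Validity: fail if already expired, warn if inside the renewal window.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "FAIL: certificate expired: $(openssl x509 -noout -enddate -in "$cert")"; rc=1
    elif ! openssl x509 -noout -checkend "$RENEW_WINDOW" -in "$cert" >/dev/null; then
        echo "WARN: certificate expires within three weeks, renew it now"
    fi

    # 4. Issuer: WLCG sites expect the GermanGrid CA, so a self-signed or test
    #    certificate is caught here. grep tolerates both the old "/C=DE/O=..."
    #    and the newer "C = DE, O = ..." issuer formatting of openssl.
    if ! openssl x509 -noout -issuer -in "$cert" | grep -q 'GridKa-CA'; then
        echo "FAIL: issuer is not GridKa-CA: $(openssl x509 -noout -issuer -in "$cert")"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $(openssl x509 -noout -subject -enddate -in "$cert")"
    return "$rc"
}

# Run directly with a directory argument, or source the file and call check_gridcert.
if [ "$#" -gt 0 ]; then
    check_gridcert "$@"
fi
```

Run it as `sh check_gridcert.sh ~/.globus` and type the key password when openssl asks. The permission patterns mirror the ls output above; the issuer check is the one most often tripped by people who test with a self-signed certificate.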
The private key is created by the browser when the request is issued on the GridKa portal page and is therefore stored in that particular browser. Hence the certificate must be retrieved from GridKa with the same browser (and the same browser profile) that was used for the request.
A lost private key, certificate or password cannot be recovered by any means by the CA or RA.