Frequently Asked Questions: Grid Certificate Requests, Installation, and Use
While these instructions have been created largely for the benefit of ATLAS Virtual Organization (ATLAS VO) members mainly within the United States, members of other VOs may find them useful and should substitute their VO and certificate authority (CA) as appropriate.
Grid Certificate issues:
- Replace expiring/expired certificate
- Obtain new certificate
- Renew an expiring/expired certificate
- Errors regarding unknown CAs when installing grid certificate
- VOMS error regarding bad certificate or unable to access site
- SSL errors when using VOMS or other cern.ch pages
- Retrieve another copy of existing OSG certificate
- Compromised certificate key pair
- Forgot certificate passphrase
- "Expired" certificate that has not expired
- "Certificate exists in VO database" error
- VO sending emails regarding expiring membership
- Log in to GGUS after expired or changed certificate
- Troubleshoot renewing VO membership
- Import certificate or key from Safari or another macOS application
- Certificate-Key Management in Windows
- Adding another certificate to VO membership
- "Certificate already bound!" errors
- Contact about certificate request
- Additional assistance
VO Membership Issues:
- Re-sign VO AUP
- Renew VO membership
- Change institutional status or expiration date
- Request role or membership in VO group
- Restore expired or suspended VO membership
- DDM errors
- VO membership with AMI, Rucio, or another CERN or ATLAS service
How do I replace an expiring/expired certificate with a new certificate from a different CA?
To replace an expiring certificate from a previous CA (e.g., DOEGrids/DigiCert) with a new certificate from a new CA (e.g., CERN):
- Obtain and install a new certificate. For U.S. users, refer to: Obtaining a Grid Certificate.
- Add the new certificate to an existing VO membership and set it as the primary certificate: How to Add Certificates to a VO Membership.
- For ATLAS data transfers and grid work, ensure that the user's "nickname" field in VOMS (Virtual Organization Membership Service) exactly matches the CERN user account login name. Also, ensure the email entry in VOMS matches the email associated with the CERN user account.
- If the preceding steps do not work for ATLAS and the user has multiple certificate distinguished names (DNs) or VO identities listed in VOMS, email the VO admins to request that your ATLAS VO profiles be merged. Be sure to specify which certificate DN should be listed as your primary.
For more detail about ATLAS VO steps, refer to Joining the ATLAS VO.
How do I obtain a new grid certificate?
Follow the instructions for Obtaining a Grid Certificate.
How do I renew an expiring/expired grid certificate?
Follow the instructions for Renewing a Grid Certificate.
Unfortunately, if a certificate linked with an existing VO membership has expired, is no longer available to the user, or the user can no longer log into VOMS with it, the person will need to obtain a renewed or new certificate. If the DN or CA in the new or renewed certificate does not match those of the certificate registered to the user's VO membership, she/he will need to request that the new certificate be added to an existing VO membership as explained in How to Add Certificates to a VO Membership.
You can check your certificate for its expiration date by viewing its attributes in your browser or OS's certificate store, or with an `openssl` command like the following (`-noout` suppresses the certificate body so that only the validity dates are printed; `grep After` keeps the `notAfter=` line):
openssl x509 -in ~/.globus/usercert.pem -noout -dates | grep After
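The expiry check above, extended into the three checks worth running before opening a ticket: that the certificate is still valid, that `userkey.pem` actually belongs to `usercert.pem`, and that the certificate verifies against the installed CA chain (the failure that the "unknown certificate authority" and spurious "expired" sections of this FAQ describe). This is an added example written for this page; it is not part of the FAQ or of any OSG or CERN tooling. Everything it inspects is constructed on the fly: a throwaway "Toy Grid CA", a user certificate signed by it, plus an unrelated CA and an unrelated key so the failure cases can be shown. The `$WORK` paths, the CA and user names, and the configuration file are all assumptions; point the three arguments of `cert_report` at `~/.globus/usercert.pem`, `~/.globus/userkey.pem`, and your installed CA chain file to run it against real credentials.

```shell
#!/bin/sh
# Added example, not from the FAQ: offline sanity checks for a grid
# certificate/key pair using only openssl. The "Toy Grid CA", the user
# certificate it signs, and every path below are constructed fixtures for
# the demonstration, not real grid credentials or real CA names.
set -e

WORK=$(mktemp -d)
CA_FILE="$WORK/toy-ca.pem"   # stands in for the CA chain file you install

# Minimal req config so the throwaway CAs carry CA:TRUE on every OpenSSL version.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed fixtures: the CA, a user cert it signs, an unrelated CA
# (wrong chain) and an unrelated key (wrong userkey.pem).
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/DC=org/DC=example/CN=Toy Grid CA" \
  -keyout "$WORK/ca.key" -out "$CA_FILE" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/DC=org/DC=example/OU=People/CN=Jane Doe 12345" \
  -keyout "$WORK/userkey.pem" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -days 7 -CA "$CA_FILE" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/usercert.pem" 2>/dev/null
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/DC=org/DC=example/CN=Some Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" 2>/dev/null
openssl genrsa -out "$WORK/otherkey.pem" 2048 2>/dev/null
chmod 600 "$WORK/userkey.pem" "$WORK/otherkey.pem"

# Subject DN in the slash form that VOMS, GGUS and Rucio record.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Issuer DN: names the CA chain the browser or host must trust.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# Exit 0 if the certificate is still valid $2 seconds from now (default:
# 7 days, a sensible renewal warning); exit 1 if expired or expiring by then.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null 2>&1
}

# Exit 0 if private key $2 belongs to certificate $1. Public keys are compared
# as SHA-256 digests of their DER form, so non-RSA keys work too. For a
# passphrase-protected userkey.pem add  -passin pass:...  to the pkey calls.
key_matches_cert() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 if certificate $1 chains to CA file $2. A missing, wrong or expired
# CA file is what produces "issuer unknown" and spurious "expired" errors
# even when the user certificate itself is fine.
cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# One-shot report: the lines worth pasting into a trouble ticket.
cert_report() {
  echo "subject : $(cert_dn "$1")"
  echo "issuer  : $(cert_issuer "$1")"
  echo "expires : $(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
  cert_valid_for "$1" && echo "validity: more than 7 days left" \
    || echo "validity: EXPIRED or expiring within 7 days"
  key_matches_cert "$1" "$2" && echo "key     : matches certificate" \
    || echo "key     : DOES NOT match certificate"
  cert_chain_ok "$1" "$3" && echo "chain   : verifies against $3" \
    || echo "chain   : FAILS against $3 (install or refresh the CA chain)"
}

cert_report "$WORK/usercert.pem" "$WORK/userkey.pem" "$CA_FILE"
```

Run `cert_report` with the wrong key or the wrong CA file to see the two failure lines; the `-checkend` window is the same seven-day horizon at which VO reminder emails tend to arrive, so a cron job calling `cert_valid_for` is a cheap way to get your own warning before the membership one.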
How do I address errors regarding unknown certificate authorities in installing my grid certificate?
When installing a certificate, users may receive a warning or error similar to one of the following:
- This certificate cannot be verified and will not be imported.
- The certificate issuer might be unknown or untrusted.
To address this problem, users may need to add an exception to permit their browser to connect to the site or install the CA chain for the certificate issuer (refer to How to Import a CA Certificate Chain).
Why does VOMS complain about a "bad certificate" or prevent me from accessing the site?
VOMS uses the grid certificate to authenticate users and to authorize them for VO groups and services. If no grid certificate is installed in the user's browser, or the certificate has expired or is otherwise no longer valid, VOMS cannot authenticate the user and will not grant access. The symptom may be an error mentioning a "bad certificate" or "bad_cert," or simply a connection timeout or reset. In such cases, install a grid certificate in the browser or renew the certificate if it has expired.
How do I address SSL errors, such as "SSL peer cannot verify your certificate," when using VOMS or other cern.ch pages?
Because the CERN CA is not in the default trust store of most browsers, users need either to add a browser exception for SSL connections to cern.ch or, preferably, to download, install, and "trust" the CERN CA certificate from: https://ca.cern.ch/ca/. Installing the CA is the better fix: an exception silences the warning for that one host without verifying the server, whereas a trusted CA lets the browser check every cern.ch certificate properly.
To view instructions for installing and trusting the CA certificate, follow the help pages appropriate for the web browser.
VOMS and Safari
When using the Safari browser, if users receive an error stating that the browser cannot establish a secure connection to the server, it is likely the current version of VOMS is incompatible with that version of Safari. Please use another browser for VOMS connections, such as Chrome or Firefox.
How do I re-sign the VO AUP?
If the acceptable use policy (AUP) agreement has expired or needs to be re-signed, please visit this link: https://lcg-voms2.cern.ch:8443/voms/atlas/aup/sign.action.
Note: The link currently being sent from VOMS with AUP reminders seems to be broken in that it has no effect on AUP status or renewing VO membership.
Is it possible to retrieve another copy of an existing, valid Open Science Grid (OSG) certificate?
Yes, but only in PEM and PKCS7 formats—not in PKCS12 after an initial retrieval session has ended.
Click anywhere on the record for a certificate request, save for the GOC Ticket field, which contains a link to the relevant GOC ticket. From the ensuing page, under Certificates, there are buttons for downloading a certificate in PEM or PKCS7 formats.
Note: PEM and PKCS7 formats do not include copies of a user's private key. While users may be able to import them into a browser, they will not be able to extract their individual private key from them for grid use. If the private key for a certificate has been lost or is not available, users may need to revoke that certificate, request a new one, and download that new certificate in PKCS12 format. As this process likely will disrupt a user's VO membership, use this option with caution as a "last resort."
What should I do if I suspect that my grid certificate key pair has been compromised (certificate and/or key file stolen, certificate passphrase hacked, etc.)?
If users suspect a certificate has been compromised, they should report it to OSG immediately to protect their grid identity. This procedure should not be taken lightly, however, and is meant only for an actual compromise: revocation renders the certificate permanently unusable and cannot be reversed.
- Browse to the OSG PKI Certificate Management page.
- Click the Revoke button.
- Under Next Action, type Key Compromise in the required text area, then click Revoke.
- Follow the instructions for Renewing a Grid Certificate to request a replacement. Specify in the Additional Comments field that the certificate was compromised and its revocation is requested.
What should I do if I forget my certificate passphrase?
Unfortunately, there is little that can be done to recover the passphrase chosen when generating the certificate request: the passphrase encrypts the private key on the user's own machine and is never sent to the CA with the request, so only the user knows it. If users forget their passphrase, there are two "recovery" options: 1) recover the passphrase from memory, or 2) use the grid certificate compromise procedure above to renew the certificate, this time taking extra care to record the passphrase.
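Two points in this FAQ are easier to believe once seen: a PEM or PKCS7 download from the CA carries no private key (the "retrieve another copy" answer above), and a forgotten passphrase cannot be recovered from anything the CA holds, because it only ever protected the key on your own disk. The following added example, written for this page and not part of the FAQ or of any OSG or CERN tooling, walks a constructed self-signed certificate through the formats involved: PEM to PKCS7 and back (still no key), PEM plus key into a passphrase-protected PKCS12 file (the form a browser can import, and the form the CA offers only once), PKCS12 back into the `usercert.pem`/`userkey.pem` pair with the file modes GSI tools require, and finally a passphrase test you can run before concluding the passphrase is gone and resorting to revocation. The certificate, the passphrase, the friendly name, and all `$W2` paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the FAQ: what each download/export format of a
# grid certificate contains, how to turn a PKCS#12 file into the
# usercert.pem / userkey.pem pair grid tools expect, and how to test a
# passphrase before concluding it is lost. The self-signed certificate,
# the passphrase and all paths are constructed fixtures for the demonstration.
set -e

W2=$(mktemp -d)
PASS='correct horse battery staple'   # constructed stand-in for the real passphrase

# Constructed fixture: a self-signed certificate and an unencrypted key.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
  -subj "/DC=org/DC=example/OU=People/CN=Jane Doe 12345" \
  -keyout "$W2/plainkey.pem" -out "$W2/usercert.pem" 2>/dev/null

# Number of private keys in a PEM-style file. Certificate downloads in PEM or
# PKCS#7 form contain none: they are not a backup of your key.
count_private_keys() {
  grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$1" || true
}

# Certificate-only PKCS#7 bundle, the shape of a "download as PKCS7" file.
pem_to_pkcs7() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }

# Recover the PEM certificate(s) from a PKCS#7 bundle; still no key inside.
pkcs7_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# Bundle certificate + key into a passphrase-protected PKCS#12 file, the
# only one of these formats that carries the private key.
make_pkcs12() {   # cert key friendly-name passphrase out.p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
    -passout "pass:$4" -out "$5"
}

# Exit 0 if the passphrase opens the PKCS#12 file (its MAC verifies), else 1.
pkcs12_passphrase_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Split a PKCS#12 file into ~/.globus-style usercert.pem / userkey.pem.
# The key is re-encrypted under the same passphrase (never written in the
# clear) and given the 0600 mode that GSI tools insist on.
pkcs12_to_globus() {   # in.p12 passphrase destdir
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    -out "$3/usercert.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts \
    -passout "pass:$2" -out "$3/userkey.pem" 2>/dev/null
  chmod 644 "$3/usercert.pem"
  chmod 600 "$3/userkey.pem"
}

# Exit 0 if the passphrase decrypts userkey.pem. If this fails there is no
# recovery path: the passphrase never left this machine, so the CA cannot help.
key_passphrase_ok() {
  openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Walk the constructed certificate through the formats.
pem_to_pkcs7 "$W2/usercert.pem" "$W2/usercert.p7b"
pkcs7_to_pem "$W2/usercert.p7b" "$W2/from-p7.pem"
make_pkcs12 "$W2/usercert.pem" "$W2/plainkey.pem" "Jane Doe grid cert" \
  "$PASS" "$W2/user.p12"
pkcs12_to_globus "$W2/user.p12" "$PASS" "$W2/globus"
echo "keys in usercert.pem (PEM download)   : $(count_private_keys "$W2/usercert.pem")"
echo "keys in from-p7.pem  (PKCS7 download) : $(count_private_keys "$W2/from-p7.pem")"
echo "keys in userkey.pem  (from PKCS12)    : $(count_private_keys "$W2/globus/userkey.pem")"
```

On a real machine, `key_passphrase_ok ~/.globus/userkey.pem 'candidate'` is the test to run for each passphrase you think you remember; only when every candidate fails is the compromise procedure the remaining option.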
How do I fix an "expired" certificate that has not actually expired?
When a specific CA is not universally installed in all browsers, as with DigiCert-Grid, any certificates signed by that authority must be accompanied by a valid CA chain file. If a user is certain that she/he has a valid, non-expired certificate and the browser rejects said certificate as "expired," the culprit may be an invalid, expired, or non-existent CA chain. Please check the browser's Authorities certificate list for a DigiCert-Grid entry.
- If this entry does not appear in the list, refer to How to Import a CA Certificate Chain for instructions about how to install it into the browser.
- If it exists but has expired, remove and reinstall it using the instructions also found in How to Import a CA Certificate Chain.
How do I renew a VO membership?
Before a VO membership expires, users should receive an email notification from VO administration. Follow the instructions in this email to view the rules for VO membership and re-sign the AUP form.
If users have deleted, ignored, or not received the notification email and their membership has expired, try this link to go to the VOMS user home (browser may prompt users to make an exception for the cern.ch SSL certificate), scroll down to Your AUP Acceptance Status, and click Request AUP reacceptance. If this fails, users will need to open a trouble ticket (Reporting Problems) in the Grid Services queue (RT-RACF-GridServices@bnl.gov) and ask the Grid group to request that ATLAS reinstate the VO membership on their behalf.
I renewed my certificate, but VOMS complains that it "already exists in the VO database. DN should be unique."
If users have the same DN in their certificate, but the CA has changed (e.g., CERN's CA changed in 2014), they will need to add the new certificate to their existing membership using the same DN and new CA (explained in How to Add Certificates to a VO Membership). If users no longer have their "old" certificate and only have the new certificate with a new DN, they will need to email the VO admins to have the new certificate added or to register the new certificate as a new membership.
I have a new certificate and new VO membership. Why does the VO continue to email me regarding my expiring membership?
Users can obtain a new certificate and request a new VO membership without adding their new certificate to an existing membership. In this case, users will have two (or more) separate membership entities, one tied to each certificate. Thus, users may continue to receive notifications related to the membership tied to their previous certificate(s). If no longer using the older certificate and the user can verify in VOMS that the current membership is valid, these emails can be ignored until the prior membership simply expires.
How do I change my institutional status or expiration date? Or, VOMS claims my institutional membership is about to expire! How do I prevent my VO membership from also expiring?
As ATLAS VO institutional affiliation data are pulled directly from the CERN HR accounts database, users need to address this with CERN. Users can verify their current affiliation on the CERN account management page and contact the CERN Users Office or experiment's secretariat with any questions or concerns.
How do I request roles or membership in a VO group?
Refer to the information for Joining the ATLAS VO.
How do I restore an expired or suspended VO membership?
A VO membership is tied to the CERN user account. If there is an interruption in a user's CERN employment or contract or it expires, it will trigger a suspension of the VO membership. Check with the CERN Users Office to verify that a CERN account and contract are in good order. Once the CERN account has been verified, email the VO admins to request restoration of a VO membership.
How do I address Distributed Data Management (DDM) errors?
Rucio, an ATLAS DDM tool, may report that the Rucio account name or DDM nickname has not been properly set. To address this, before making a DDM request, users should set their nickname as shown in Step 2 of the Grid Resource Guide.
There have been reports of issues with ATLAS DDM and certificate DNs containing email addresses, specifically the '@' character. A certificate may pass all diagnostic checks, yet DDM requests may fail. It may help to obtain a certificate from CERN’s CA and add it to a VO membership for use with DDM.
How do I log into Global Grid User Support (GGUS) if my certificate has expired or changed?
The GGUS support site associates user site privileges with a certificate DN, but it does not check VO membership for a DN entry. Instead, GGUS stores or records the DN locally with the GGUS service. Thus, if the certificate registered with GGUS expires or becomes otherwise invalid, users can log into the site with another certificate DN, but they will lose their account settings and any site privileges associated with their previous DNs. In this case, users should contact GGUS support and ask them to add the new certificate DN to an existing GGUS account or to merge accounts if more than one account is associated with multiple certificate DNs.
Why doesn't my VO membership work with ATLAS Metadata Interface (AMI), Rucio, or another CERN or ATLAS service?
While various services may use VOMS for authentication, VOMS does not control how this authentication is implemented. If a VO membership is current and valid yet users still are having trouble with the AMI service or interface, try the AMI validation page to confirm certificate and service membership. The page also includes instructions, troubleshooting information, and contacts.
Note that the AMI Manager role currently is not in use. If a specialized role for AMI is needed (e.g., to create AMI tags), please contact the AMI group.
If a VO membership does not work with Rucio or its web interface, contact the ATLAS DDM support list for help in adding or mapping a new certificate.
Follow the Troubleshooting steps in the User Guide for Grid Resources page to help debug problems accessing some of these services.
How do I troubleshoot problems while renewing my VO membership?
If users receive strange errors while renewing a VO membership, such as "Your certificate was rejected" or "Error code-12224," review the following:
- Check the certificate in the browser to ensure that the correct certificate is being used and is not expired.
- Check the CA certificates in the browser to ensure they are properly installed (How to Import a CA Certificate Chain) and have not expired.
How do I import or export my certificate or key from Safari and other macOS applications?
Refer to: Certificate and Key Management in macOS.
How is Certificate-Key Management in Windows done?
Refer to: Certificate and Key Management in Windows.
I have multiple certificates from different CAs. How do I add another one to my VO membership?
Refer to: How to Add Certificates to a VO Membership.
How do I mitigate "Certificate already bound!" errors when adding a certificate to VOMS?
Refer to the "Certificate already bound! errors" subsection within How to Add Certificates to a VO Membership.
I requested a certificate and have not received a response, or I need more information about my request. Whom should I contact?
Unfortunately, SDCC is not responsible for the administration of grid certificate requests. Instead, this information is provided to assist users with VO registration and access issues.
Please contact the OSG Operations Center:
- +1 317-278-9699
- goc [at] opensciencegrid.org
- Submit a GOC help ticket
I am still having trouble with my grid certificate. What should I do?
- When renewing an existing certificate: if users do not renew via the same browser used to request the original certificate, the renewal may fail because the new browser has no copy of the previous certificate and its private key. To renew using another browser (or some earlier versions of the same browser), first import the existing certificate from the file system or old browser into the new browser (Installing Your Grid Certificate).
- For problems with obtaining grid certificates after completing an application: contact the OSG Operations Center.
If none of this helps to address a facility-related problem with your grid certificate, open a trouble ticket (Reporting Problems) in the Grid Services queue (RT-RACF-GridServices@bnl.gov) and describe the specific issue.