How to renew an existing grid certificate, before or after it expires.
If you already have a grid certificate that is still valid but about to expire, you can replace it with a new certificate with the exact same DN as your current certificate. Renewing your existing certificate will save you the hassle of having to request a new certificate or re-register for a VO with a new certificate later on.
Transition to CERN CA
US ATLAS has ceased to use OSG-supplied user certificates, in favor of certificates issued by the CERN certificate authority (CA). For more information, please see our certificate CA migration page.
Determining certificate expiration date
You can check when your certificate is due to expire by examining it in your web browser's list of stored certificates, or check a stand-alone x509 certificate with an OpenSSL command:
openssl x509 -in your-certificate-name.pem -noout -enddate
If the certificate is encrypted in pkcs12 format, you'll first need to convert it to PEM before running the above command:
opnssl pkcs12 -in your-pkcs12-certificate-name.p12 -out your-new-pem-certificate.pem
When prompted, enter your import password and PEM passphrase, as required.
Renewing a CERN CA certificate
CERN users wanting to renew a certificate issued by CERN can simply go to the New User Grid Certificate page on the CERN CA site. Create a password to protect the certificate, and click Get Grid User certificate. The result should be a new certificate with the same DN and CA as your previous certificate, thereby effectively renewing your certificate.
Keep in mind that if your certificate is reissued as new or with a different DN than has been registered with your VO membership, you'll need to either add it to your VO membership, or reapply for membership with the new DN.
See our page on installing your certificate to install or replace existing certificate files.
Discard your old certificate
Whether you've renewed an existing certificate or requested a new one, in order to prevent confusion and avoid the possibility of compromising your grid identity, be sure to discard your old certificate and private key files (.pem or .p12 files). Do not mix your old files with your newly-obtained certificate/key pair.
For help with troubleshooting grid certificate renewal issues:
- See the Grid Certificate FAQ for commonly asked questions.
- If all else fails, open a trouble ticket in the Grid Services queue, and describe your issue in as much detail as possible.