New certificates for the new year

The DOEGrid Certificate Authority is about to turn off. Individuals who use DOEGrid certificates to identify themselves on the Internet will soon need to get their certificates from a different place.

If you ever need to securely identify yourself on the Internet, you need to be aware of upcoming changes involving certificates. Both individuals and computers that use certificates to identify themselves to others must take action soon, as the DOEGrid Certificate Authority (CA) is about to turn off. After March 1 it will no longer issue or renew certificates, and so lab users who need new or renewed certificates will need to get them elsewhere. (Note that any existing DOEGrid certificates will remain valid for their full lifetime.)

Most Fermilab users and computers have obtained their certificates from either the Fermilab Kerberos Certificate Authority, which generates short-lived certificates (good up to one week) based on your Fermilab Kerberos account, or the DOEGrid CA, which delivers longer-lived certificates (good up to one year) to both users and computers for a variety of purposes. The turning off of the DOEGrid CA will require users to get their certificates from a different place. The Open Science Grid consortium, which has provided grid infrastructure to the U.S. scientific community for a number of years, has arranged for a commercial certificate provider (DigiCert) to issue certificates. Users will soon be able to get new DigiCert Grid certificates to replace their DOEGrid certs by following the link below. Service providers can get new host certificates in the same manner.

But there are a few additional tasks. First, users will need to tell places that have been accepting their old certificates that they are now using a different certificate. This process will usually be handled by the virtual organization (typically an experimental collaboration like CMS, CDF or DZero), but in some cases the users will need to re-register themselves with some services using their new certs. Service providers will need to modify which user certs they will accept. Finally, both service providers and users will need to add the DigiCert Grid CA to the list of trusted certificate authorities in their Web browsers to prevent annoying messages saying that a service is showing an “untrusted certificate.” In most cases, the latter will be handled by the Deskside Services support group.

Full details about all required actions can be seen on the Fermilab PKI transition Web page.

Irwin Gaines