FAQ Renewing a personal certificate



Q1: When does my personal certificate identity change?

Your certificate identity will change if, for example:

  • you move and get a certificate from a different Certification Authority (CA)
  • your CA changes the format of your certificate Subject (or DN)
  • your CA changes its own (the Issuer) certificate Subject (or DN)

Q2: What happens if my personal certificate is renewed?

If there are no changes to the certificate identity when the certificate is renewed then no action is necessary for your VO membership.
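To tell which case applies after a renewal, you can compare the Subject and Issuer DN of the old and new certificates. The script below is an added example, not part of the original FAQ; it assumes both certificates are available as PEM files and that the `openssl` command is installed, and the function names and sample DNs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the EGI wiki): compare the identity of two PEM
# certificates. Identity here means Subject DN plus Issuer DN, as in Q1.

# Print Subject and Issuer DN of a PEM certificate in RFC 2253 form.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -nameopt RFC2253
}

# Return 0 if both certificates have the same Subject and Issuer DN,
# 1 if either differs, 2 if a file cannot be parsed as a certificate.
same_identity() {
    local old new
    old=$(cert_identity "$1" 2>/dev/null) || return 2
    new=$(cert_identity "$2" 2>/dev/null) || return 2
    [ "$old" = "$new" ]
}

# Constructed sample input: a throwaway self-signed certificate, so its
# Issuer DN equals its Subject DN. Usage: make_sample_cert SUBJECT OUTFILE
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo: a renewal with a new key but the same DN, then a move to another CA
# namespace (all DNs below are constructed).
demo() {
    local d rc
    d=$(mktemp -d) || return 1
    make_sample_cert "/DC=org/DC=example/O=Site A/CN=Jane Doe" "$d/old.pem"
    make_sample_cert "/DC=org/DC=example/O=Site A/CN=Jane Doe" "$d/renewed.pem"
    make_sample_cert "/DC=org/DC=example2/O=Site B/CN=Jane Doe" "$d/moved.pem"
    for new in renewed moved; do
        rc=0
        same_identity "$d/old.pem" "$d/$new.pem" || rc=$?
        case $rc in
            0) echo "$new: identity unchanged, no VO action needed" ;;
            1) echo "$new: identity changed, register the new DN in your VO(s)"
               cert_identity "$d/$new.pem" ;;
            *) echo "$new: could not read certificate" ;;
        esac
    done
    rm -rf "$d"
}
demo
```

With your own files, call `same_identity old.pem new.pem` and check the exit status.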

Q3: What happens if my personal certificate identity changes?

If the identity (the Subject or DN) of your personal certificate changes, you must register the new identity in the VO(s) you are a member of in order to maintain access to the Grid. The correct actions depend on the registration service that the VO uses (VOMS Admin or VOMRS). Information on the type of registration service used can be obtained from the VO ID Card available from the EGI Operations Portal, or by contacting the VO Manager (VO Manager contact information is also available in the VO ID Card).

In case of VOMRS registration service

Instructions

Note: DTEAM VO, ATLAS, ALICE, CMS and LHCb are based on a VOMRS registration service.

In case of VOMS Admin registration service

The actions depend on the VOMS Admin version. To check the version, follow these steps:

  1. Go to the VO ID Card by choosing "search by VO name" and selecting the VO you are interested in. The Operations Portal will bring you to the VO ID Card.
  2. Select "Enrollment Url" and click on it. The link brings you to the VOMS Admin page.
  3. Check the version at the bottom of the page.

If the VOMS Admin version is earlier than 2.5

You have to register again. This process effectively creates a new user in the VO.

With the new certificate loaded in your browser, go to the VO Registration page and submit a new request to join the VO. The VO Admin will then approve (or deny) the new request.

This process is independent of whether the old certificate is still valid. If you had any Roles or belonged to any Groups, those have to be re-created for the new registration by the VO manager. After the new registration is complete and any Roles have been reassigned, you should ask the VO manager to delete the old entry from the VO (there is no need to maintain entries that are no longer valid). If you are the VO Administrator, you will have to ask the VOMS_Server system administrator to reassign the VO-Admin Role. You can try to approve your new entry with the old certificate loaded in your browser, while it is still valid, and assign the VO-Admin Role to your (new) self.

If the VOMS Admin version is 2.5 or later

Instructions are provided in the VOMS Admin User Guide (follow the path Documentation -> User Guide -> Requesting the addition of a new certificate to the membership) [Instructions for VOMS Admin 2.6.1]
