Fermilab Computing Division

How to get a certificate

How do I get a certificate?

We provide instructions for requesting certificates from both Kerberos and DOEGrids CAs, and for both personal and host/service certificates:

Once you get your certificate, read "I have one, now what do I do with it?".

How do I renew my certificate?

KCA Personal Certificate
It's not really a question of renewing the same certificate, but rather of getting a new one. To get a new one, follow the same instructions as for your initial certificate. First authenticate to Kerberos. If you created a shortcut to the "get-cert" command, it's quick and easy: on Windows, for example, just click on your shortcut and enter your password. On Linux, run get-cert-sh -i; on a Mac, run kx509, kxlist, and openssl.
DOEGrids Personal Certificate
See "How to Renew a DOEGrids Personal Certificate".
DOEGrids Host/Service Certificate
Currently host/service certificates are not renewable. The easiest way to get a new one when the old one expires is to take the saved original certificate request file (the .req or .REQ file made by OpenSSL) and use it again to request a new host/service certificate.

How do I revoke my certificate?

For a KCA certificate: No mechanism exists at this time. Since a KCA certificate is short-lived (at most 7 days), it was decided that renewal was unnecessary. The KCA has a Certificate Revocation List (CRL) so that applications which need to find a CRL have one to reference, but the CRL is empty.

For a DOEGrids personal certificate: Go to the User Certificate Revocation page and follow the instructions. You can reach the same page from https://pki1.doegrids.org/ by selecting the Revocation tab.

For a DOEGrids host/service certificate: Open a helpdesk ticket requesting that the RA (resident agent) revoke it. Provide identifying information for the certificate, e.g., the subject DN and validity dates.

In addition, FNAL may issue a revocation of a DOEGrids certificate if a user is no longer associated with Fermilab and was issued a certificate through a Fermilab-operated VO, or if their FNAL.GOV email address is no longer valid for an issued certificate.
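
An added example (not Fermilab's own tooling) for the host/service cases above: before using the saved .req file again, check with OpenSSL that it still matches the private key on the host and the expiring certificate, and print the subject DN and validity dates that a revocation ticket asks for. The file names and the host.example.test subject are constructed placeholders. A certificate issued from the reused request carries the same key pair as the old one, so the check only makes sense while that private key is still held on the host.

```shell
#!/bin/sh
# Added example; host.key, host.req and host.pem are placeholder file names.

# SHA-256 of the public key held in a request (req), certificate (x509) or private key (pkey).
pubkey_hash() {   # $1 = kind, $2 = file
    case "$1" in
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the saved request is intact, matches the private key still
# on the host, and carries the same key as the expiring certificate.
check_saved_request() {   # $1 = .req file, $2 = private key, $3 = old certificate
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "request is unreadable or its self-signature is invalid"; return 1; }
    want=$(pubkey_hash req "$1")
    [ "$want" = "$(pubkey_hash pkey "$2")" ] \
        || { echo "request does not match the private key"; return 1; }
    [ "$want" = "$(pubkey_hash x509 "$3")" ] \
        || { echo "request key differs from the old certificate"; return 1; }
    echo "ok"
}

# Subject DN and validity dates: the identifying details for a revocation ticket.
cert_identity() { openssl x509 -in "$1" -noout -subject -dates; }

# Exit 0 if the certificate expires within $2 days (time to request a new one).
expires_within_days() { ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Constructed sample material (key, request, 7-day self-signed certificate) for a dry run.
make_sample() {   # $1 = directory
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$1/host.key" -out "$1/host.req" 2>/dev/null &&
    openssl x509 -req -in "$1/host.req" -signkey "$1/host.key" -days 7 \
        -out "$1/host.pem" 2>/dev/null
}

# Dry run on the constructed files; point the functions at real files instead.
dir=$(mktemp -d) && make_sample "$dir" &&
    check_saved_request "$dir/host.req" "$dir/host.key" "$dir/host.pem" &&
    cert_identity "$dir/host.pem"
rm -rf "$dir"
```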

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)