Certificate Renewal Process for Agents / RAs
Requesting/Renewing your agent certificate
- You should receive a renewal notice from the CA about 30 days before expiration.
- You must send an S/MIME signed email to Mike (helm@es.net) and Dhiva (dhiva@es.net).
- Attach to your email a Base64 (PEM) copy of the renewed certificate.
- You must sign the email with either your present or renewed certificate.
- You must use the template provided in Section A.3.3 of the DOEGrids CP/CPS.
Policies that relate to your Agent Certificate:
CA/CMS policy:
- The agent role is tied to a particular certificate (see below).
- Subscription model for agents: provides evidence that you want this agent role to continue, and with what certificate.
- Agents can delegate the right to act in the role of agents to other certificates that they own themselves (that are bound to their identity). They cannot delegate that right to a different person without going through the formal approval process.
- This renewal process demonstrates to a reasonable certainty that you still possess the original private key and that you are in control of the renewal process and renewed certificate. Signing the account update/renewal request gives us a simple demonstration of this and the links to the appropriate operations in the service.
ESnet CA managers' responsibilities
- ESnet CA managers will verify that the enclosed certificate is appropriate for the intended task, including its link to the identity of the agent.
- The ESnet CA managers may, at their discretion, verify this renewal request by other means.
Nota Bene:
- The agent role binds an agent account to a particular certificate (serial number and key pair), or set of certificates. Renewal of a certificate in the CMS product does not automatically entitle the renewed certificate to continue in the role of agent.
- Renewed certificates are not valid until the moment of expiration of the original certificate. The CMS product does not allow us to add invalid (including not-yet-valid) certificates to agent accounts. Agents should expect an outage at the cross-over time, and are encouraged to contact ESnet CA management to make sure the new certificate is installed promptly.
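
A check an agent could run ahead of the cross-over, as an added example (not ESnet or DOEGrids tooling): it parses the output of `openssl x509 -noout -subject -serial -dates` for the original and renewed certificates and reports whether the renewed one can be added to the agent account yet and when the cross-over falls. The certificate values are constructed, and requiring an identical subject is an assumption about how the link to the agent's identity is checked.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample output of: openssl x509 -noout -subject -serial -dates
ORIGINAL = """subject=DC = example, OU = People, CN = Example Agent
serial=0A1B
notBefore=Mar  1 12:00:00 2005 GMT
notAfter=Mar  1 12:00:00 2006 GMT"""
RENEWED = """subject=DC = example, OU = People, CN = Example Agent
serial=0C2D
notBefore=Mar  1 12:00:00 2006 GMT
notAfter=Mar  1 12:00:00 2007 GMT"""

def parse_summary(text):
    """Turn 'key=value' lines into a dict; validity bounds become UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    for key in ("notBefore", "notAfter"):
        stamp = " ".join(fields[key].split())  # collapse the padded day field
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        fields[key] = parsed.replace(tzinfo=timezone.utc)
    return fields

def renewal_status(original, renewed, now):
    """Check the renewed certificate against the two Nota Bene points."""
    problems = []
    if renewed["subject"] != original["subject"]:  # assumption: same DN required
        problems.append("subject differs from the original certificate")
    if renewed["serial"] == original["serial"]:
        problems.append("same serial number: not a renewed certificate")
    if renewed["notAfter"] <= original["notAfter"]:
        problems.append("renewed certificate does not extend validity")
    return {
        "problems": problems,
        # A not-yet-valid (or expired) certificate cannot be added to the account.
        "addable_now": renewed["notBefore"] <= now <= renewed["notAfter"],
        "original_valid_now": original["notBefore"] <= now <= original["notAfter"],
        # Earliest moment the CA managers can install the renewed certificate.
        "crossover": renewed["notBefore"],
        # Time during which neither certificate is valid, before any install delay.
        "gap": max(renewed["notBefore"] - original["notAfter"], timedelta(0)),
    }

if __name__ == "__main__":
    now = datetime(2006, 2, 15, tzinfo=timezone.utc)  # constructed "today"
    for name, value in renewal_status(parse_summary(ORIGINAL), parse_summary(RENEWED), now).items():
        print(f"{name}: {value}")
```

With the constructed dates, the renewed certificate is not addable on 15 February and becomes addable only at the cross-over, which is the moment to contact the CA managers.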