DOEGrids Certificate Service

How to Request Certificates
Policy Management Authority
Certificate Service
Directory Service
Research and Development
CA Certificates
Certificate Request Workflow
EDG Testbed 1 requirements
Frequently Asked Questions
Send Info Request

Certificate Renewal Process for

Registration Authorities and Agents

Requesting/Renewing your agent certificate

  1. You should receive a renewal notice from the CA about 30 days before expiration.
  2. You must send an S/MIME signed email to
  3. Attach to your email a base 64 (PEM) copy of the renewed certificate
  4. You must sign the email with either your present or renewed certificate
  5. You must use the template provided in Section A.3.3 from DOEGrids CP/CPS.

Policies that relate to your Agent Certificate:

CA/CMS policy:

  1. The agent role is tied to a particular certificate (see below).
  2. Subscription model for agents: provides evidence that you want this agent role to continue, and with what certificate.
  3. Agents can delegate the right to act in the role of agents to other certificates that they own themselves (that are bound to their identity). They cannot delegate that right to a different person, without going through the formal approval process.
  4. This renewal process demonstrates to a reasonable certainty that you still possess the original private key and that you are in control of the renewal process and renewed certificate. Signing the account update/renewal request gives us a simple demonstration of this and the links to the appropriate operations in the service.

ESnet CA managers responsibilities

  1. ESnet CA managers will verify that the enclosed certificate is appropriate for the intended task, including its link to the identity of the agent.
  2. The ESnet CA managers may, at their discretion, verify this renewal request by other means.

Nota Bene:

  1. The agent role binds an agent account to a particular certificate (serial number and key pair), or set of certificates. Renewal of a certificate in the CMS product does not automatically entitle the renewed certificate to continue in the role of agent.
  2. Renewed certificates are not valid until the moment of expiration of the original certificate. The CMS product does not allow us to add invalid (including not-yet-valid) certificates to agent accounts. Agents should expect an outage at the cross-over time, and are encouraged to contact ESnet CA management to make sure the new certificate is installed promptly.

$Id: AgentRequest.html,v 1.5 2010/07/19 22:53:43 helm Exp $

DOE MICS ESnet DOEGrids Web Site