Frequently Asked Questions
How do I renew my Agent certificate?
Go to the
Agent Renewal link and follow the instructions on
How do I stop certificate renewal notices?
The notices continue until the certificate expiration date.
You have to revoke old certificates to end notifications;
either your RA can do that for you, or you can do it yourself
if you set up a challenge password for the certificate.
Can I request a
certificate for myself using grid-cert-request?
No. Personal certificates must be
requested using a web browser by going to DOEGrids
No. Currently there is no email
gateway into the request process. You must use the web by going
to DOEGrids Certificate service.
No. The pass phrase securing your
private key is only stored/managed by you. You must revoke your
certificate and submit a new request. Go to the revoke link on
the right to revoke your certificate and the
to request a new certificate.
The name space assigned by the DOEGrids PMA is designed to be
organizationally/site neutral to allow support to a number of
Virtual Organizations. The structure of the Name does not
imply any authorization information. No other name space will be
signed by DOEGrids or its Registration Authorities.
My favorite web browser is
XXXX. Why don't you support it?
A number of browsers and systems have been tested, but we
cannot cover all. The following table summarizes our
Mozilla/Firefox family Browser
Usable on Mac OS
Not Usable on Windows
Usable on Linux, but requires developer mode enabled
I am not a part of the
Virtual Organizations listed on the Home page, can I have a
Only members of participating Virtual Organizations may be
issued a Certificate; all other requests will be rejected.
DOEGrids is supporting Virtual Organizations that are a part of
the Department of Energy or work with DOE. If you think
your VO would like to join DOEGrids, please send an information
request. There is a link for Info requests in the bar to your
I am part of a Virtual Organization listed on the Home page but
there is no sponsor listed for my institution/Site. What should
Please email the POC listed for your
Virtual Organization and explain in detail who you are and
why you think there should be a sponsor from your institution.
He/she will work with you to handle your certificate
requirements or help set up an institutional/site agent for you.
How do I revoke my certificate?
Go to the
revoke link on the right bar and follow the instructions on
I am a DOEGrids agent, how do I revoke a
certificate I issued?
As a DOEGrids Registration Authority Agent, you have the
access and ability to revoke any certificate issued by DOEGrids.
You must be careful to select the correct certificate before
revoking it. Please follow these steps:
Click on "Search for certificates"
Enter part of the Common name field
Look carefully at the list returned & pick out the right one.
Click on "Revoke", and fill in the reason
How do I request an SSL Server Certificate for an Apache web server?
Please download the 'doegrids.tar' file from
Untar the distribution into the /tmp directory.
Make sure OpenSSL is really installed and in your PATH.
Create a Certificate Signing Request (CSR) with the server RSA
private key (output will be PEM formatted):
$ openssl req -newkey rsa:1024 -keyout server.key -keyform PEM -out server.csr -config /tmp/doegrids/globus-host-ssl.conf.1c3f2ca8
Make sure you enter the
FQDN ("Fully Qualified Domain Name") of the server when
OpenSSL prompts you for the "CommonName", i.e. when you
generate a CSR for a website which will be later accessed via
www.foo.com here. You
can see the details of this CSR via the command
$ openssl req -in server.csr -noout -text
Please refer to
http://httpd.apache.org/docs-2.0/ssl_faq.html for more
file has all the necessary changes to generate an SSL Server certificate request,
which is in compliance
with DOEGrids CA policy.
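A pre-submission check for the CSR produced by the steps above, as an added example that is not part of the original FAQ or any DOEGrids tooling. It confirms the self-signature, compares the subject CN with the server's FQDN, and reads the key size from the same "openssl req -text" output. The function names, the throwaway www.foo.com sample and the 2048-bit default floor are assumptions of this example, not DOEGrids policy.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before submitting it (not DOEGrids code).
# check_csr FILE FQDN [MIN_BITS]
#   returns 0 = ok, 1 = bad self-signature, 2 = CN mismatch, 3 = key too small
check_csr() {
    csr=$1 fqdn=$2 min_bits=${3:-2048}   # 2048 floor is this example's assumption

    # Proof of possession: the CSR must be signed by its own private key.
    # Match on the message, since older OpenSSL exits 0 even on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "self-signature does not verify"; return 1; }

    # The subject CN must equal the name clients will connect to.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || { echo "CN '$cn' != '$fqdn'"; return 2; }

    # Key size as printed by "openssl req -text".
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] || { echo "key is ${bits:-?} bits"; return 3; }

    echo "ok: CN=$cn, $bits-bit key"
}

# Constructed sample: throwaway key and CSR for www.foo.com in a temp dir.
make_sample_csr() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.conf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.foo.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -config "$dir/req.conf" 2>/dev/null || return 1
    echo "$dir/server.csr"
}

sample=$(make_sample_csr) && check_csr "$sample" www.foo.com
```

To check a CSR generated with the command in this FAQ, call check_csr server.csr with the server's FQDN; a 1024-bit key will be reported unless a lower floor is passed as the third argument.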
Add or Update DOEGrids CA certificates
You must install the CA chain, whether or not you have done so in the past.
Import both CA certificates
https://www.tacar.org/cert/install/61 (ESnet root CA)
https://www.tacar.org/cert/install/41 (DOEGrids CA)
Edit both certificates and mark them as trusted
Restart your browser
Why must this be done?
Most browsers require the DOEGrids CA chain of certificates be in place before your personal DOEGrids
certificate can be installed, updated or used. The DOEGrids CA certificate has also been changed
recently (lifetime extended, attributes added for CERN interoperability).
Some browsers do not require this exact sequence of steps. If you are confident you know what you
are doing (or know better procedures), act appropriately. However, the changes in these certificates
will not be important for several months and the consequent errors are obscure. This is a generic
set of instructions that should work with all browsers.
Usually, only the installation of the ESnet root CA certificate is mandatory. However, there are still some
circumstances where all elements of the chain are required.
Some browsers may complain that you are reinstalling one or more already-installed certificates. It's best
to ignore this error and continue through the rest of the instructions in order to make sure
the CA certificates are properly enabled.
"Marking a CA certificate as trusted" varies by browser, revision, and platform, and even
the meaning and range of the trust settings vary considerably between browsers. In some cases, the browser will ask you
for a trust decision on install; in other cases, you have to complete this as a separate step.
In Firefox, CA certificates can be found
by navigating "Tools->Options->Advanced tab->View Certificates->Authorities"; then search for the certificate
in the list and use the "Edit" tab to change trust settings. In IE, navigate "Tools->Internet Options->Content->Certificates";
CA certificates will be found in both Trusted Root Certification Authorities and Intermediate Certification Authorities.
Editing is available with the Advanced tab.
Usually, only the ESnet root CA certificate needs to be marked as trusted. However, there may exist some
circumstances where all elements of the chain need to be trusted, or have different trust choices selected.
"Secure Connection Failed" error with error code: ssl_error_renegotiation_not_allowed. What should I do?
This error message is caused by a new feature of Firefox 4 and above. The server is (currently) unfixable; here is a browser fix.
Change the browser configuration; enter 'about:config' in the address bar (location or URL bar)
Respond to the warning message: confirm that 'I'll be careful'
Scroll down the list and look for 'security.ssl.renego_unrestricted_hosts'
Double click this entry and provide 'pki1.doegrids.org' in the popup text box.
This should fix the problem.
Another solution: follow the reference below which opens up 'ssl_renegotiation' to every host. Complete your renewal and then turn the ssl_renegotiation feature back off.
"noCert" error with Firefox/Mozilla browser during the renewal/replacement.
What should I do?
The renewal/replacement certificate interface relies on SSL client certificate authentication. This error message means that the user is using a browser that doesn't have a valid DOEGrids certificate and its key installed. This error is also caused by not having the DOEGrids CA chain installed as a trusted CA in the browser.