OSG PKI Certificate Renewal

Introduction

This document explains the OSG PKI certificate renewal process: how a user obtains a new certificate for the same DN, with a new expiration date and a new key pair.

Supported Modes of Renewal

  • Users may request renewal of their own user certificate via either a new CLI script or the web (OIM).
    • RAs may not request renewal of a user's certificate.
  • User must have valid certificate and be registered with OIM.
    • No guest/un-authenticated renewal.
  • If renewal cannot be accomplished for any reason, the user must re-request and go through the vetting process again.
  • Renewal can only be done if the vetting is less than 5 years old.
  • The user's current email address in OIM must match the email address in their certificate.
    • To comply with policy on unchanged attributes.

Certificate Lifecycle

  • Months 1-6: Certificate cannot be renewed.
    • To prevent multiple accidental renewals.
    • Note that OIM-ITB (the integration test instance) does not enforce this restriction, to allow for testing.
  • Months 7-12: Certificate can be renewed.
  • Month 13 (the final month before expiration):
    • Weekly email notifications are sent to the certificate owner reminding them to renew.
      • Once renewed, notifications stop.
    • For host certificates, a single email notification is sent to the original requestor.
  • End of month 13: Certificate expires and can no longer be renewed.

Note that, by policy, user vetting is required every 5 years, and renewal is only possible if the user has been vetted in the past 5 years.

Notification

  • Starting one month before expiration, weekly reminders are sent to the user.
    • Or, for host certificates, to the original requestor (see Certificate Lifecycle above).
  • On renewal, an email is sent to the user and relevant RAs/GAs notifying them of the renewal and asking them to contact the GOC if the renewal is unauthorized.
    • Required by policy.
    • An example of an unauthorized renewal would be a user who has left a VO.
  • The following is an example of a renewal email notification.

cert_renew_email.png

OIM Certificate Renewal Page

  • User can access the certificate renewal page in OIM by clicking on the link provided at the bottom of the email notification.
  • The user will be taken to the OIM certificate renewal page. The following is an example of the page.

cert_renew_web.png

  • The user will need to select the 'I Agree' checkbox and click 'Next'.

  • The user will need to enter a new password twice (this password protects the private key in the PKCS12 file they download) before clicking the green 'Renew' button in the 'Next Action' section at the bottom.

cert_renew_passwd.png

  • The page will refresh and the user will then be able to download their new certificate (PKCS12 file).

cert_renew_download.png

  • The last step for the user is to click the blue 'Download Certificate & Private Key (PKCS12)' button and select a location to save the file. The PKCS12 file contains the private key as well as the certificate, so it should be saved where only the user can read it.
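A renewed certificate, as this page describes it, keeps the subject DN, gets a fresh key pair, expires later than the certificate it replaces, and must still carry the email address registered in OIM. The following script is an added example (not part of the OSG documentation or OIM) that checks those four properties with openssl after the PKCS12 has been downloaded and its certificate extracted. The two test certificates, the subject DN, the email address and the file names are constructed for the example; the expiry comparison assumes GNU date.

```shell
#!/bin/sh
# Added example, not part of the OSG documentation: confirm that a renewed
# certificate is a renewal in the sense the page describes (same subject DN,
# new key pair, later expiry) and that its email still matches the OIM record.
# The OIM email and both certificates below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the old and the renewed certificate.  Real OSG
# certificates would be extracted from the downloaded PKCS12, for example with
# "openssl pkcs12 -in usercert.p12 -clcerts -nokeys -out usercert.pem".
make_cert() {  # $1 = file basename, $2 = validity in days
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/DC=org/DC=opensciencegrid/O=OSG/OU=People/CN=Jane Doe 1234" \
    -addext "subjectAltName=email:jane.doe@example.edu" >/dev/null 2>&1
}
make_cert old 30    # close to expiry
make_cert new 395   # fresh 13-month certificate with a new key pair

# Subject DN in RFC 2253 form, so spacing and ordering differences do not matter.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
# SHA-256 over the DER-encoded public key: a renewal must produce a different value.
pubkey_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
# notAfter as a Unix timestamp (assumes GNU date, which understands the openssl format).
expiry_epoch() {
  date -u -d "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')" +%s
}
# First email address in the subjectAltName extension.
san_email() { openssl x509 -in "$1" -noout -text | grep -o 'email:[^, ]*' | head -n1 | cut -d: -f2; }

# check_renewal OLD.pem NEW.pem OIM_EMAIL -> returns 0 only if every check passes
check_renewal() {
  old=$1; new=$2; oim_email=$3; rc=0
  [ "$(subject_of "$old")" = "$(subject_of "$new")" ] \
    || { echo "FAIL: subject DN changed"; rc=1; }
  [ "$(pubkey_sha256 "$old")" != "$(pubkey_sha256 "$new")" ] \
    || { echo "FAIL: renewed certificate reuses the old key pair"; rc=1; }
  [ "$(expiry_epoch "$new")" -gt "$(expiry_epoch "$old")" ] \
    || { echo "FAIL: renewed certificate does not expire later than the old one"; rc=1; }
  [ "$(san_email "$new")" = "$oim_email" ] \
    || { echo "FAIL: certificate email '$(san_email "$new")' does not match OIM email '$oim_email'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $new is a valid renewal of $old"
  return "$rc"
}

check_renewal "$WORK/old.pem" "$WORK/new.pem" jane.doe@example.edu
```

The email check mirrors the OIM rule above that the registered address must match the one in the certificate; a mismatch is the most common reason a renewal request is refused and the user is sent back through vetting.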

Relevant Policies

The policy governing renewal follows. In short, a certificate can be renewed automatically if it has not expired, the subscriber name and attributes are unchanged, the private key has not been compromised, and less than 5 years have passed since manual RA vetting.

Note the final clause below: the subscriber must be notified by email when the certificate is renewed.

Relevant portions of Section 4.6 of the RPS:

The OSG Operator may renew a certificate if:

  1. the associated public key has not reached the end of its validity period,
  2. the Subscriber name and attributes are unchanged,
  3. the associated private key remains uncompromised, and
  4. re-verification of the Subscriber’s identity is not required under Section 3.3.1.

Section 3.3.1 says: "OSG certificates have a validity period of 13 months. OSG may rekey/renew certificates prior to their expiration date for additional 13 month periods up to a maximum of five years. OSG or a Trusted Agent revalidates the certificate information at least once every five years."

No additional verification is required if the certificate subject information has not changed and less than five years have passed since the certificate’s information was verified. A Trusted Agent must represent that the renewal request is authorized.

The OSG Operator shall use contact information provided by the Subscriber to notify the Subscriber of the certificate’s issuance.

-- AlainDeximo - 20 Nov 2013

Topic revision: r5 - 16 May 2016 - 16:22:34 - NehaSharma