This site requires JavaScript to be enabled


The Fermilab KCA service reached its end-of-life on Sept. 30, 2016. After this date, Computing will support this service on a best-effort basis until Jan. 31, 2017, when the KCA service will be turned off.  With the exception of DocDB, there should not be any Fermilab websites, applications or services that currently require a KCA certificate for access. Computing is in the process of transitioning DocDB off of KCA certificates.

If you notice that any of the Fermilab websites, applications or services you use (except DocDB) still require a KCA certificate, submit a Service Desk ticket so they can be transitioned to a different form of authentication as soon as possible.


How to get a personal OSG certificate as a Fermilab staff or user 

If you need to renew a personal OSG certficate before it expires, please go to How to Renew an OSG Personal Certificate.

Basic Requirements

Before you get your OSG PKI Personal Certificate

Before starting, determine which Virtual Organization (VO) and sponsor to choose. The approval process depends on what your VO affiliation is, and in some cases, for what purpose you plan to use the certificate. Once you get a certificate, you can of course use it for any purpose.   Selecting the VO is dependent on several factors. Major experiments such as CDF, D0, CMS and LBNE have their own VOs while other Fermilab-based experiments are handled as Fermilab/<experiment> subsidiary VOs.  Finally, Fermilab is available as its own VO primarily for Fermilab staff and users without any other VO affiliation.  If you need further information in selecting a VO go to Which VO should I choose for more information to help you in choosing which VO to select.

Note that an OSG certificate is valid for one year. You will receive email notification from OSG prior to certificate expiration so that you can renew it.

How to request an OSG certificate


Get your certificate and import it into your browser

You will receive an email message from OSG PKI stating whether your request was approved or denied. If you don't get this email message within 24 hours, call the Service Desk at (630) 840-2345 (Service Desk Office Hours). They will need the request number in order to follow up (you will receive a Ticket Creation Notification from the OSG which contains the request number).  Instructions on importing your certificate into various browsers and mail clients can be found in How to import and export personal and CA certificates.


Using Globus tools for submitting grid jobs from Linux/UNIX

If you will be using Globus tools to run grid jobs from a Linux or other UNIX machines, you need to get a proxy certificate. To do so, your certificate and user key need to be in PEM format. To convert them from their original PKCS#12 format to PEM:


Which Virtual Organization (VO) should I choose?

You can see a list of all the VOs by going to the OSG Virtual Organizations page. Clicking on a VO in this list will take you to a page with more details on that VO. Typically, if you are part of an experiment, you will likely want to select your experiment's VO as your sponsoring VO. If your VO appears in the list of VOs at, then select "Fermilab" from the pull down menu.

Authored by Fang Wang
Last modified 6 months ago