This site requires JavaScript to be enabled
Knowledge Home|Create Incident|Print
How To > How to get a personal OSG certificate as a Fermilab staff or user
How to get a personal OSG certificate as a Fermilab staff or user
Article: KB0010815 Published: 2013-01-22 Last modified: 2017-06-28


The Fermilab KCA service reached its end-of-life on Sept. 30, 2016. After this date, Computing will support this service on a best-effort basis until Jan. 31, 2017, when the KCA service will be turned off.  With the exception of DocDB, there should not be any Fermilab websites, applications or services that currently require a KCA certificate for access. Computing is in the process of transitioning DocDB off of KCA certificates.

If you notice that any of the Fermilab websites, applications or services you use (except DocDB) still require a KCA certificate, submit a Service Desk ticket so they can be transitioned to a different form of authentication as soon as possible.


How to get a personal OSG certificate as a Fermilab staff or user 

If you need to renew a personal OSG certficate before it expires, please go to How to Renew an OSG Personal Certificate.

Basic Requirements

  • The latest version of all major browsers (SeaMonkey, Firefox, Internet Explorer, Chrome and Safari) are supported.

  • One exception to the above is that Internet Explorer 8 is supported in IE9 compatibility mode.

Before you get your OSG PKI Personal Certificate

Before starting, determine which Virtual Organization (VO) and sponsor to choose. The approval process depends on what your VO affiliation is, and in some cases, for what purpose you plan to use the certificate. Once you get a certificate, you can of course use it for any purpose.   Selecting the VO is dependent on several factors. Major experiments such as CDF, D0, CMS and LBNE have their own VOs while other Fermilab-based experiments are handled as Fermilab/<experiment> subsidiary VOs.  Finally, Fermilab is available as its own VO primarily for Fermilab staff and users without any other VO affiliation.  If you need further information in selecting a VO go to Which VO should I choose for more information to help you in choosing which VO to select.

  • Fermilab employees, visitors, and contractors are eligible to get OSG PKI certificates under the auspices of Fermilab as long as they have a valid Fermilab ID. Fermilab users (other than CDF, D0, CMS and LBNE as discussed above) are asked to choose Fermilab as their VO, and their supervisor as their sponsor.

  • Everyone needs to install the OSG CA (Certificate Authority) certificates into your browser. This will happen automatically when you retrieve your certificate as a package (an encrypted PKCS12 file) with multiple parts. This package will include your individual certificate as well as the two necessary OSG CA certificates.  However you can also find instructions at Trusting Certificates and CA Certificate Downloads.

Note that an OSG certificate is valid for one year. You will receive email notification from OSG prior to certificate expiration so that you can renew it.

How to request an OSG certificate

  • You will fill out the form at OIM User Certificate Request to request a personal certificate from the OSG PKI.   The Getting a User Certificate via Web interface page contains instructions on how to fill out the OIM User Certificate Request form. Please review this documentation before proceeding. (Note: When accessing OSG documentation, the OSG TWiki will check for certificates.  You may see a certificate selection dialog box appear. If so, you can safely click the "Cancel" button to dismiss the dialog since all the documentation is world readable.)  The OSG PKI Documentation Index is a catalog of the PKI related documentation pages at the OSG site.

  • Go to the OIM User Certificate Request form. If you have a KCA or another personal certificate loaded, you may receive a dialog box to select a certificate.  You can safely click the "Cancel" button for any certificate selection dialog.  If you do not see the User Certificate Request web form, you can click "Request New" under the "User Certificates" menu on the left side of the page.  Please note the following when using this site and filling out the form

    • If you got a certficate-selection dialog box when entering the OIM site and you selected a certificate (i.e., either your KCA or personal DOEGrids certificate) and clicked OK rather than Cancel, then you must take care to make the same certificate selection when you go to the site to retrieve your certificate by clicking on the link in the email you will receive from the OSG.
    • Optionally you can check the box labelled Use OSG TWiki if you wish to post to the OSG Wiki. Usually this is not necessary.

    • Choose a password: You must choose a password (to be entered twice) as this will be needed when you retrieve your certificate to decode the PKCS#12 package containing your personal certificate, private key and the CA certificates to be imported into your browser.

      • Remeber the password you select, without it you will not be able to retrieve your certificate from the OSG nor will you be able to decrypt the PKCS#12 package after you have downloaded it.
    • Sponsor: If you are not sure which VO to choose, you can always select the generic Fermilab VO as a Fermilab staff or user.

    • You must read the OSG Policy Agreement.  Pay particular attention to the items in Section 1 of this document.  You then must click "I AGREE" before you can proceed.

  • OSG will return your certificate in a package (called a PKCS#12 file usually with extension .p12) which will include your personal certificate, your private key (your public key is in your certificate) and the CA certificates for the OSG CA that issued your certificate. You will likely want to keep this .p12 file in order to import your certificate into other browers and/or mail clients on this or other systems. You can also find, in what follows, information on exporting your certificate and private key in case you misplace the .p12 file or choose not to save it.  If you do save the .p12 file, please secure it properly since it contains sensitive information (your private key).  Primarily this means to avoid network-accessible storage (such as shared Windows volumes) and to change the permissions on the file so other users cannot access the file.  Offline storage, such as a USB Flash Drive, is preferred.


Get your certificate and import it into your browser

You will receive an email message from OSG PKI stating whether your request was approved or denied. If you don't get this email message within 24 hours, call the Service Desk at (630) 840-2345 (Service Desk Office Hours). They will need the request number in order to follow up (you will receive a Ticket Creation Notification from the OSG which contains the request number).  Instructions on importing your certificate into various browsers and mail clients can be found in How to import and export personal and CA certificates.


  • If you are using SeaMonkey or Firefox and have set a Master Password on your Software Security Device (the password and certificate database), a dialog box requesting the Master Password may appear. If so, enter the password to permit the importation of the certificate.

  • To export your certificate, go to How to Import and Export (Backup) a Personal Certificate into and from Applications .  You need to export your certificate for re-importation to other browsers and other machines you use.  This is also a way to backup and save your certificate. But remember that the PKCS#12 package contains sensitive information (your private key) and should be stored in a secure manner.

Using Globus tools for submitting grid jobs from Linux/UNIX

If you will be using Globus tools to run grid jobs from a Linux or other UNIX machines, you need to get a proxy certificate. To do so, your certificate and user key need to be in PEM format. To convert them from their original PKCS#12 format to PEM:

  • Export your certificate from your browser.

  • Convert the certificate using the openssl command as shown (use your actual .pl2 certificate filename with no angle brackets; use the output name usercert.pem as shown):
    openssl pkcs12 -in <YourCert>.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
  • To get the encrypted private key (again use your actual .pl2 certificate filename; use the output name userkey.pem as shown):
    openssl pkcs12 -in <YourCert>.p12 -nocerts -out $HOME/.globus/userkey.pem

  • You must set the mode on your userkey.pem file to read/write only by the owner, otherwise grid-proxy-init will not use it (use the command chmod go-rw $HOME/.globus/userkey.pem )


Which Virtual Organization (VO) should I choose?

You can see a list of all the VOs by going to the OSG Virtual Organizations page. Clicking on a VO in this list will take you to a page with more details on that VO. Typically, if you are part of an experiment, you will likely want to select your experiment's VO as your sponsoring VO. If your VO appears in the list of VOs at, then select "Fermilab" from the pull down menu.

Was this helpful?
Rate this article