[DESY Home] [DESY IT Home] [DESY IT Physics Computing] [Grid Computing at DESY] [DESY Computing Seminar] [Imprint]

Grid Computing at DESY DESY

[Home] [Mon/Admin] [Grid@DESY] [Certs & VOs] [VOMS] [CVMFS] [User Guide] [Install Guide] [Notes] [Talks & Posters] [Glossary] [Documentation] [Links]

In order to ensure response in case of problems, use the Global Grid User Support (GGUS) and/or your VO support rather than private e-mail contacts or internal mailing lists.

Grid Certificates and VO Membership at DESY

FAQ (Frequently Asked Questions)


2017-05-23: Repeating requests

Please do NOT send copies of your passport and/or ID card around.
Identification of users is carried out by the group admins who are supposed to authorize requests of their group members by checking ID cards and denoting the last digits of the ID number on the registration form (see below).

2016-09-18: Repeating requests

Please do not repeat the request unless you are asked for and the reason for a failure is clarified.
A second request will overwrite the privat key of the first request which leads to a mismatch of the public key you receive from GridKa.

2016-09-06: Renewal of Grid user certificates

Form the technical point of view, renewed and new certificates are similar. With the only difference that the portal can use some user information from the old certificate. This only works if this one is still valid though.
If the old certificate has expired, it must be removed from the browser first before the portal is invoked.
The formal procedure (identity form) is NOT necessary again. Just go head.
Please do not forget to pick up your new cert! You will get an e-mail on how to do this.

2016-03-08: Chrome >=49.x

GridKa found that certificate requests with Chrome 49.x and up fail with the standard settings. There is a work around described in the GridKa FAQ Chrome 48.x and below do work.
Please consider to use other browsers, e.g. firefox.

2014-03-01: SHA2-512

Starting March, 1st, 2014, GridKa signs certificates with the new SHA2-512 algorithm as strongly recommended by EuGridPMA resp. IGTF (refer to SHA1 Risk) This method is much more secure than the former SHA1. The changes are transparent to the users since the EGI Grid infrastructure supports SHA2-512 certificates. Please note: The obsolete VOMRS service is not able to handle SHA2-512 certificates!

General Introduction

On order to access global Grid resources, users must hold a valid personal user certificate (authentication), AND users must be member of a Virtual Organization (authorization).
A valid user certificate is a prerequisite to request membership in a VO. Multiple VO membership is possible.
(A user certificate can be seen as an analogon to a passport, whereas the VO membership compares to a visa.)

You might be interested in reading an article on authorization of Jens Jensen (RAL) published in iSGTW on March 3rd, 2010.

User certificates are issued by a national Certification Authority (CA) of the user's home institute. The approval and verification of the request is handled by Registration Authorities (RA). The German CA is located at FZ Karlsruhe and is called GridKa (see usage rules). DESY runs a Registration Authority (RA) to approve certificate requests for people who are employed and located (phone book entry exists) at DESY.
Students please refer to the RA of their home institutes, e.g. HUB has a seperate RA!

Users who are NOT employed by DESY may refer to the RA List of GridKa or the international The International Grid Trust Federation (ITGF).

A user certificate (of the format X509) consists of a private key with a private password and a certified public key. The private key is exclusively possessed by the user and is not known to the RA or CA at any stage.
Lost private/public keys or the password can not be recovered by any means.

A certificate is valid for 1 year and can be renewed. Users get notified by e-mail 3 weeks before this date by the CA. It is strongly recommended to renew the certificate before its expiration.


According to the policy of the German Certification Authority (CA) at GridKa, users must be
member (e.g. employee) of and located at the institute or university of which they request a
Grid user certificate from (via the Registration Authority (RA)).
This is necessary to contact users in case of security issues and to prove identity.
This applies also for renewals.
If the user changes group, institute or university, the new RA is in charge of approving

Obtaining/Renewing a User Certificate at DESY

Step 0: Prerequisites (New request and renewal)

Step 1: Paperwork at DESY (First request only)

For the FIRST certificate request at DESY ONLY!: We have to know you and your identity! Therefore you need to:

Step 2: Electronic certificate request (First request and renewal)

This step is done electronically via browser, both for the first certificate request and for any subsequent renewals. For your name, please do not use capital letters only.

Final steps (First request and renewal)


Check the [FAQ]


Becoming a Member of a VO

If a user holds a valid user certificate, membership in VOs can be requested via the appropriate VOMRS/VOMS servers.

Please do NOT request VO membership to the VO 'desy'. This is a VO for internal use only. Usually you want to register with the VO of the experiment you are working with, e.g. 'atlas', 'belle', 'cms', or 'ilc'. See:


More Information

Please consider the page on Frequently Asked Questions:

German users which are not employed by DESY or the U Hamburg may find their RA at:

Find list of all international CAs at:

CERN provides a test page to check whether your browser has a right installation of a certificate.

Check the expiration date of your current certificate:

  openssl x509 -subject -issuer -email -dates -noout -in ~/.globus/usercert.pem
Check whether the private key and public key match: The output of the following commands should be identical:
  openssl x509 -noout -modulus -in .globus/usercert.pem | openssl md5
  openssl rsa -noout -modulus -in .globus/userkey.pem | openssl md5

In Germany a second CA is run by the DFN at:

The DFN maintains a list of RAs at:

See also



Last modified: Fri Dec 9 16:33:35 MET 2005
by the DESY Grid Team: http://grid.desy.de/