[DESY Home] [DESY IT Home] [DESY IT Physics Computing] [Grid Computing at DESY] [DESY Computing Seminar] [Imprint, Data Privacy Policy, Datenschutzerklärung]

Grid Computing at DESY DESY

[Home] [Mon/Admin] [Grid@DESY] [Certs & VOs] [VOMS] [CVMFS] [User Guide] [Install Guide] [Notes] [Talks & Posters] [Glossary] [Documentation] [Links]

In order to ensure response in case of problems, use the Global Grid User Support (GGUS) and/or your VO support rather than private e-mail contacts or internal mailing lists.

Grid Certificates and VO Membership at DESY

  • News
  • Introduction
  • Obtaining/Renewing a User Certificate at DESY
  • Becoming a Member of a VO
  • FAQ



    2018-02-01: Web browsers

    Please use exclusive a firefox web browser for your request. Chrome, Opera, MSIE, Safari, and others do NOT work properly. See GridKa FAQ.

    2017-05-23: Passport and/or ID card copies

    Please do NOT send copies of your passport and/or ID card around.
    Identification of users is carried out by the group admins who are supposed to authorize requests of their group members by checking ID cards and denoting the last digits of the ID number on the registration form (see below).



    On order to access global Grid resources, users must hold a valid personal user certificate (authentication), AND users must be member of a Virtual Organization (authorization).
    A valid user certificate is a prerequisite to request membership in a VO. Multiple VO membership is possible.
    (A user certificate can be seen as an analogon to a passport, whereas the VO membership compares to a visa.)

    You might be interested in reading an article on authorization of Jens Jensen (RAL) published in iSGTW on March 3rd, 2010.

    User certificates are issued by a national Certification Authority (CA) of the user's home institute. The approval and verification of the request is handled by Registration Authorities (RA). The German CA is located at KIT and is called GridKa (see usage rules). DESY runs a Registration Authority (RA) to approve certificate requests for people who are employed and located (phone book entry exists) at DESY.
    Students please refer to the RA of their home institutes, e.g. HUB has a seperate RA!

    Users who are NOT employed by DESY may refer to the RA List of GridKa or the international The International Grid Trust Federation (ITGF).

    A user certificate (of the format X509) consists of a private key with a private password and a certified public key. The private key is exclusively possessed by the user and is not known to the RA or CA at any stage.
    Lost private/public keys or the password can not be recovered by any means.

    A certificate is valid for 1 year and can be renewed. Users get notified by email 3 weeks before this date by the CA. It is strongly recommended to renew the certificate before its expiration.


    According to the policy of the German Certification Authority (CA) at GridKa, users must be
    member (e.g. employee) of and located at the institute or university of which they request a
    Grid user certificate from (via the Registration Authority (RA)).
    This is necessary to contact users in case of security issues and to prove identity.
    This applies also for renewals.
    If the user changes group, institute or university, the new RA is in charge of approving

    Obtaining/Renewing a User Certificate at DESY

    Step 0: Prerequisites (New request and renewal)

    Step 1: Paperwork at DESY (First request only)

    For the FIRST certificate request at DESY ONLY!: We have to know you and your identity! Therefore you need to:

    Step 2: Electronic certificate request (First request and renewal)

    This step is done electronically via browser, both for the first certificate request and for any subsequent renewals. For your name, please do not use capital letters only.

    Final steps (First request and renewal)


    Check the [FAQ]


    Becoming a Member of a VO

    If a user holds a valid user certificate, membership in VOs can be requested via the appropriate VOMS servers.

    Please do NOT request VO membership to the VO 'desy'. This is a VO for internal use only. Usually you want to register with the VO of the experiment you are working with, e.g. 'atlas', 'belle', 'cms', or 'ilc'. See:


    More Information

    Please consider the page on Frequently Asked Questions:

    German users which are not employed by DESY or the U Hamburg may find their RA at:

    Find list of all international CAs at:

    CERN provides a test page to check whether your browser has a right installation of a certificate.

    Check the expiration date of your current certificate:

      openssl x509 -subject -issuer -email -dates -noout -in ~/.globus/usercert.pem
    Check whether the private key and public key match: The output of the following commands should be identical:
      openssl x509 -noout -modulus -in .globus/usercert.pem | openssl md5
      openssl rsa -noout -modulus -in .globus/userkey.pem | openssl md5

    In Germany a second CA is run by the DFN at:

    The DFN maintains a list of RAs at:

    See also



    Last modified: Fri Dec 9 16:33:35 MET 2005
    by the DESY Grid Team: http://grid.desy.de/