
Grid Computing at DESY


In order to ensure response in case of problems, use the Global Grid User Support (GGUS) and/or your VO support rather than private e-mail contacts or internal mailing lists.





Where is the certificate format (X509) specified?

Update: 2016-06-17 (AG)

Please refer to X509.


Due to a crash/update of my browser, (parts of) my certificate got lost.

Update: 2014-07-09 (AG)

When requesting a certificate from GridKa, the private key is stored in the browser's profile. The signed public key is added when it is retrieved from GridKa after the issuing process. If the browser crashes or the profile is lost for other reasons before the 'usercert.p12' file could be stored elsewhere (e.g. AFS), the only way to recover is to request a new certificate according to the rules described in the documentation. A new ID form is of course not needed!
If the 'usercert.p12' file does exist, it can be reloaded into the browser.
If 'usercert.pem' and 'userkey.pem' exist (usually in '~/.globus'), the 'usercert.p12' file can be recreated.


I am new at DESY/U Hamburg and still have a Grid certificate from my old home institute.

Update: 2013-11-05 (AG)

You can use your current Grid certificate until it expires. Unfortunately DESY cannot extend certificates of another RA, only its own (OU=DESY OU=uni-hamburg OU=XFEL). You must request a new one from DESY, which requires the entire procedure as described in Grid Certificates and VO Membership at DESY. This requires a form signed by your DESY group admin AND a DESY e-mail address.
If there is some time left before you become a member of DESY, you might want to check with your current home institute whether your certificate can be extended for a transition period until you are at DESY. It is of course possible to hold two certificates for some time until the old one expires. Make sure you also register the new certificate with the VOs you are in!


My home institute has changed. Can I still get/extend my Grid certificate from DESY?

Update: 2011-03-08 (AG)

Unfortunately not! Please read the documentation again.
You must contact the RA/CA of your (new) home institute. See the RA List of GridKa or even the CA list.


I am a student. Can I get a Grid certificate from DESY?

Update: 2011-08-01 (AG)

According to the usage rules of GridKa, DESY acts as a registration authority (RA) for DESY, Uni Hamburg and XFEL employees only (this includes DESY summer students).
Students of other universities must contact the RA of their home university/institute. See the RA List of GridKa or even the CA list.


Where are the usage rules of the CA at GridKa?

Update: 2010-08-09 (AG)

Please refer to the GridKa web pages.


Do I have a valid user cert in my browser?

Update: 2017-04-26 (AG)


  Edit -> Preferences -> Advanced -> Certificates -> View Certificates -> Your Certificates
or check the CERN certificate test page


How to create a '.pem' from a '.p12'?

Update: 2010-01-15 (AG)

Please refer to the GridKa portal's help pages, in particular the section Exporting certificates from your browser.


How to create a '.p12' from a '.pem'?

Update: 2009-12-16 (AG)

The file 'my_cert.p12' is created from the user certificate and the private key. openssl asks you for an export password, which you need in order to import the user certificate into a browser.

  cd ~/.globus
  openssl pkcs12 -export -out my_cert.p12 -inkey userkey.pem -in usercert.pem


My certificate expired (SSL peer rejected your certificate as expired.). What shall I do?

Update: 2013-03-25

You might see a message:

Secure Connection Failed
      An error occurred during a connection to gridka-ca.kit.edu.

SSL peer rejected your certificate as expired.

(Error code: ssl_error_expired_cert_alert)

No action can be taken on the Grid without a valid certificate. But the expiration of the user certificate is NOT a disaster!

Since you had a valid certificate, you are already known to the RA at DESY. You must first delete your now invalid certificate from your browser (in Firefox: Preferences or Options / Advanced / Encryption / View Certificates). Then go to the GridKa Web Portal and request a new certificate. You do NOT need to fill in the *famous* IDENTIFICATION FORM again. We still have it!


I forgot my certificate's password and/or lost my private key?

Update: 2009-01-27

The user selects a certificate password and is the owner of the private key. Nobody else, neither your CA nor your RA, has a copy of either of them. If either of them is lost, you must request a new certificate via the GridKa portal. A new identification to your local RA is usually not needed.


When does my certificate expire?

Update: 2008-06-17 (AG)

Use the following openssl command to check your certificate:

  openssl x509 -subject -issuer -email -dates -noout -in ~/.globus/usercert.pem


I don't know which Registration Authority I should contact.

Update: 2008-04-14 (AG)

Please check the list of international CAs at CAs

In Germany two CAs may issue certificates. They require approval by the Registration Authority of the requestor's home institute.

  • GridKa @ FZ Karlsruhe: [CA]
  • DFN Verein: [CA]


    How long does it take to get a certificate request processed?

    Update: 2011-08-01 (YK)

    The procedure works as follows:

  • Fill in the DESY Identification Form, get the requested signature, and make sure UCO gets the form (send it by post or hand it in directly; e-mail will not work). The duration of this step is up to you. Note that this step is only required for the FIRST certificate request at DESY!
  • UCO notifies the RA admins at DESY. (minutes)
  • The applicant issues the Grid user certificate request on the GridKa Portal (minutes).
  • The portal notifies the RA admins at DESY to approve the cert requests (minutes).
  • The RA admins at DESY (grid-ra_(AT)_desy_(DOT)de) approve the request - if you are known to the RA (see the first point about the DESY Identification Form).
  • GridKa at FZ Karlsruhe issues the certificate asap (hours).


    I have requested a Grid Certificate on the GridKa portal but nothing has happened since.

    Update: 2011-08-01 (YK)

    DESY has to approve your electronic request. This requires that you have introduced yourself by sending in the form as described.
    Please read the documentation at Grid Certificates and VO Membership at DESY carefully.


    I have sent or faxed the Grid Certificate request form to the IT Secretary or UCO but nothing has happened since.

    Update: 2011-08-01 (YK)

    The IT Secretary is NO LONGER INVOLVED in the Grid Certificate request workflow! They will simply ignore your request! Send the DESY Identification Form to UCO and UCO alone!

    You are NOT notified by DESY upon arrival of the form. You can proceed with the electronic request on the GridKa Portal immediately.
    Please read the documentation at Grid Certificates and VO Membership at DESY carefully.


    Do my userkey and usercert match?

    Update: 2007-09-19 (AG)

    It is essential that your usercert.pem and userkey.pem belong together. You can check this by comparing the checksums which MUST be the same:

      cd ~/.globus
      openssl x509 -noout -modulus -in usercert.pem | openssl md5
      openssl rsa -noout -modulus -in userkey.pem | openssl md5

    Information about the certificate can be obtained with:

      cd ~/.globus
      openssl x509 -subject -issuer -dates -noout -in usercert.pem
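
The two checks from this page (key/certificate match and expiry date) combined into one script, as an added example that is not part of the original DESY page. It goes slightly beyond the page's command by comparing public keys instead of the RSA modulus, so it also covers non-RSA keys; the function names and the 14-day default are assumptions.

```sh
#!/bin/sh
# Added example, not part of the DESY page: pre-flight check of a Grid
# credential pair. Assumes usercert.pem and userkey.pem sit in one directory.
# Usage after sourcing this file: check_credentials ~/.globus 30

# cert_matches_key DIR
# 0 = certificate and key belong together, 1 = they do not, 2 = unreadable.
# Compares public keys, so it is not limited to RSA. An encrypted
# userkey.pem makes openssl prompt for its passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/usercert.pem") || return 2
    key_pub=$(openssl pkey -pubout -in "$1/userkey.pem") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for DIR DAYS
# 0 = still valid DAYS days from now, 1 = expires before that (or already
# expired), 2 = certificate file missing or unreadable.
cert_valid_for() {
    [ -r "$1/usercert.pem" ] || return 2
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/usercert.pem" >/dev/null
}

# check_credentials [DIR] [DAYS]
# Runs both checks; returns 0 only if the pair matches and the certificate
# outlives DAYS (assumed default: 14).
check_credentials() {
    dir=${1:-$HOME/.globus}
    days=${2:-14}
    status=0
    rc=0
    cert_matches_key "$dir" || rc=$?
    case $rc in
        0) echo "OK: usercert.pem and userkey.pem belong together" ;;
        1) echo "FAIL: usercert.pem and userkey.pem do not match"; status=1 ;;
        *) echo "FAIL: cannot read the certificate or key in $dir"; return 2 ;;
    esac
    if cert_valid_for "$dir" "$days"; then
        echo "OK: certificate is valid for at least $days more days"
    else
        echo "WARN: certificate expires within $days days"
        status=1
    fi
    # Same fields the page's openssl command prints, for the record.
    openssl x509 -noout -subject -issuer -dates -in "$dir/usercert.pem"
    return $status
}
```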


    My certificate was extended. Do I have to register again to the VOs?

    Update: 2007-07-04 (AG)

    No. If an existing certificate is extended, the DN remains the same. It is the DN by which a user (holder of a certificate) is known to the VO.

    If for some reason a new certificate with a different DN was issued, a new membership request must be issued.

    Find the DN in your certificate with:

      openssl x509 -subject -noout -in $HOME/.globus/usercert.pem


    I have a gLite UI but the DESY VOs are not supported?

    Update: 2007-07-04 (AG)

    Special configuration files are needed only for job submission. By default they are read from the system configuration files:

      > ls -l $GLITE_LOCATION/etc/zeus/glite_wms.conf

    Instead, user defined config files can be used:

      > glite-job-submit --config-vo ./glite_wms.conf
      > cat ./glite_wms.conf
        WmsClient = [
            virtualorganisation = "ilc";
            requirements = other.GlueCEStateStatus == "Production";
            MyProxyServer = "grid-pxy.desy.de";
            WMProxyEndpoints = {
            ListenerStorage = "/tmp/glite/glite-ui";
            ErrorStorage = "/tmp/glite/glite-ui";
            ShallowRetryCount = 10;
            AllowZippedISB = true;
            PerusalFileEnable = false;
            rank =- other.GlueCEStateEstimatedResponseTime;
            OutputStorage = "/tmp/glite/glite-ui";
            RetryCount = 3;

    See also DESY Grid User Guide for details.


    I do not have a gLite UI?

    Update: 2009-06-03 (AG)

    If you have AFS on your SL4/5 machine you can use the DESY AFS installation directly. See DESY Grid User Guide for details.


    Where do I get information from?

    Update: 2008-08-25 (AG)

    Support is provided by GGUS at
    You are member of the VO 'ilc'. For this VO exist the mailing lists:
    The first one allows contact to the Grid experts of the VO. The second
    one contains the international users of the VO 'ilc'.
    You have probably also looked up
    There is also a lot of information on the Grid in the context of LCG and
    EGEE, e.g.:


    Which SEs exist at DESY?

    Update: 2008-03-28 (AG)


      lcg-infosites --vo _your_vo_ se

    * dCache is a mass storage technology which was developed by DESY/Fermi
      and is utilized at DESY (Hamburg and Zeuthen) and elsewhere.
      It is used for the DESY data storage with an optional back-end to the
      tape system as well as mass storage technology for Grid Storage
    * From the user's point of view, a Storage Element is a Grid Service.
      It provides well-defined services and is in this sense transparently
      usable from the Grid. Nothing to care about! Also file sizes do not
      matter. It is an internal task of the SE to efficiently use the
      underlying system. This statement is true world-wide.
    * We have at DESY Hamburg currently three SEs, which support the VO
      'grid-se3.desy.de' is an SE which uses the dCache technology.
      It provides a few 100 GB per VO but has NO connection to the DESY mass
      storage pool. It can be accessed via the Grid only. It is currently
      the default SE for all VOs (VO_ILC_DEFAULT_SE).
      'srm-dcache.desy.de' is a dcache-based SE and has connection to the
      DESY mass storage system. The data space can be seen within DESY via
      Access is granted on request only, though formally all VOs are
      Some directories are connected to disk pools which are automatically
      copied to tape.
    * We do not have quotas on user level (yet), but space is limited. Even
      in the DESY mass storage system with its tape back-end, some action is
      needed to enable big storage volumes. A few hundred Gigabytes is
      already big.
    * If you plan a bigger Monte Carlo production this might be interesting
      for other members of your VO too. Since resources are limited - even
      in the Grid - a centralized MC production approach is preferable and
      data should go to a central and safe (!) place, e.g. to the DESY mass
      storage system with tape back-end via the SE 'srm-dcache.desy.de'.
      Please check with your colleagues and request a tape volume with an
      associated directory.
    * If no storage path is specified, data files go to a directory called
      In the case of the VO 'ilc' on 'srm-dcache.desy.de' for instance:
      Those directories are not backed up on tape!
    * LFC stands for LCG File Catalogue. This is a service which is used to
      manage the files stored on SEs worldwide in the context of a specific
      VO. Therefore there exists exactly ONE central LFC per VO in the world.
      An LFC associates a Logical File Name (LFN) with the actual access
      information on all replicas of a file on the SEs.


    Last modified: Tue Jul 5 17:03:47 MEST 2005
    by the DESY Grid Team: http://grid.desy.de/