A new version of the CERN-CA-certs package is available in the QA environment.
The new package removes the older certificates of the CERN Certification Authority. Please make sure to test your services and software with the new package.
Full details are available on the SSB entry: OTG0077330.

Help
Skip Navigation Links.

Please note:
  • The procedure to request robot certificates is now fully automated, and it's no longer necessary to request permissions to Certification Authority administrators with a digitally signed email
  • If you do not satisfy the criteria to request a robot certificate, no exceptions are possible.

Grid Robot certificates

Robots, also known as automated clients, are entities that perform tasks without human intervention.

These procedures generally run using an identity with the necessary privileges to perform their tasks. If automated tasks need to authenticate using a certificate provided by the CERN Grid Certification Authority, a robot certificate should be used.

Robot certificates can only be issued to valid Service accounts.

The purpose of a robot certificate is to allow the team performing the automated tasks to authenticate without needing individual user certificates. Moreover, if the certificate subject is used by the application, it will not be necessary to modify the application's configuration each time a new certificate is issued.

A robot certificate must not be used for the following purposes:

  • To share a certificate so that people don't need to enter individual credentials.
  • To obtain a certificate for a Service account.

Who can request a robot certificate

Please note that the official Certificate Policy and Certificate Practice Statement documents for the CERN Grid Certification Authority are available at the address http://cern.ch/cafiles. This help page is only an informal excerpt from the official documents.

To request a robot certificate a user must:

  • Be registered in CERN's central HR database with one of the following categories, for which physical presence at the appropriate registration service is required:
    • Members of Personnel (as defined in Administrative Circular 11). Status: STAFF, FELL, PDAS, PJAS, USAS, CASS, UPAS, USER, DOCT, TECH, ADMI, SUMM, CHIL, APPR, COAS, GPRO, VISC, TRNE.
    • Employees of a CERN contractor. Status: ENTC.
    • Participants to an experiment. Status: PART.
    • Honorary members. Status: EXTN with reason HONO.
  • Have a CERN computer account and register an email address.
  • Be the owner of a CERN Service Account for which you want to get a robot certificate
    • The Service Account must forward messages to the owner, or to a responsible group

How to request a robot certificate

If your requirements satisfy the conditions to get a robot certificates, you can request one as follows:

Created: 3/10/2020
Last reviewed: 5/2/2022
Tools:
Send the page Send  |  Printable version Print