CILogon X.509 certificate retirement plan


Basney, Jim

May 16, 2023, 3:51:35 PM
to anno...@cilogon.org
Hello,

Please see below for an update regarding CILogon X.509 services.

Summary:
CILogon is beginning to retire our X.509 certificate services, because CILogon subscribers are migrating from X.509 certificates to other mechanisms (e.g., SciTokens). If you do not request X.509 certificates from CILogon, then you are not impacted by the plans described below, and you do not need to read further. CILogon's other services (OIDC, OAuth, COmanage, SciTokens, SATOSA, LDAP, etc.) are not impacted.

CILogon will continue to issue X.509 certificates for Fermilab and LIGO using cigetcert and ligo-proxy-init until they have completed their transition to SciTokens and WLCG tokens. The CILogon X.509 Certificate Authorities will not be retired until that time.

Globus Connect Server version 4 endpoints configured to use CILogon rely on X.509 certificates issued from CILogon. These endpoints will continue to be supported by CILogon until after Globus has discontinued support for version 4. Visit https://www.globus.org/blog/globus-connect-server-v4-will-be-deprecated-july-31-2023 for the timeline of version 4 support and information on migrating to Globus Connect Server version 5.

If you have questions or comments, please contact us at he...@cilogon.org.

Background:
Thanks to the adoption of OpenID Connect, OAuth, and SciTokens, CILogon is seeing reduced demand for X.509 certificates, so we are beginning to retire CILogon's X.509 certificate services. Operating X.509 certificate services is a significant expense for the CILogon project, for both policy and technical reasons, so beginning to retire the X.509 services will enable us to more effectively and efficiently support the current and future needs of CILogon subscribers.

Timeline (subject to revision):

MAY 2023
The https://cilogon.org/oauth2/getcert endpoint will be deprecated. Current CILogon OpenID Connect (OAuth) clients may continue using the https://cilogon.org/oauth2/getcert endpoint until it is disabled, but it will not be available to new CILogon OpenID Connect (OAuth) clients.

JANUARY 2024
The https://cilogon.org/oauth2/getcert endpoint will be disabled. Globus Connect Server version 4 endpoints will no longer be able to obtain X.509 certificates from CILogon.

MAY 2025
The "Create Password-Protected Certificate" option at https://cilogon.org/ will be disabled.

AFTER MAY 2025
The CILogon X.509 Certificate Authorities will be retired and withdrawn from the IGTF distribution.

Please see https://ca.cilogon.org/retirement for the latest version of this announcement.

Regards,
Jim
