
OIM uses the x509 certificate sent from your browser to authenticate you. OIM allows you to request a user / host certificate as a guest, but capability will be limited. Once your user certificate is issued via OIM, or if you already have a valid OIM account, you should make all requests after you log in to OIM so that OIM can associate your certificate with your account.

You can access OIM as a guest by accessing it through the http URL (

Login to OIM

If you access it via https (, OIM will ask for a valid IGTF certificate stored on your computer. OIM handles the following cases.

Case 1) NoCert (or Expired Certificate)

If you don't have any x509 certificate, or if you chose not to provide an x509 certificate when you accessed OIM for the first time since you started your browser, you will see "(NoCert)" at the top right corner of the page. You will be logged in as a guest.

Please see What is (NoCert)? for more detail.

Case 2) Disabled

An OIM admin can disable your certificate, or the contact itself. You will then be logged in as a guest and you will see "(Disabled)" at the top right corner of the page.

Case 3-a) Un-registered

OIM recognizes your x509 certificate as a valid IGTF certificate, but the certificate is not yet registered in OIM. You will see a "Register" link at the top right corner of the page. During registration, you will need to enter your primary email address. If the email address is already registered in OIM (but not yet associated with any certificate), OIM will allow you to "take over" the email address and use it as part of your contact information.

Or... If your account is already registered with an expired Cert (like DOEGrid)

If you know your email is registered to an expired certificate, you will need to open a GOC Ticket with the new DN that you want to associate with your existing account. A DN looks like this: "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Soichi Hayashi 238". It can be found from where you obtained your certificate.
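
Certificate viewers and tools often show the subject in a comma-separated form rather than the slash-separated form shown above. The following is an added example (not part of the original page and not OIM code) that converts a comma-separated subject into the slash form before you paste it into a ticket; the function names and the "Doe, Jane" sample are constructed for illustration.

```python
def split_rdns(dn):
    """Split a comma-separated DN into RDN strings, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in "0123456789abcdefABCDEF":
                # Assumption: hex-pair escapes (e.g. \2C) are out of scope here.
                raise ValueError("hex escapes are not supported by this example")
            buf.append(nxt)          # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def to_slash_dn(dn, most_specific_first=True):
    """Return the DN as /ATTR=value/... with the least specific RDN first.

    most_specific_first=True  -> input starts with CN (RFC 4514 string order)
    most_specific_first=False -> input already starts with DC/O (certificate order)
    """
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        if "/" in value:
            # A slash inside a value would make the slash form ambiguous.
            raise ValueError("value contains '/': %r" % value)
        rdns.append("%s=%s" % (attr, value))
    if most_specific_first:
        rdns.reverse()
    return "/" + "/".join(rdns)


if __name__ == "__main__":
    # Same subject as the DN quoted on this page, written most-specific-first.
    print(to_slash_dn("CN=Soichi Hayashi 238,OU=People,O=Open Science Grid,"
                      "DC=DigiCert-Grid,DC=com"))
```

Compare the printed DN character for character with what the certificate provider shows before submitting it.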

Case 4) Valid OIM registered certificate

You are logged in, and you should see your name displayed at the top right corner of the page.

Certificate Interface

The OSG PKI user interface can be accessed by visiting OIM and selecting the "Certificate" menu.

Inside the certificate page, guest users who are accessing OIM without providing an OIM-registered user certificate will see the following submenu.

Users accessing OIM with an OIM-registered user certificate will see the following submenu. (Only PKI staff will have access to the "Quota" menu. The "GridAdmin" menu will be displayed under the Host Certificates section for non-PKI staff.)

OSG Certificate Policy

Once you submit your request, the RA / GridAdmin must approve / disapprove your request. You can then issue & download your certificate via the OIM interface, or via the command line tool for host certificates.

OIM creates a new GOC ticket for each certificate request. You will receive all notifications via email from your GOC ticket. If your request has not been processed within the expected amount of time (depending on each VO), you can update the GOC ticket and ask for status. You can also submit a GOC ticket ( for assistance in case of emergency, or if you are not receiving any updates on your request.


Please see subpages for more detail. 
