Summary:
CILogon is retiring our X.509 certificate services, because CILogon subscribers have migrated from X.509 certificates to other mechanisms (e.g., SciTokens).
If you do not request X.509 certificates from CILogon, then you are not impacted by the plans described below, and you do not need to read further. CILogon's other services (OIDC, OAuth, COmanage, SciTokens, SATOSA, etc.) are not impacted.
If you have questions or comments, please contact us at help@cilogon.org.
Background:
Thanks to the adoption of OpenID Connect, OAuth, and SciTokens, CILogon subscribers no longer require X.509 certificates from CILogon, so we are retiring CILogon's X.509 certificate services. Operating X.509 certificate services was a significant expense for the CILogon project, for both policy and technical reasons, so retiring the X.509 services enables us to more effectively and efficiently support the current and future needs of CILogon subscribers.
Timeline:
MAY 2023
The CILogon X.509 certificate retirement plan is announced.
JUNE 2023
The https://cilogon.org/oauth2/getcert endpoint is deprecated.
JANUARY 2024
The https://cilogon.org/oauth2/getcert endpoint is disabled.
MAY 2025
The "Create Password-Protected Certificate" option at https://cilogon.org/ is removed.
The https://ecp.cilogon.org/secure/getcert endpoint is disabled.
JUNE 2025
The CILogon X.509 Certificate Authorities will be withdrawn from the IGTF distribution.
JULY 2025
The CILogon X.509 Certificate Authorities will no longer issue Certificate Revocation Lists (CRLs).
CILogon X.509 certificate services will be fully retired.
Last Updated: May 13, 2025