CILogon X.509 Certificate Retirement Plan

Summary:

• CILogon is beginning to retire our X.509 certificate services, because CILogon subscribers are migrating from X.509 certificates to other mechanisms (e.g., SciTokens).

• If you do not request X.509 certificates from CILogon, then you are not impacted by the plans described below, and you do not need to read further. CILogon's other services (OIDC, OAuth, COmanage, SciTokens, SATOSA, LDAP, etc.) are not impacted.

• CILogon will continue to issue X.509 certificates for Fermilab and LIGO using cigetcert and ligo-proxy-init until they have completed their transition to SciTokens and WLCG tokens. The CILogon X.509 Certificate Authorities will not be retired until that time.

• Globus Connect Server version 4 endpoints configured to use CILogon rely on X.509 certificates issued from CILogon. These endpoints will continue to be supported by CILogon until after Globus has discontinued support for version 4. Visit https://www.globus.org/blog/globus-connect-server-v4-will-be-deprecated-july-31-2023 for the timeline of version 4 support and information on migrating to Globus Connect Server version 5. 

• If you have questions or comments, please contact us at help@cilogon.org.

Background:

Thanks to the adoption of OpenID Connect, OAuth, and SciTokens, CILogon is seeing reduced demand for X.509 certificates, so we are beginning to retire CILogon's X.509 certificate services. Operating X.509 certificate services is a significant expense for the CILogon project, for both policy and technical reasons, so beginning to retire the X.509 services will enable us to more effectively and efficiently support the current and future needs of CILogon subscribers.

Timeline (subject to revision):

JUNE 2023

The https://cilogon.org/oauth2/getcert endpoint is deprecated. Current CILogon OpenID Connect (OAuth) clients may continue using the https://cilogon.org/oauth2/getcert endpoint until it is disabled, but it is no longer available to new CILogon OpenID Connect (OAuth) clients.

JANUARY 2024

The https://cilogon.org/oauth2/getcert endpoint will be disabled. Globus Connect Server version 4 endpoints will no longer be able to obtain X.509 certificates from CILogon.

MAY 2025

The "Create Password-Protected Certificate" option at https://cilogon.org/ will be disabled.

AFTER MAY 2025

The CILogon X.509 Certificate Authorities will be retired and withdrawn from the IGTF distribution.

Last Updated: June 12, 2023