CILogon X.509 Certificate Retirement Plan

Summary:

• CILogon is retiring our X.509 certificate services, because CILogon subscribers are migrating from X.509 certificates to other mechanisms (e.g., SciTokens).

• If you do not request X.509 certificates from CILogon, then you are not impacted by the plans described below, and you do not need to read further. CILogon's other services (OIDC, OAuth, COmanage, SciTokens, SATOSA, LDAP, etc.) are not impacted.

• CILogon will continue to issue X.509 certificates for Fermilab and LIGO using cigetcert and ligo-proxy-init until they have completed their transition to SciTokens and WLCG tokens. The CILogon X.509 Certificate Authorities will not be retired until that time.

• If you have questions or comments, please contact us at help@cilogon.org.

Background:

Thanks to the adoption of OpenID Connect, OAuth, and SciTokens, CILogon is seeing reduced demand for X.509 certificates, so we are beginning to retire CILogon's X.509 certificate services. Operating X.509 certificate services is a significant expense for the CILogon project, for both policy and technical reasons, so beginning to retire the X.509 services will enable us to more effectively and efficiently support the current and future needs of CILogon subscribers.

Timeline (subject to revision):

JUNE 2023

The https://cilogon.org/oauth2/getcert endpoint is deprecated. Current CILogon OpenID Connect (OAuth) clients may continue using the https://cilogon.org/oauth2/getcert endpoint until it is disabled, but it is no longer available to new CILogon OpenID Connect (OAuth) clients.

JANUARY 2024

The https://cilogon.org/oauth2/getcert endpoint is disabled.

MAY 2025

The "Create Password-Protected Certificate" option at https://cilogon.org/ will be disabled.

The https://ecp.cilogon.org/secure/getcert endpoint will be disabled.

AFTER MAY 2025

The CILogon X.509 Certificate Authorities will be retired and withdrawn from the IGTF distribution.

Last Updated: March 14, 2025