CILogon X.509 Certificate Retirement Plan
Summary:
We are retiring CILogon's X.509 certificate services because CILogon subscribers are migrating from X.509 certificates to other mechanisms (e.g., SciTokens).
If you do not request X.509 certificates from CILogon, then you are not impacted by the plans described below, and you do not need to read further. CILogon's other services (OIDC, OAuth, COmanage, SciTokens, SATOSA, LDAP, etc.) are not impacted.
CILogon will continue to issue X.509 certificates for Fermilab and LIGO using cigetcert and ligo-proxy-init until they have completed their transition to SciTokens and WLCG tokens. The CILogon X.509 Certificate Authorities will not be retired until that time.
If you have questions or comments, please contact us at help@cilogon.org.
Background:
Thanks to the adoption of OpenID Connect, OAuth, and SciTokens, CILogon is seeing reduced demand for X.509 certificates, so we are beginning to retire CILogon's X.509 certificate services. Operating X.509 certificate services is a significant expense for the CILogon project, for both policy and technical reasons. Beginning to retire them will enable us to support the current and future needs of CILogon subscribers more effectively and efficiently.
Timeline (subject to revision):
JUNE 2023
The https://cilogon.org/oauth2/getcert endpoint is deprecated. Current CILogon OpenID Connect (OAuth) clients may continue using the https://cilogon.org/oauth2/getcert endpoint until it is disabled, but it is no longer available to new CILogon OpenID Connect (OAuth) clients.
JANUARY 2024
The https://cilogon.org/oauth2/getcert endpoint is disabled.
MAY 2025
The "Create Password-Protected Certificate" option at https://cilogon.org/ will be disabled.
AFTER MAY 2025
The CILogon X.509 Certificate Authorities will be retired and withdrawn from the IGTF distribution.
Last Updated: January 24, 2024