eScience Certificate Signing Request

In order to get a user or host certificate signed, please follow the instructions below. Within four working days you will receive an email with your signed certificate. The certificates are signed by the Certificate Authority of Please contact if needed.

User Certificate Request

On the machine you submit your grid jobs, issue the following commands:

openssl req -newkey rsa:2048 -subj "/DC=EU/DC=EGI/C=CH/O=People/O={Full name of your institution}/CN={Firstname Lastname as in provided ID}" -out cert_sign_request.pem

Valid institution names list

O=Ecole polytechnique federale de Lausanne (EPFL)
O=ETH Zuerich
O=Eidg. Forschungsanstalt fuer Wald, Schnee und Landschaft (WSL)
O=Eidgenoessische Materialpruefungs- und Forschungsanstalt (EMPA)
O=EAWAG (Eidg. Anstalt fuer Wasserv., Abwasserr. u. Gewaessersch.)
O=Fachhochschule Nordwestschweiz
O=FHS St. Gallen Hochschule fuer Angewandte Wissenschaften
O=Haute Ecole Specialisee de Suisse occidentale (HES-SO)
O=Hochschule Luzern
O=Paul-Scherrer-Institut (PSI)
O=Universita della Svizzera Italiana
O=Universitaet Basel
O=University of Bern
O=Universite de Geneve
O=Universite de Lausanne
O=Universite de Neuchatel
O=University of Zurich

Curly brackets must be removed! The command also creates privkey.pem. Keep it safe.

With the following command you may inspect your request:

openssl req -in cert_sign_request.pem -noout -text -nameopt sep_multiline

Email your request by clicking here. Follow the instructions in the email template.

  • If you already have a valid user certificate and are renewing it, please sign the request email with your certificate.
  • If this is your first certificate or your existing certificate expired, your request will require identification.

Certificate and Key Installation

After you receive your signed certificate by email: save it as $HOME/.globus/usercert.pem.

mv privkey.pem $HOME/.globus/userkey.pem; chmod 444 $HOME/.globus/usercert.pem; chmod 0400 $HOME/.globus/userkey.pem

The received email will ask for a confirmation email (reply) to be signed with the new certificate within 7 days, otherwise the certificate will be revoked.

To sign, convert your certificate into a p12 file:

cd $HOME/.globus
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -name "EGI" -out egi.p12

The egi.p12 can be imported into your mail client, browser or keychain (macOS) in order to have your email signed.

Host Certificate Request

This step requires that you already have a user certificate and that you know why you need a host certificate. Generate your host certificate by editing the FQDN and optionally the ALTNAMES lines in this configuration file and then issuing the following commands on the host:

(umask 0377; openssl req -new -config myserver.cnf -keyout privkey.pem -out hostname_sign_request.pem)

The command also creates privkey.pem. Keep it safe. Parentheses are important: otherwise, umask will affect default permissions for the rest of the shell session.

Inspect the CSR:

openssl req -in hostname_sign_request.pem -noout -subject 

and make sure that the subject of hostname_sign_request.pem is the following: subject=/DC=EU/DC=EGI/C=CH/O=Hosts/O=$ORGNAME/CN=$FQDN

Email the file cert_sign_request.pem by clicking here. You will need to sign your request email by a valid user certificate.

CA root certificate

The CA root certificate is available here.

Certificate Revocation

Send an email by clicking here. The email must be signed with your EGI user certificate.

With this command you may obtain the required subject of your certificate:

openssl req -in cert_sign_request.pem -noout -text -nameopt sep_multiline.


For the first request and every five years thereafter, a copy of your valid passport or photo ID must be added to the request email.

If you are not known to the authority operators, you will be invited to a video conference to confirm your identity. For this case please also provide your Skype ID.