No certificate, no chocolate

Are you already ready to use “certificates” to log into CERN or to connect to the global “eduroam” wireless network? No, I am not talking about your birth certificate, medical certificates or academic certificates. I am referring to “certificates” used for authentication where you would usually use a password.


These digital certificates are a valid alternative to cumbersome passwords. Like the aforementioned personal certificates, a digital certificate is an official document that proves who you are or your qualifications. Your personal digital CERN certificate is tied to your digital identity at CERN. In that respect, a digital certificate is like a password. It is a credential that you must not share with anybody else! With your digital certificate, I can impersonate you and take over your mailbox, your web sessions and more…

Digital certificates bind your digital identity to a public/private-key infrastructure (PKI). This is based on a simple mathematical fact: multiplication is easier than division, hence the difficulty of factorising prime numbers (take, for example, “8633=89*97” and now think of prime numbers with thousands of digits). Through a sophisticated algorithm, this difficulty is transferred into a pair of certificates: a “public” one and a “private” one.

The public certificate can be shared, so that others can encrypt e-mails so that only you can read them when you use your private certificate. Similarly, your private certificate can be used to prove that you are you if I know your public certificate. At CERN, your certificate is signed by the CERN Certification Authority as a proof of identity. Of course, this is highly simplified (for details see the X.509 standard), but it might give you an idea of what is happening behind the scenes…

In the High-Energy Physics community and at CERN, certificates are used in many places. For example, to submit analysis tasks to the Worldwide LHC Computing Grid (WLCG), you need a certificate issued by CERN or by your home institute. CERN is part of the International Grid Trust Federation (IGTF/EUGridPMA), which establishes trust at the policy and technical levels within the Grid community. It ensures that your CERN certificate is recognised by all the IGTF partners worldwide — a great example of global trust among peers.

If you want to log into CERN via the CERN Single Sign-On portal, a CERN certificate is a valid means. A second certificate would need to be stored on your CERN access card if you are requested by certain web services to provide a second means of identification (i.e. in addition to something you know (your password), you provide something you have (your CERN access card certificate)).

You can also use your certificate to digitally “sign” your emails and, thus, prove that they are really from you. Last but not least, thanks to the CERN Networking Group, your CERN certificate can be installed on your smart-phone, tablet or laptop. This way you can benefit from a free, easily accessible wireless connection wherever the “eduroam” wireless network is available (click here for a complete list).

In order to benefit from a digital CERN certificate, create your own at the CERN Certification Authority and follow a simple procedure to install it on your PC, laptop, tablet or smart phone. But remember: this certificate is to be treated like your toothbrush (or your password); you must not share it with anyone else. If it, or a device where it is stored, is lost or stolen, please revoke your certificate immediately at the CERN Certification Authority in order to avoid misuse of your CERN computing account!

For further information, visit the CERN Certification Authority website or the Computer Security website. Or, contact us at

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.

Access the entire collection of Computer Security articles here.

by Computer Security Team