[Go to /lcg-ca/]


EGI CA repository
EGI feeder link

LHC Computing Grid trust anchor (CA) distribution

Welcome and thanks for your interest in these pages. On this site you will find the technical implementation of the WLCG Policy on Approved Certification Authorities, as drafted by the Joint Security Policy Group and endorsed by the WLCG Management Board. For compatibility purposes, the packages from the EGI distribution are mirrored here, so that if you need to obtain CAs from both policies, you can do this from a single source.

Important Notice for sites in EGI that support WLCG
Your should install BOTH "egi-core" AND "lcg" meta-packages, according to your policies. Note that your organisation or NGI may also have a specific policy and may have added or removed CAs compared to the EGI core policy. Sites that need compliance with the WLCG policy should install BOTH packages, or you will miss out the CERN WLCG IOTA CA specific exception see https://documents.egi.eu/document/2745 for details and the WLCG statement http://lcg-ca.web.cern.ch/lcg-ca/doc/WLCG-CERN-IOTA-statement-MB.pdf.

Version 1.128-1 and change log

The current version of the LCG trust anchor distribution is 1.128-1, based on the IGTF release with the same version. This distribution was built on 2024-03-11. The change log is part of the distribution, and can be found here.

* updated CRL download URL for ArmeSFo (AM)
NOTICE: in future releases we will move to a new RSA-2048 GPG package signing
key. The new public key file, GPG-KEY-EUGridPMA-RPM-4, is distributed with
this and subsequent releases. You can retrieve the new public key file from

How to download and install the distribution

To set up the installation via yum you need to set up your yum repository in yum.conf (or add this file to yum.repos.d):
Then do the updating from any other repository via
# yum update lcg-CA
To install afresh, if you have configured yum appropriately you can do
# yum install ca-policy-lcg
(add a "ca-policy-egi-core" to also get the EGI list, or us ethe historic "lcg-CA" to get both) to update/install the CAs. Occasionally, in case the yum cache is not updated properly one might need to perform manual cleaning with the command:
# yum clean cache metadata
If you want to install the packages manually from RPMs, go to .../RPMS/, whereas you can find the tar-balls fo the individual CAs in .../tgz/. Of course, the tar-based distribution will not do dependency management or automatic upgrades. Please review the release notes to look for packages that have been withdrawn.

Quattor templates

Quattor templates for QWG use can be found distribution/current/meta/ca-policy-lcg.tpl, and in CDB format at distribution/current/meta/pro_software_meta_ca_policy_lcg.tpl.

mod_ssl timeout workaround

We provide here a workaround for the issue summarised in comment #57 of bug #48458. The following rpm has been added to the repository: dummy-ca-certs-20090630-1.noarch.rpm. Please note that:
  • This rpm is not added to the lcg-CA metapackage dependencies.
  • If you want to install it you should run: yum install dummy-ca-certs

Comments to David Groep.