ESGF now requires all data nodes to have certificates which have the Subject Alternative Name field set in the X509v3 extensions. We have rekeyed certificates which are signed by the NSC Simple CA, and have over 100 days of validity remaining (as on 15 March 2018). You can download your rekeyed certificate tarball, following these directions.

  1. Visit
  2. Enter your certificate DN ( /O=ESGF/OU=ESGF.ORG/CN=<your node's fully qualified domain name>) in the box;
    e.g. /0=ESGF/OU=ESGF.ORG/ , and hit Submit.
  3. Check to confirm the presence of the X509v3 Subject Alternative Name extension in your certificate; it should look like this (but with your node's FQDN):

    X509v3 Subject Alternative Name:
  4. If you get a Certificate with specified DN not found message when you click Submit, recheck the certificate DN you entered.
  5. If everything is fine, you can download your rekeyed certificate tarball from<your node's fully qualified domain name>.tgz.
  6. Reinstall the certificates exactly as before (for help, check the output from esg-node --cert-howto on your datanode)
  7. If you are having any issues, send a mail to