Certificates Old Way
The grid-cert-request setup described in this section is useful for a Globus-only software installation that must work with an arbitrary CA,
but grid-cert-request is NOT the recommended method of generating certificate signing requests
in an OSG software environment. This configuration has no effect on the PPDG-Cert-Scripts package, which uses the DOEGrids CA
as its default configuration.
Configure the DOEGrids Certificate Authority (CA) to be used by default by running the grid-cert-request setup utility; a sample session is shown below.
If the menu offers more than one CA, choose the entry that matches DOEGrids at the prompts.
If only DOEGrids is shown, choose (q) to save, configure the GSI and quit,
as in the output below.
Reading from /g3dev/globus/TRUSTED_CA
Using hash: 1c3f2ca8
Setting up grid-cert-request
Before you use the Grid Security Infrastructure, you should first
define the DN (distinguished name) that should be used for your
organization's X509 certificates. If you do not define a DN,
a default DN will be assigned to you.
For some questions, a default response is given in [ ].
Pressing RETURN in response to such a question will accept the default.
This script will overwrite the file --
(1) Base DN for user certificates
[ OU=People,DC=doegrids,DC=org ]
(2) Base DN for host certificates
[ OU=Services,DC=doegrids,DC=org ]
(q) save, configure the GSI and Quit
(c) Cancel (exit without saving or configuring)
Successfully created cert request configuration files in:
During the CE installation/setup, the VDT's list of CAs (see the VDT certificate_authorities page)
was installed as the list of authorized CAs on your system, and the variable X509_CERT_DIR was set to $VDT_LOCATION/globus/TRUSTED_CA. Review the list of authorized CAs and modify the set in $X509_CERT_DIR as needed to match your local policy.
From OSG 0.5.0/VDT 1.3.11 onward, the edg-crl-upgrade daemon
has been replaced by fetch-crl, a root cron job
that runs daily and refreshes the CRLs of these CAs. Some CAs issue CRLs that expire in less than one day, so you may need to run fetch-crl more often than daily: edit root's crontab with crontab -e so that the CRL update runs every six hours, for instance.
- Change from past versions: as of version 0.6.0 the OSG installation is pre-configured to place the CA certificates in the local
$VDT_LOCATION/globus/TRUSTED_CA directory, and the fetch-crl cron job updates CRLs in that local directory only. If you want to keep maintaining certificates in the (old)
/etc/grid-security/certificates directory, you must link it to the local
TRUSTED_CA location (a symlink in either direction works) and copy the CA files appropriately. The host and http certificate files still go under
The Certificate Scripts Package, which has been installed (see the Certificate Scripts Package Guide),
can assist you with choosing which Certificate Authorities to trust and with periodically checking that the CRLs (Certificate Revocation Lists) have not expired.
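The following is an added shell example, not code from this page, the VDT or the fetch-crl package, showing the expiry check that the six-hourly cron entry above guards against: it walks the trusted-CA directory and reports every CRL whose nextUpdate has already passed. It assumes OpenSSL's hash-named layout (a <hash>.r0 file per CA CRL, as in TRUSTED_CA), an openssl binary on PATH, and X509_CERT_DIR pointing at the directory; the timestamp conversion is done in awk so the check does not depend on GNU date -d understanding OpenSSL's date format. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the OSG/VDT page or fetch-crl): report CRLs in the
# trusted-CA directory whose nextUpdate has already passed.
# Assumptions: OpenSSL hash-named layout (<hash>.r0 = CRL), "openssl" on PATH,
# X509_CERT_DIR set by the OSG install (falls back to the classic location).

# Convert an OpenSSL nextUpdate timestamp ("Nov 27 12:00:00 2007 GMT") to
# seconds since the Unix epoch using the days-from-civil algorithm, so the
# check works with any awk and does not need GNU "date -d".
asn1_time_to_epoch() {
    printf '%s\n' "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        mon = 0
        for (i = 1; i <= 12; i++) if (m[i] == $1) mon = i
        day = $2 + 0; split($3, t, ":"); y = $4 + 0
        if (mon <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (mon + (mon > 2 ? -3 : 9)) + 2) / 5) + day - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%.0f\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Succeed (exit 0) when the timestamp in $1 is at or before epoch seconds $2.
time_expired() {
    [ "$(asn1_time_to_epoch "$1")" -le "$2" ]
}

# Succeed when the CRL file $1 has a nextUpdate at or before epoch seconds $2.
crl_expired() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    time_expired "$next" "$2"
}

# Walk every *.r0 CRL in the trusted-CA directory, print the expired ones and
# return 1 if any were found (usable from cron or a monitoring probe), else 0.
check_crl_dir() {
    dir=${1:-${X509_CERT_DIR:-/etc/grid-security/certificates}}
    now=$(date +%s)
    bad=0
    for crl in "$dir"/*.r0; do
        [ -f "$crl" ] || continue
        if crl_expired "$crl" "$now"; then
            echo "EXPIRED CRL: $crl ($(openssl crl -in "$crl" -noout -nextupdate))"
            bad=1
        fi
    done
    return "$bad"
}

# Root crontab entry (assumed path; use whatever your existing daily
# fetch-crl entry already invokes) to refresh CRLs every six hours:
#   0 */6 * * *  /path/to/fetch-crl
```

Run `check_crl_dir` (or `check_crl_dir /some/other/dir`) after fetch-crl has executed; a non-zero exit with one or more EXPIRED CRL lines means the CA in question publishes CRLs that lapse faster than your fetch-crl interval, which is exactly the case where the six-hourly schedule is needed.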
- 27 Nov 2007