Certificates Old Way

Setup and maintenance of Certificate Authority connection (deprecated)

The grid-cert-request setup described in this section is useful when dealing with a globus-only software installation and dealing with an arbitrary CA but grid-cert-request is NOT the recommended method of generating certificate signing requests in an OSG software environment. This configuration has no effect on the PPDG-Cert-Scripts package which uses the DOEGrids CA as it's default configuration.

Configure the DOEGrids Certificate Authority (CA) to be used by default. To do so, run the utility below.

If you are given the option of more than one different CA in the menu below, choose the option which matches DOEGrids, then enter q at the prompts. If only DOEGrids is shown, then you can just enter q as shown in the output below.

# $VDT_LOCATION/vdt/setup/setup-cert-request
 Reading from /g3dev/globus/TRUSTED_CA
 Using hash: 1c3f2ca8
 Setting up grid-cert-request
 Running grid-security-config...

Before you use the Grid Security Infrastructure, you should first
define the DN (distinguished name) that should be used for your
organization's X509 certificates.  If you do not define a DN,
a default DN will be assigned to you.

For some questions, a default response is given in [].
Pressing RETURN in response to such a question will enable the default.
This script will overwrite the file --

     /usr/local/vdt-1.0/globus/etc/grid-security.conf


========================================================================

(1) Base DN for user certificates
         [ OU=People,DC=doegrids,DC=org ]
(2) Base DN for host certificates
         [ OU=Services,DC=doegrids,DC=org ]

========================================================================
(q) save, configure the GSI and Quit
(c) Cancel (exit without saving or configuring)
(h) Help
========================================================================

q

Successfully created cert request configuration files in:
/etc/grid-security

During the CE installation/setup, the %201.10.1%20/certificate_authorities.html" target="_top">VDT's list of CAs was added under $VDT_LOCATION/globus/TRUSTED_CA as the list of authorized CAs on your system. Also, the variable X509_CERT_DIR was set to $VDT_LOCATION/globus/TRUSTED_CA. Please review the list of authorized CAs and modify the set in $X509_CERT_DIR as needed to match your local policy.

From OSG 0.5.0/VDT-1.3.11 and greater, the daemon edg-crl-upgrade has been replaced with a root cron job called fetch-crl which runs daily from cron. This will refresh the CRLs from these CAs. Some of them expire in less than 1 day and you may find it necessary to increase the frequency of the fetch-crl to be more than daily by manually executing crontab -e to make the frequency of the crl-update be every six hours, for instance.

ALERT! IMPORTANT
Change from past versions: The OSG installation is pre-configured as of version 0.6.0 to place the CA certificates in the local $VDT_LOCATION/globus/TRUSTED_CA directory. The fetch-crl cron job will be updating CRLs in this local directory only. If you want to maintain certificates in the (old) /etc/grid-security/certificates directory, you must link it to the local TRUSTED_CA location (symlink in either direction) and copy the CA files appropriately. The host and http certificate files still go under /etc/grid-security.

The Certificate Scripts Package Guide? which has been installed can assist you with choosing Certificate Authorities to trust and periodically checking that the CRLs (Certificate Revocation Lists) have not expired.


Complete: 3
Responsible: RobGardner - 27 Nov 2007
Reviewer - date:

Topic revision: r2 - 04 Jun 2010 - 18:18:43 - SuchandraThapa
 
TWIKI.NET

TWiki | Report Bugs | Privacy Policy

This site is powered by the TWiki collaboration platformCopyright by the contributing authors. All material on this collaboration platform is the property of the contributing authors..