Certificate Scripts package
Please note: This documentation is for OSG 1.2. While we still provide critical security updates for OSG Software 1.2, we recommend you use OSG Software 3 for any new or updated installations. We are considering May 31, 2013 as possible OSG 1.2 End of Life (EOL).
This is the home page for documenting the cert-scripts package, which provides a command-line interface to the DOEGrids CA website and some additional utilities for dealing with X509 certificates. This package was originally developed by the PPDG project and is now maintained by the OSG RA.
As an alternative to the web browser interface, these scripts are contributed to the DOEGrids PKI to allow a command-line interface to the certificate authority for submitting certificate requests, retrieving signed certificates, renewing certificates, directory lookup of existing certificates, and checking the remaining lifetime of certificates and certificate revocation lists. They work directly with the PEM format files used by Globus. These are perl scripts and bash shell scripts (some awk) that depend upon openssl, ldapsearch and the perl LWP:: module with SSL support. Click on the File link below for the usage description of the script, or to download the tar file package containing the scripts. These scripts have been tested to work with VDT 1.1.2 and 1.3.1. They are included with VDT, starting with 1.3.1.
Release notes are included in the README file linked below.
|| describes the package, includes release notes
|| checks lifetime of certificates and revocation lists
|| immediate issuance of service certificates for authorized requestors
|| queries directory based on DN of certificates
|| generates and submits a certificate signing request
|| retrieves signed certificate previously requested
|| renews existing person certificate (not host or service)
|| immediate issuance of multiple service certificates for authorized administrators (new with V2-3)
|| extra installation requirements for multi-cert-gridadmin (new with V2-3)
get http service certificate with cert-gridadmin
This example uses the gridadmin authorized certificate and key files in the default Globus location of ~/.globus/usercert.pem and ~/.globus/userkey.pem, and generates the service certificate files as http-myhostcert.pem in the current working directory.
[user@client ~]$ cert-gridadmin --host dlolson.lbl.gov --service http --email email@example.com \
--affiliation osg --vo osg --prefix http-myhost
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
Generating a 2048 bit RSA private key
writing new private key to './http-myhostkey.pem'
The next prompt should be for the passphrase for your
personal certificate which has been authorized to access the
gridadmin interface for this CA.
Enter PEM pass phrase:
Your new certificate and key files are ./http-myhostcert.pem ./http-myhostkey.pem
move and rename them as you wish but be sure to protect the
key since it is not encrypted and password protected.
[user@client ~]$ ls -l
-rw-rw-rw- 1 user group 1497 Aug 3 17:23 http-myhostcert.pem
-rw------- 1 user group 1675 Aug 3 17:23 http-myhostkey.pem
[user@client ~]$ openssl x509 -in http-myhostcert.pem -noout -subject -issuer -dates -serial
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Aug 4 00:23:41 2009 GMT
notAfter=Aug 4 00:23:41 2010 GMT
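The run above leaves an unencrypted private key on disk, and its ls -l listing shows the certificate file as -rw-rw-rw-. The checks below are an added example, not part of the cert-scripts package: the function names and the 30-day default are assumptions, and openssl is the only external tool used.

```shell
#!/bin/sh
# Added example: checks to run on the files cert-gridadmin leaves behind.
# Function names and the 30-day default are assumptions of this example.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The key is stored unencrypted: group and other must have no access at all.
key_perms_ok() {
    mode=$(file_mode "$1") || return 2
    [ "$(( 0$mode & 077 ))" -eq 0 ]
}

# The certificate is public, but only its owner should be able to replace it.
cert_perms_ok() {
    mode=$(file_mode "$1") || return 2
    [ "$(( 0$mode & 022 ))" -eq 0 ]
}

# Certificate and key belong together when they carry the same public key.
pair_matches() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    from_key=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$from_cert" = "$from_key" ]
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all four checks, report each failure, return non-zero if any failed.
check_service_cert() {
    cert=$1; key=$2; min_days=${3:-30}; rc=0
    key_perms_ok "$key" || { echo "FAIL: $key is accessible to group/other"; rc=1; }
    cert_perms_ok "$cert" || { echo "FAIL: $cert is writable by group/other"; rc=1; }
    pair_matches "$cert" "$key" || { echo "FAIL: $cert and $key do not match"; rc=1; }
    valid_for_days "$cert" "$min_days" || { echo "FAIL: $cert expires within $min_days days"; rc=1; }
    return "$rc"
}

# Example: check_service_cert http-myhostcert.pem http-myhostkey.pem 30
```

With the permissions shown in the listing above, the key passes its permission check and the certificate fails until its mode is tightened, for example with chmod 644.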
web proxy variables at BNL
These environment variables are necessary at the RCF/ACF at BNL (on 19 Mar 2007).