Certificate Scripts package

Please note: This documentation is for OSG 1.2. While we still provide critical security updates for OSG Software 1.2, we recommend you use OSG Software 3 for any new or updated installations. We are considering May 31, 2013 as possible OSG 1.2 End of Life (EOL).

Review Passed
by JamesBarlow
by AnandPadmanabhan

About This Document

This the home page for documenting the cert-scripts package that provides a command-line interface to the DOEGrids CA website and some additional utilities for dealing with X509 certificates. This package was developed originally by the PPDG project and is now maintained by the OSG RA.

As an alternative to the web browser interface, these scripts are contributed to the DOEGrids PKI to allow a command-line interface to the certificate authority for submitting certificate requests, retrieving signed certificates, renewing certificates, directory lookup of existing certificates, and checking the remaining lifetime of certificates and certificate revocation lists. They work directly with the PEM format files used by Globus. These are perl scripts and bash shell scripts (some awk), depend upon openssl, ldapsearch and the perl LWP:: module with SSL support. Click on the File link below for the usage description of the script, or to download the tar file package containing the scripts. These scripts have been tested for work with VDT 1.1.2 and 1.3.1. They are included with VDT, starting with 1.3.1.

Release notes are included in the README file linked below.

Man Pages

File Description
README describes the package, includes release notes
cert-check-time checks lifetime of certificates and revocation lists
cert-gridadmin immediate issuance of service certificates for authorized requestors
cert-lookup queries directory based on DN of certificates
cert-request generates and submits a certificate signing request
cert-retrieve retrieves signed certificate previously requested
cert-renew renews existing person certificate (not host or service)
multi-cert-gridadmin immediate issuance of multiple service certificates for authorized administrators (new with V2-3)
InstallationNotes.txt extra installation requirements for multi-cert-gridadmin (new with V2-3)


get http service certificate with cert-gridadmin

This example uses the gridadmin authorized certificate and key files in the default Globus location of ~/.globus/usercert.pem and ~/.globus/userkey.pem, and generates the service certificate files as http-myhostcert.pem and http-myhostkey.pem in the current working directory.

[user@client ~]$ cert-gridadmin --host dlolson.lbl.gov --service http --email dlolson@lbl.gov \
   --affiliation osg --vo osg --prefix http-myhost
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
Generating a 2048 bit RSA private key
writing new private key to './http-myhostkey.pem'
The next prompt should be for the passphrase for your
personal certificate which has been authorized to access the
gridadmin interface for this CA.
Enter PEM pass phrase:
Your new certificate and key files are ./http-myhostcert.pem ./http-myhostkey.pem
move and rename them as you wish but be sure to protect the
key since it is not encrypted and password protected.

[user@client ~]$ ls -l
total 16
-rw-rw-rw- 1 user  group 1497 Aug  3 17:23 http-myhostcert.pem
-rw------- 1 user  group 1675 Aug  3 17:23 http-myhostkey.pem

[user@client ~]$ openssl x509 -in http-myhostcert.pem -noout -subject -issuer -dates -serial
subject= /DC=org/DC=doegrids/OU=Services/CN=http/dlolson.lbl.gov
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Aug  4 00:23:41 2009 GMT
notAfter=Aug  4 00:23:41 2010 GMT


web proxy variables at BNL

These environment variables are necessary at the RCF/ACF at BNL (on 19 Mar 2007).
  • http_proxy=
  • https_proxy=http://squid.sec.bnl.local:3128


PM2RPM?_TASK = CE RobertEngel 28 Aug 2011 - 05:49
PM2RPM?_TASK = SE RobertEngel 28 Aug 2011 - 05:49
PM2RPM?_TASK = SECURITY RobertEngel 28 Aug 2011 - 05:49

Topic attachments
I Attachment Action Size Date Who Comment
ziptgz cert-scripts-V2-3-rev22.tgz manage 438.3 K 29 May 2007 - 07:34 UnknownUser V2-3, include multi-cert-gridadmin
ziptgz cert-scripts-V2-4.rev40.tgz manage 421.9 K 06 Jul 2007 - 18:43 UnknownUser V2-4, matches DOEGrids RHCS7.1 released 5 July 2007
ziptgz cert-scripts-V2-5.rev44.tgz manage 427.9 K 23 Aug 2007 - 21:30 UnknownUser V2-5, bug fixes to multi-cert-gridadmin, add p12 export
ziptgz cert-scripts-V2-6.rev50.tgz manage 457.4 K 13 Feb 2008 - 23:26 UnknownUser V2-6, fixes NSCertType? SSL Server bug in cert-gridadmin
ziptgz cert-scripts-V2-7-rev59.tgz manage 461.3 K 18 May 2009 - 22:01 UnknownUser V2-7, changes VO list from VORS to OIM, adds file input for commandline parameters
ziptar cert-scripts.V1-8.tar manage 110.0 K 05 Jul 2006 - 17:54 UnknownUser V1-8 source - update README
ziptar cert-scripts.V1-8a.tar manage 110.0 K 20 Jul 2006 - 21:29 UnknownUser V1-8a. revision to V1-8, requires -name in cert-request
ziptar cert-scripts.V1-9.tar manage 120.0 K 06 Sep 2006 - 20:00 UnknownUser V1-9 source
ziptar cert-scripts.V2-0.tar manage 120.0 K 05 Oct 2006 - 22:49 UnknownUser V2-0, now with live RA/VO information
ziptar cert-scripts.V2-1.tar manage 120.0 K 20 Nov 2006 - 21:24 UnknownUser V2-1 source, fixes for SSL_Server usage bit
ziptar cert-scripts.V2-2.tar manage 120.0 K 20 Mar 2007 - 00:08 UnknownUser V2-2 source, add http_proxy to all scripts
Topic revision: r33 - 15 Feb 2012 - 21:00:05 - KyleGross
Hello, TWikiGuest


Installation and Update Tools


Compute Element

Storage Element

Other Site Services

VO Management

Software and Caches

Central OSG Services

Additional Information

FaceBook_32x32.png Facebook

TWiki | Report Bugs | Privacy Policy

This site is powered by the TWiki collaboration platformCopyright by the contributing authors. All material on this collaboration platform is the property of the contributing authors..