Grid Certificate Renewal

A page detailing how grid certificates are renewed for grid resources. These instructions should not be followed for user certificates!

General Procedure

  1. Locate the hostcert.pem and hostkey.pem files on the grid node.
  2. Convert them to a PKCS#12 file with the command openssl pkcs12 -export -in hostcert.pem -inkey hostkey.pem -out cert.p12.
  3. Transfer the .p12 file to the local file system (i.e. epdt82).
  4. Import the certificate into Mozilla. Note that multiple profiles (Tools -> Switch Profiles) can be used to manage multiple certificates!
  5. Renew the certificate at https://ca-ra.grid-support.ac.uk

Note that when prompted, the same password is used to protect certificates as is used to log onto the appropriate node!

  6. Once renewed, export the new p12 certificate from the browser.
  7. Convert the p12 file to pem format:

openssl pkcs12 -in cert.p12 -clcerts -nokeys -out hostcert.pem
openssl pkcs12 -nodes -in cert.p12 -nocerts -out hostkey.pem

  8. Copy the pem files to the appropriate locations on the grid nodes.
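
A check worth running between steps 7 and 8, given here as an added example that is not part of the original page: it confirms that the renewed hostcert.pem and hostkey.pem belong together and that the certificate is still valid, then applies the file modes listed under Certificate Locations. It assumes the openssl command-line tool is installed; the function names, the sample.invalid subject and the password "constructed" are made up for the example.

```shell
# Added example: sanity checks for a renewed host certificate before it is
# copied into place. Usage: sh check_hostcert.sh hostcert.pem hostkey.pem

# Succeeds only if the certificate and private key share one public key.
# Comparing public keys (rather than RSA moduli) also works for EC keys.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 seconds from now (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Apply the modes listed under Certificate Locations: 644 cert, 400 key.
# Ownership (root, glite, tomcat, ...) is left to a separate chown.
set_modes() {
    chmod 644 "$1" && chmod 400 "$2"
}

check_pair() {
    pair_matches "$1" "$2" || { echo "MISMATCH: $1 / $2" >&2; return 1; }
    cert_valid_for "$1" 0  || { echo "EXPIRED: $1" >&2; return 1; }
    echo "OK: $1 matches $2, $(openssl x509 -in "$1" -noout -enddate)"
}

# Constructed sample: make a throwaway self-signed pair in directory $1 and
# round-trip it through PKCS#12 with the same commands as steps 2 and 7.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample.invalid" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
        -out "$1/cert.p12" -passout pass:constructed &&
    openssl pkcs12 -in "$1/cert.p12" -clcerts -nokeys \
        -out "$1/hostcert.pem" -passin pass:constructed &&
    openssl pkcs12 -nodes -in "$1/cert.p12" -nocerts \
        -out "$1/hostkey.pem" -passin pass:constructed
}

if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

Because step 7 uses -nodes, hostkey.pem is written without a passphrase, so the 400 mode and the owner from the tables are the only protection the key has on disk.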

Certificate Locations:

epgce2

Filename Owner Group Permissions
/home/glite/.certs/hostkey.pem glite glite 400
/home/glite/.certs/hostcert.pem glite glite 644
/etc/grid-security/hostkey.pem root root 400
/etc/grid-security/hostcert.pem root root 644

epgce3

Filename Owner Group Permissions
/etc/grid-security/hostkey.pem root root 400
/etc/grid-security/hostcert.pem root root 644
/home/glite/.certs/hostkey.pem glite glite 400
/home/glite/.certs/hostcert.pem glite glite 644

epgmo1

Filename Owner Group Permissions
/etc/grid-security/hostkey.pem root root 400
/etc/grid-security/hostcert.pem root root 644
/etc/tomcat5/hostkey.pem tomcat tomcat 400
/etc/tomcat5/hostcert.pem tomcat tomcat 644
/etc/grid-security/lfcmgr/lfckey.pem lfcmgr lfcmgr 400
/etc/grid-security/lfcmgr/lfccert.pem lfcmgr lfcmgr 644
/opt/glite/var/rgma/.certs/hostkey.pem rgma rgma 400
/opt/glite/var/rgma/.certs/hostcert.pem rgma rgma 644

The public and private keys of ce1-4 and se1 appear in /data1/grid/certs/_hostname_/host_(cert || key)_.pem, belonging to root.

epgsr1

Filename Owner Group Permissions
/etc/grid-security/hostkey.pem root root 400
/etc/grid-security/hostcert.pem root root 644
/etc/grid-security/dpmmgr/dpmkey.pem dpmmgr dpmmgr 400
/etc/grid-security/dpmmgr/dpmcert.pem dpmmgr dpmmgr 644
/home/edginfo/.globus/userkey.pem edginfo edginfo 400
/home/edginfo/.globus/usercert.pem edginfo edginfo 644
/home/edguser/.globus/userkey.pem edguser edguser 400
/home/edguser/.globus/usercert.pem edguser edguser 644

-- ChristopherCurtis - 24 Jul 2009


Topic revision: r5 - 02 Sep 2009 - /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=christopher curtis