Certificate renewal
To request a USER certificate, please look here
Request a Server Certificate (or renewal)
Certificates should be generated on the CLI using openssl commands.
- Do not change the machine certificate DN
I. Certificate request
I.1. Generating a certificate request on CLI
- First you will need to generate a RSA key-pair (here 2048 bit):
openssl genrsa -out host_key.pem 2048
- Next generate a certificate request with this key-pair. We show 2 possibilities:
- This is the easiest way: you supply the subject line to the request, so you won't have to fill in the questions. You can copy the subject from the old certificate. To find the subject line, view the old certificate with "openssl x509 -in oldhostcert.pem -text"
openssl req -new -key host_key.pem -subj /C=BE/O=BEGRID/OU=BEgrid/OU=BELNET/CN=voms.begrid.be/emailAddress=begrid@belnet.be -out host_req.pem
- The normal command will ask you some questions to generate the subject line. But this requires you to have openssl configured properly!
openssl req -new -key host_key.pem -out host_req.pem
I.2. Submit the request to the RA
- Go to the BEgrid CA homepage (https://gridra.belnet.be/EE/)
- On the left choose "Request a certificate"
- Select 'Server' as profile and Next
- Browse to the certificate request you have made before (host_req.pem) and Send
- Verify if the request is correct and Send
The request will be sent to the RA for validation. Once the RA has signed the request, you will receive an email with the certificate in several formats.
You now have all the files you need:
Your key-pair generated on the CLI: host_key.pem
Your signed certificate received by email: host_begrid_be.pem
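The request steps above, written out as an added shell example that is not part of the original page: it copies the DN from the old certificate so the machine DN does not change, and checks the CSR before you upload it to the RA. File names, the "renew.sh" name and an openssl on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: renew a host certificate request
# with the DN copied from the old certificate, then check the CSR before it is
# uploaded to the RA. Assumes openssl on PATH and the old certificate as PEM.
set -eu

# Subject of a certificate or CSR in the /C=.../CN=... form that "openssl req
# -subj" accepts ($1: x509 or req, $2: file). The sed strips "subject=" and
# the extra space that older OpenSSL versions print after it.
dn_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Fresh 2048-bit key plus a CSR that reuses the old DN ($1 old cert, $2 key out,
# $3 CSR out). The key gets mode 400 like /etc/grid-security/hostkey.pem.
make_renewal_request() {
    subj=$(dn_of x509 "$1")
    openssl genrsa -out "$2" 2048 2>/dev/null
    chmod 400 "$2"
    openssl req -new -key "$2" -subj "$subj" -out "$3" 2>/dev/null
}

# Pre-submission checks: the CSR DN must equal the old certificate's DN (the
# machine DN must not change) and the CSR must carry the public half of the key
# that will be installed. Returns 0 when both hold, 1 otherwise.
check_request() {   # $1 old cert, $2 key, $3 CSR
    want=$(dn_of x509 "$1")
    got=$(dn_of req "$3")
    [ "$got" = "$want" ] || { echo "DN changed: $got" >&2; return 1; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    csr_pub=$(openssl req -in "$3" -noout -pubkey | openssl md5)
    [ "$key_pub" = "$csr_pub" ] || { echo "CSR does not match $2" >&2; return 1; }
    openssl req -in "$3" -noout -verify >/dev/null 2>&1
}

# After the signed certificate comes back by mail: confirm it belongs to the key
# you generated before copying both into /etc/grid-security ($1 cert, $2 key).
check_cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$a" = "$b" ]
}

# Usage: sh renew.sh oldhostcert.pem host_key.pem host_req.pem
if [ $# -eq 3 ]; then
    make_renewal_request "$1" "$2" "$3"
    check_request "$1" "$2" "$3" && echo "request OK, submit $3 to the RA"
fi
```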
II. Installing certificates on servers
VOMS server example
Last time I changed our VOMS certificate, I changed it using Quattor. On the quattor client I inserted the certificate and key in /opt/CB5/private/belnet-glite-30/private/voms.begrid.be.tpl. AND !! in Eclipse I had to change the certificate in /cfg/sites/begrid/vo/certs/belnet-voms.tpl
Then on Quattor client run ./runcheck and everything should update.
Check on the VOMS server if the files were updated. Other servers (UI, WMS, ...) should have the new cert in /etc/grid-security/vomsdir/voms.begrid.be.cert.ncm-vomsclient
Manually (Didn't try it myself):
- Update the required files with the public key on the following folders:
- /etc/grid-security/
- /usr/share/tomcat5/.certs/
- /opt/glite/etc/rgma/.certs/
Set correct permissions for /etc/grid-security/hostkey.pem (400)
- If the DN was changed, check the files here: /var/glite/etc/voms-admin/voname/vomses
on the UI
- /etc/grid-security/vomsdir/voms.begrid.be (with your VOMS server name)
- /opt/edg/etc/vomses/voname-domain.name
=== For those using Quattor: ===
For VOMS, look above.
- Update the new certificate in the corresponding server template locate in the private section of your local BEgrid client
e.g. less /opt/CB5/private/belnet-glite-31/private/ce01.begrid.be.tpl
template private/ce01.begrid.be;

include components/filecopy/config;

## certificate here
variable CONTENTS = <<EOF;
Bag Attributes
    friendlyName: ce01.begrid.be's BELNET ID
    localKeyID: A5 83 DB 57 41 8A 3B 05 C2 1C 96 43 81 03 B7 B4 2E 6A 37 D2
subject=/C=BE/O=BEGRID/OU=BEgrid/OU=BELNET/CN=ce01.begrid.be
issuer=/C=BE/O=BELNET/OU=BEGrid/CN=BEGrid CA/emailAddress=gridca@belnet.be
-----BEGIN CERTIFICATE-----
'''copy the hostcert.pem HERE'''
-----END CERTIFICATE-----
EOF

"/software/components/filecopy/services" = npush(escape("/etc/grid-security/hostcert.pem"),
    nlist("config", CONTENTS,
          "restart", "ls -l /etc/grid-security/hostcert.pem",
          "perms", "0644"));

variable CONTENTS = <<EOF;
Bag Attributes
    friendlyName: ce01.begrid.be's BELNET ID
    localKeyID: A5 83 DB 57 41 8A 3B 05 C2 1C 96 43 81 03 B7 B4 2E 6A 37 D2
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
'''copy the hostkey.pem HERE'''
-----END RSA PRIVATE KEY-----
EOF

"/software/components/filecopy/services" = npush(escape("/etc/grid-security/hostkey.pem"),
    nlist("config", CONTENTS,
          "restart", "ls -l /etc/grid-security/hostkey.pem",
          "perms", "0400"));
- Run "runcheck"
Check that all went well; error messages are in /var/log/ncm-cdispd.log
Run
ccm-fetch
Then
ncm-ncd --co all
Deployment of signed certificates
On the node(s) you now need to run ccm-fetch and ncm-ncd --co sindes. Your grid certificate should now be successfully deployed in /etc/grid-security.
On the RB: /etc/grid-security/vomsdir/voms.begrid.be.cert.ncm-vomsclient