Certificate renewal

From Begrid Wiki
Revision as of 09:12, 9 June 2021 by Maintenance script

To request a USER certificate, please look here

Request a Server Certificate (or renewal)

Certificates should be generated on the CLI using openssl commands.

  • Do not change the machine certificate DN

I. Certificate request

I.1. Generating a certificate request on CLI

  • First you will need to generate an RSA key-pair (here 2048 bit):
openssl genrsa -out host_key.pem 2048
  • Next generate a certificate request with this key-pair. We show 2 possibilities:
    • This is the easiest way: you supply the subject line to the request, so you won't have to fill in the questions. You can copy the subject from the old certificate. To find the subject line, view the old certificate with "openssl x509 -in oldhostcert.pem -text"
openssl req -new -key host_key.pem -subj /C=BE/O=BEGRID/OU=BEgrid/OU=BELNET/CN=voms.begrid.be/emailAddress=begrid@belnet.be -out host_req.pem
    • The normal command will ask you some questions to generate the subject line. But this requires you to have openssl configured properly!
openssl req -new -key host_key.pem -out host_req.pem

I.2. Submit the request to the RA

  • Go to the BEgrid CA homepage (https://gridra.belnet.be/EE/)
  • On the left choose "Request a certificate"
  • Select 'Server' as profile and Next
  • Browse to the certificate request you have made before (host_req.pem) and Send
  • Verify if the request is correct and Send

The request will be sent to the RA for validation. Once the RA has signed the request, you will receive an email with the certificate in several formats.

You now have all the files you need:

Your key-pair generated on the CLI: host_key.pem 
Your signed certificate received by email: host_begrid_be.pem
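
Before installing the files, three checks catch the usual renewal mistakes: a request whose DN differs from the old certificate, a certificate that does not belong to the key, and a key file whose mode is not the 400 required for hostkey.pem. The script below is an added example, not part of the original wiki page; the function names and the host.example.org sample DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki): checks to run before installing a renewed
# host certificate. File names follow the page; the sample DN is constructed.

# Print a subject DN in RFC 2253 form. $1 is "x509" (certificate) or "req" (request).
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//'
}

# same_subject OLD_CERT NEW_REQUEST: the request must carry the old DN unchanged.
same_subject() {
    old=$(subject_of x509 "$1")
    # An empty result means openssl could not parse the file: fail, never "match".
    [ -n "$old" ] && [ "$old" = "$(subject_of req "$2")" ]
}

# cert_matches_key CERT KEY: the certificate must hold the public half of the key.
cert_matches_key() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# key_mode_ok KEY: the private key file mode must be exactly 0400.
key_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0400)" ]
}

# make_samples DIR: write constructed test files (throwaway keys, example host).
make_samples() {
    dn=/C=BE/O=BEGRID/OU=BEgrid/OU=BELNET/CN=host.example.org
    openssl genrsa -out "$1/host_key.pem" 2048 2>/dev/null
    openssl genrsa -out "$1/other_key.pem" 2048 2>/dev/null
    # Stand-in for the old certificate: self-signed with the same DN.
    openssl req -new -x509 -key "$1/host_key.pem" -subj "$dn" -days 1 \
        -out "$1/oldhostcert.pem"
    openssl req -new -key "$1/host_key.pem" -subj "$dn" -out "$1/host_req.pem"
    # A request whose CN differs from the old certificate.
    openssl req -new -key "$1/host_key.pem" -subj "$dn.changed" -out "$1/bad_req.pem"
    chmod 400 "$1/host_key.pem"
    chmod 644 "$1/other_key.pem"
}
```

Run same_subject oldhostcert.pem host_req.pem before submitting the request, and cert_matches_key host_begrid_be.pem host_key.pem once the signed certificate arrives.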

II. Installing certificates on servers

VOMS server example

Last time I changed our VOMS certificate, I changed it using Quattor. On the Quattor client I inserted the certificate and key in /opt/CB5/private/belnet-glite-30/private/voms.begrid.be.tpl. AND !! in Eclipse I had to change the certificate in /cfg/sites/begrid/vo/certs/belnet-voms.tpl

Then on Quattor client run ./runcheck and everything should update.

Check on the VOMS server if the files were updated. Other servers (UI, WMS, ...) should have the new cert in /etc/grid-security/vomsdir/voms.begrid.be.cert.ncm-vomsclient

Manually (Didn't try it myself):

  • Update the required files with the public key in the following folders:
  • /etc/grid-security/
  • /usr/share/tomcat5/.certs/
  • /opt/glite/etc/rgma/.certs/

Set correct permissions for /etc/grid-security/hostkey.pem (400)

  • If the DN was changed, check the files here: /var/glite/etc/voms-admin/voname/vomses

on the UI

  • /etc/grid-security/vomsdir/voms.begrid.be (with your VOMS server name)
  • /opt/edg/etc/vomses/voname-domain.name

For those using Quattor:

For VOMS, look above.

  • Update the new certificate in the corresponding server template located in the private section of your local BEgrid client

e.g. less /opt/CB5/private/belnet-glite-31/private/ce01.begrid.be.tpl

template private/ce01.begrid.be;

include components/filecopy/config;

## certificate here
variable CONTENTS = <<EOF;

Bag Attributes
    friendlyName: ce01.begrid.be's BELNET ID
    localKeyID: A5 83 DB 57 41 8A 3B 05 C2 1C 96 43 81 03 B7 B4 2E 6A 37 D2
subject=/C=BE/O=BEGRID/OU=BEgrid/OU=BELNET/CN=ce01.begrid.be
issuer=/C=BE/O=BELNET/OU=BEGrid/CN=BEGrid CA/emailAddress=gridca@belnet.be
-----BEGIN CERTIFICATE-----



copy the hostcert.pem HERE



-----END CERTIFICATE-----
EOF
"/software/components/filecopy/services" =
  npush(escape("/etc/grid-security/hostcert.pem"),
        nlist("config",CONTENTS,
              "restart","ls -l /etc/grid-security/hostcert.pem",
              "perms","0644"));

variable CONTENTS = <<EOF;
Bag Attributes
    friendlyName: ce01.begrid.be's BELNET ID
    localKeyID: A5 83 DB 57 41 8A 3B 05 C2 1C 96 43 81 03 B7 B4 2E 6A 37 D2
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----


copy the hostkey.pem HERE


-----END RSA PRIVATE KEY-----
EOF
"/software/components/filecopy/services" =
  npush(escape("/etc/grid-security/hostkey.pem"),
        nlist("config",CONTENTS,
              "restart","ls -l /etc/grid-security/hostkey.pem",
              "perms","0400"));
  • Run "runcheck"

Check that all went well. Error messages are in /var/log/ncm-cdispd.log

Run

ccm-fetch

Then

ncm-ncd --co all

Deployment of signed certificates

On the node(s) you now need to run ccm-fetch and ncm-ncd --co sindes. Your grid certificate should now be successfully deployed in /etc/grid-security.

on RB /etc/grid-security/vomsdir/voms.begrid.be.cert.ncm-vomsclient
