====== GROW Certificates ======
===== GROW Certificate Information =====
Here is a list of the certificates that we use here at GROW.
==== grow-grid.its.uiowa.edu ====
^ File Name ^ Location ^ Permissions ^ Owner ^
| hostcert.pem | /etc/grid-security | 444 | root:root |
| hostkey.pem | /etc/grid-security | 400 | root:root |
| containercert.pem | /etc/grid-security | 444 | daemon:daemon |
| containerkey.pem | /etc/grid-security | 400 | daemon:daemon |
| rsvcert.pem | /etc/grid-security/rsv | 444 | rsv:users |
| rsvkey.pem | /etc/grid-security/rsv | 400 | rsv:users |
| httpcert.pem | /etc/grid-security/http | 444 | tomcat:daemon |
| httpkey.pem | /etc/grid-security/http | 400 | tomcat:daemon |
| bestmancert.pem | /etc/grid-security/bestman | 444 | bestman:root |
| bestmankey.pem | /etc/grid-security/bestman | 400 | bestman:root |
==== dynes-fdt.physics.uiowa.edu ====
^ File Name ^ Location ^ Permissions ^ Owner ^
| dynes-fdt.physics.uiowa.educert.pem | /home/admin | 444 | admin:admin |
| dynes-fdt.physics.uiowa.edukey.pem | /home/admin | 400 | admin:admin |
==== dynes-idc.net.uiowa.edu ====
^ File Name ^ Location ^ Permissions ^ Owner ^
| dynes-idc.net.uiowa.educert.pem | /home/admin | 444 | admin:admin |
| dynes-idc.net.uiowa.edukey.pem | /home/admin | 400 | admin:admin |
The Certificate Scripts Package must be installed in order to install certificates! Check [[https://www.opensciencegrid.org/bin/view/Documentation/Release3/GetHostServiceCertificates#Requirements|here]] for requirements before continuing.
===== Requesting Certificates =====
[[https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/GetHostServiceCertificates|Here]] are the official instructions to retrieve host certificates.
The cert-request script will prompt you for:
* Reason for request
* Administrator's name
* Full hostname of the server
* Administrator's email
* Phone number
* A registration authority (choose OSG)
* A VO (choose CMS or OSG)
* Confirmation that you are authorized to install the certificate on the host
If the script runs without error, it prints a certificate request id that ties the response email to this particular request. You will also have two files in your current directory (where hostname is the hostname you supplied to the script):
* hostnamekey.pem
* hostname.req
Now you must wait for a response from DOEGrids, which will contain the serial number needed to retrieve the certificate.
Certificate renewal is the same process as requesting a new certificate.
===== View Certificate Information =====
Be sure to change "hostcert.pem" to the name and location of the certificate you wish to work with.
==== openssl method ====
You can view the subject, issuer and validity dates of a certificate by running this command.
[user@grow-grid grid-security]# openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Jul 14 14:57:09 2011 GMT
notAfter=Jul 13 14:57:09 2012 GMT
==== grid-cert-info method ====
This method requires the Certificate Scripts Package to be installed.
[user@grow-grid grid-security]# grid-cert-info -file ./hostcert.pem
====== Host Certificate ======
===== Request Host =====
Submit a request for a host certificate.
[root@grow-grid grid-security]# cert-request -ou s -dir . -label grow-grid.its.uiowa.edu
===== Retrieve Host =====
Once you have a reply from DOEGrids with a serial number in 0xYYYY format, you can retrieve the certificate by running this command.
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu -dir . -prefix grow-grid.its.uiowa.edu
%%
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0xYYYY
Checking that the certificate and ./grow-grid.its.uiowa.edukey.pem match
writing RSA key
./grow-grid.its.uiowa.educert.pem and ./grow-grid.its.uiowa.edukey.pem now contain your new credential
%%
===== Verify Host =====
Check to make sure the certificate matches your machine hostname.
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=rsv/grow-grid.its.uiowa.edu
Now execute:
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
===== Edit Host =====
Change the certificate and key names to hostcert.pem and hostkey.pem and edit the file permissions.
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/hostcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/hostcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/hostkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/hostkey.pem
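A post-install audit for one credential pair, added here as an example (it is not part of the GROW wiki or the OSG Certificate Scripts Package): it folds the openssl date check, the CN-versus-hostname check and the ownership/permission rules from the table above into shell functions, and handles both host certificates (CN=host) and service certificates (CN=service/host). It assumes the openssl CLI and GNU stat; the function names are my own.

```shell
#!/bin/sh
# Post-install audit of one grid credential pair. Added example: not part of the
# GROW wiki or the OSG Certificate Scripts Package. Assumes the openssl CLI and
# GNU stat (for -c); all function names are my own.
set -u

# Host part of a DOEGrids subject, from either the old "/DC=org/.../CN=x" or the
# newer "CN = x, OU = ..." openssl output. Service certs carry "CN=service/host",
# so a leading "service/" is dropped before comparing with hostname -f.
cn_host() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *||p' | sed 's|,.*||; s|^[^/]*/||'
}
# 0 if the subject CN of cert $1 names host $2 (the output of `hostname -f`).
cert_names_host() {
    [ "$(cn_host "$(openssl x509 -in "$1" -noout -subject)")" = "$2" ]
}
# 0 if file $1 has octal mode $2 and owner $3 given as user:group.
check_perms() {
    actual=$(stat -c '%a %U:%G' "$1") || return 1
    [ "$actual" = "$2 $3" ]
}
# 0 if cert $1 is still valid $2 days from now (renewal warning window).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
# 0 if key $2 and cert $1 share the same RSA modulus, which is the check that
# cert-retrieve reports as "Checking that the certificate and ...key.pem match".
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# Audit a pair as installed by the "Edit" steps: cert 444, key 400, one owner.
audit_pair() {  # audit_pair CERT KEY OWNER HOST
    rc=0
    check_perms "$1" 444 "$3" || { echo "bad mode/owner: $1"; rc=1; }
    check_perms "$2" 400 "$3" || { echo "bad mode/owner: $2"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match cert: $2"; rc=1; }
    cert_names_host "$1" "$4" || { echo "subject CN does not name $4: $1"; rc=1; }
    cert_not_expiring "$1" 30 || { echo "expires within 30 days: $1"; rc=1; }
    return $rc
}
# Example: the host credential from the table, run with "--run" on grow-grid.
if [ "${1:-}" = "--run" ]; then
    audit_pair /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem \
        root:root "$(hostname -f)"
fi
```

For the http, rsv and bestman pairs and for the DYNES files in /home/admin, pass the location and owner from the table above as the CERT, KEY and OWNER arguments.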
====== Container Certificate ======
We will use the host certificate as the container certificate. This is the only instance where using a copy of the host certificate is allowed.
[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/containerkey.pem
Change ownership on the container certificate.
[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containerkey.pem
====== HTTP Service Certificate ======
===== Request HTTP =====
[root@grow-grid grid-security]# cert-request -ou s -service http -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-http
===== Retrieve HTTP =====
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYYY -label grow-grid.its.uiowa.edu-http -dir . -prefix grow-grid.its.uiowa.edu-http
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11526
Checking that the certificate and ./grow-grid.its.uiowa.edu-httpkey.pem match
writing RSA key
previous ./grow-grid.its.uiowa.edu-httpkey.pem exists
previous ./grow-grid.its.uiowa.edu-httpkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-httpkey.pem' and `./grow-grid.its.uiowa.edu-httpkey.pem' are the same file
./grow-grid.its.uiowa.edu-httpcert.pem and ./grow-grid.its.uiowa.edu-httpkey.pem now contain your new credential
===== Verify HTTP =====
Check to make sure the certificate matches your machine hostname.
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-httpcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=http/grow-grid.its.uiowa.edu
Now execute:
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host name after CN= in the certificate subject and the output of hostname -f should match.
===== Edit HTTP =====
Change the certificate and key names to httpcert.pem and httpkey.pem and edit the file permissions and ownership.
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpcert.pem /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpkey.pem /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chown tomcat:daemon /etc/grid-security/http/http*
====== RSV Service Certificate ======
===== Request RSV =====
[root@grow-grid grid-security]# cert-request -ou s -service rsv -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-rsv
===== Retrieve RSV =====
Once you have a reply from DOEGrids with a serial number in 0xYYYY format, you can retrieve the certificate by running this command.
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu-rsv -dir . -prefix grow-grid.its.uiowa.edu-rsv
%%checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11507
Checking that the certificate and ./grow-grid.its.uiowa.edu-rsvkey.pem match
writing RSA key
previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists
previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-rsvkey.pem' and `./grow-grid.its.uiowa.edu-rsvkey.pem' are the same file
./grow-grid.its.uiowa.edu-rsvcert.pem and ./grow-grid.its.uiowa.edu-rsvkey.pem now contain your new credential
%%
===== Verify RSV =====
Check to make sure the certificate matches your machine hostname.
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-rsvcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
Now execute:
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host name after CN= in the certificate subject and the output of hostname -f should match.
===== Edit RSV =====
Change the certificate and key names to rsvcert.pem and rsvkey.pem, place them in /etc/grid-security/rsv, and edit the file ownership and permissions.
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvcert.pem /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvkey.pem /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvcert.pem
====== Bestman Service Certificate ======
The bestman service certificate will be used by the bestman user and stored at grow-grid.its.uiowa.edu:/etc/grid-security/bestman.
===== Request Bestman =====
[root@grow-grid bestman]# cert-request -ou s -service bestman -host grow-grid.its.uiowa.edu -label grow-grid.its.uiowa.edu-bestman
===== Retrieve Bestman =====
Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYYY -label grow-grid.its.uiowa.edu-bestman -dir . -prefix grow-grid.its.uiowa.edu-bestman
===== Verify Bestman =====
Check to make sure the certificate matches your machine hostname.
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-bestmancert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=bestman/grow-grid.its.uiowa.edu
Now execute:
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host name after CN= in the certificate subject and the output of hostname -f should match.
===== Edit Bestman =====
Move the certificate and key to the bestman directory and change the owner and permissions as follows:
[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmancert.pem bestman/bestmancert.pem
[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmankey.pem bestman/bestmankey.pem
[root@grow-grid grid-security]# chown bestman:root bestman/bestman*
[root@grow-grid bestman]# chmod 400 /etc/grid-security/bestman/bestmankey.pem
[root@grow-grid bestman]# chmod 444 /etc/grid-security/bestman/bestmancert.pem
====== DYNES FDT Host Certificate ======
Here is how to view the certificate information if it already exists:
[admin@dynes-fdt ~]$ openssl x509 -in /home/admin/dynes-fdt.physics.uiowa.educert.pem -text -noout
===== Request FDT Host =====
I am using grow-grid to request certificates for the DYNES equipment in hopes that I will not have to install OSG software on the DYNES equipment.
Submit a request for a certificate.
[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-fdt.physics.uiowa.edu
===== Retrieve FDT Host =====
Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.
[dsquires@grow-grid ~]$ cert-retrieve -serial 0xYYYYY -label dynes-fdt.physics.uiowa.edu -dir . -prefix dynes-fdt.physics.uiowa.edu
%%checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11508
Checking that the certificate and ./dynes-fdt.physics.uiowa.edukey.pem match
writing RSA key
previous ./dynes-fdt.physics.uiowa.edukey.pem exists
previous ./dynes-fdt.physics.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-fdt.physics.uiowa.edukey.pem' and `./dynes-fdt.physics.uiowa.edukey.pem' are the same file
./dynes-fdt.physics.uiowa.educert.pem and ./dynes-fdt.physics.uiowa.edukey.pem now contain your new credential
%%
===== Verify FDT Host =====
Check to make sure the certificate matches your machine hostname.
[user@grow-grid ~]$ grid-cert-info -file ./dynes-fdt.physics.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-fdt-physics.uiowa.edu
Now execute:
[admin@dynes-fdt ~]$ hostname -f
dynes-fdt.physics.uiowa.edu
The host name after CN= in the certificate subject and the output of hostname -f should match.
===== Edit FDT Host =====
Move the certificate and key to the FDT server. These files will be kept in /home/admin.
[dsquires@grow-grid ~]$ scp dynes-fdt.physics.uiowa.edu* admin@dynes-fdt.physics.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-fdt.physics.uiowa.educert.pem 100% 1574 1.5KB/s 00:00
dynes-fdt.physics.uiowa.edukey.pem 100% 1675 1.6KB/s 00:00
Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-fdt.physics.uiowa.educert.pem, and 400 for dynes-fdt.physics.uiowa.edukey.pem.
[admin@dynes-fdt ~]$ ls -lh
total 8.0K
-rw-r--r-- 1 admin admin 1.6K Jul 3 16:41 dynes-fdt.physics.uiowa.educert.pem
-rw------- 1 admin admin 1.7K Jul 3 16:41 dynes-fdt.physics.uiowa.edukey.pem
====== DYNES IDC Host Certificate ======
Here is how to view the certificate information if it already exists:
[admin@dynes-idc ~]$ openssl x509 -in /home/admin/dynes-idc-vm1.net.uiowa.educert.pem -text -noout
===== Request IDC Host =====
I am using grow-grid to request certificates for the DYNES equipment in hopes that I will not have to install OSG software on the DYNES equipment.
Request the certificate.
[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-idc.net.uiowa.edu
===== Retrieve IDC Host =====
Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.
[user@grow-grid ~]$ cert-retrieve -serial 0xYYYYY -label dynes-idc-vm1.net.uiowa.edu -dir . -prefix dynes-idc-vm1.net.uiowa.edu
%%checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11509
Checking that the certificate and ./dynes-idc-vm1.net.uiowa.edukey.pem match
writing RSA key
previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists
previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-idc-vm1.net.uiowa.edukey.pem' and `./dynes-idc-vm1.net.uiowa.edukey.pem' are the same file
./dynes-idc-vm1.net.uiowa.educert.pem and ./dynes-idc-vm1.net.uiowa.edukey.pem now contain your new credential
%%
===== Verify IDC Host =====
Check to make sure the certificate matches your machine hostname.
[user@grow-grid ~]$ grid-cert-info -file ./dynes-idc-vm1.net.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-idc-vm1.net.uiowa.edu
Now execute this command on the IDC server:
[admin@dynes-idc ~]$ hostname -f
dynes-idc-vm1.net.uiowa.edu
The host name after CN= in the certificate subject and the output of hostname -f should match.
===== Edit IDC Host =====
Move the certificate and key to the IDC server. These files will be kept in /home/admin.
[user@grow-grid ~]$ scp dynes-idc-vm1.net.uiowa.edu* admin@dynes-idc.net.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-idc-vm1.net.uiowa.educert.pem 100% 1562 1.5KB/s 00:00
dynes-idc-vm1.net.uiowa.edukey.pem 100% 1675 1.6KB/s 00:00
Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-idc-vm1.net.uiowa.educert.pem, and 400 for dynes-idc-vm1.net.uiowa.edukey.pem.
[admin@dynes-idc ~]$ ls -lh
total 8.0K
-rw-r--r-- 1 admin admin 1.6K Jul 3 15:37 dynes-idc-vm1.net.uiowa.educert.pem
-rw------- 1 admin admin 1.7K Jul 3 15:37 dynes-idc-vm1.net.uiowa.edukey.pem
====== Notes ======
====== Contact Info ======
This Dokuwiki page is maintained by:\\
Daniel Squires\\
University of Iowa\\
Department of Computer Science\\
Email: