Table of Contents

GROW Certificates

GROW Certificate Information

Here is a list of the certificates that we use here at GROW.

grow-grid.its.uiowa.edu

File Name Location Permissions Owner
hostcert.pem /etc/grid-locations 444 root:root
hostkey.pem /etc/grid-locations 400 root:root
containercert.pem /etc/grid-locations 444 daemon:daemon
containerkey.pem /etc/grid-locations 400 daemon:daemon
rsvrcert.pem /etc/grid-locations/rsv 444 rsv:users
rsvkey.pem /etc/grid-locations/rsv 400 rsv:users
httpcert.pem /etc/grid-locations/http 444 tomcat:daemon
httpkey.pem /etc/grid-locations/http 400 tomcat:daemon
bestmancert.pem /etc/grid-locations/bestman 444 bestman:root
bestmankey.pem /etc/grid-locations/bestman 400 bestman:root

dynes-fdt.physics.uiowa.edu

File Name Location Permissions Owner
dynes-fdt.physics.uiowa.educert.pem /home/admin 444 admin:admin
dynes-fdt.physics.uiowa.edukey.pem /home/admin 400 admin:admin

dynes-idc.net.uiowa.edu

File Name Location Permissions Owner
dynes-idc.net.uiowa.educert.pem /home/admin 444 admin:admin
dynes-idc.net.uiowa.edukey.pem /home/admin 400 admin:admin

The Certificate Scripts Package must be installed in order to install certificates! Check here for requirements before continuing.

Requesting Certificates

Here are the official instructions to retrieve host certificates. The cert-request script will prompt you for for:

If the script runs without error, you will then be given a certificate request id which can be used to identify the response email to a particular certificate request. You will also have two files in your current directory (where hostname is replaced with the hostname you supplied to the script):

Now you must wait for a response from DOEGrids which will contain a serial code needed to retrieve the certificate.

Certificate renewal is the same process as requesting a new certificate.

View Certificate Information

Be sure to change “hostcert.pem” to the name and location of the certificate you wish to work with.

openssl method

You can view the expiration of certificates by running this command. 

[user@grow-grid grid-security]# openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Jul 14 14:57:09 2011 GMT
notAfter=Jul 13 14:57:09 2012 GMT

grid-cert-info method

This method requires the Certificate Scripts Package to be installed 

[user@grow-grid grid-security]# grid-cert-info -file ./hostcert.pem

Host Certificate

Request Host

Submit a request for a host certificate. 

[root@grow-grid grid-security]# cert-request -ou s -dir . -label grow-grid.its.uiowa.edu

Retrieve Host

Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate by running this command. 

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYY -label grow-grid.its.uiowa.edu -dir . -prefix grow-grid.its.uiowa.edu

checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0xYYYY 
Checking that the certificate and ./grow-grid.its.uiowa.edukey.pem match
writing RSA key
./grow-grid.its.uiowa.educert.pem and ./grow-grid.its.uiowa.edukey.pem now contain your new credential

Verify Host

Check to make sure the certificate matches your machine hostname. 

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=rsv/grow-grid.its.uiowa.edu

Now execute: 

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu

Edit Host

Change the certificate and key names to hostcert.pem and hostkey.pem and edit the file permissions. 

[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/hostcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/hostcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/hostkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/hostkey.pem

Container Certificate

We will use the host certificate as the container certificate. This is the only instance where using a copy of the host certificate is allowed. 

[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/containerkey.pem

Change ownership on the container certificate. 

[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containerkey.pem

HTTP Service Certificate

Request HTTP

[root@grow-grid grid-security]# cert-request -ou s -service http -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-http

Retrieve HTTP

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYYY -label grow-grid.its.uiowa.edu-http -dir . -prefix grow-grid.its.uiowa.edu-http
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11526
Checking that the certificate and ./grow-grid.its.uiowa.edu-httpkey.pem match
writing RSA key
 previous ./grow-grid.its.uiowa.edu-httpkey.pem exists
previous ./grow-grid.its.uiowa.edu-httpkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-httpkey.pem' and `./grow-grid.its.uiowa.edu-httpkey.pem' are the same file
./grow-grid.its.uiowa.edu-httpcert.pem and ./grow-grid.its.uiowa.edu-httpkey.pem now contain your new credential

Verifiy HTTP

Check to make sure the certificate matches your machine hostname. 

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-httpcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=http/grow-grid.its.uiowa.edu

Now execute: 

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host names in red above should match.

Edit HTTP

Change the certificate and key names to httpcert.pem and httpkey.pem and edit the file permissions and ownerships. 

[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpcert.pem /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpkey.pem /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chown tomcat:daemon /etc/grid-security/http/http*

RSV Service Certificate

Request RSV

[root@grow-grid grid-security]# cert-request -ou s -service rsv -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-rsv

Retrieve RSV

Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate by running this command. 

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYY -label grow-grid.its.uiowa.edu-rsv -dir . -prefix grow-grid.its.uiowa.edu-rsv
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11507
Checking that the certificate and ./grow-grid.its.uiowa.edu-rsvkey.pem match
writing RSA key
 previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists
previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-rsvkey.pem' and `./grow-grid.its.uiowa.edu-rsvkey.pem' are the same file
./grow-grid.its.uiowa.edu-rsvcert.pem and ./grow-grid.its.uiowa.edu-rsvkey.pem now contain your new credential

Verify RSV

Check to make sure the certificate matches your machine hostname. 

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-rsvcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu

Now execute: 

[root@grow-grid grid-security
grow-grid.its.uiowa.edu
The host names in red above should match.

Edit RSV

Change the certificate and key names to rsvcert.pem and rsvkey.pem, place them in /etc/grid-security/rsv, and edit the file ownership and permissions. 

[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvcert.pem /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvkey.pem /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvcert.pem

Bestman Service Certificate

The bestman service certificate will be used by the bestman user and stored at grow-grid.its.uiowa.edu:/etc/grid-security/bestman.

Request Bestman

[root@grow-grid bestman]# cert-request -ou s -service bestman -host grow-grid.its.uiowa.edu -label bestman-grow-grid.its.uiowa.edu-bestman

Retrieve Bestman

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email. 

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYYY -label grow-grid.its.uiowa.edu-bestman -dir . -prefix grow-grid.its.uiowa.edu-bestman

Verify Bestman

Check to make sure the certificate matches your machine hostname. 

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-bestmancert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=bestman/grow-grid.its.uiowa.edu

Now execute: 

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host names in red above should match.

Edit Bestman

Move the certificate and key to the bestman directory and change the owner/permissions as such: 

[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmancert.pem bestman/bestmancert.pem
[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmankey.pem bestman/bestmankey.pem
[root@grow-grid grid-security]# chown bestman:root bestman/bestman*
[root@grow-grid bestman]# chmod 400 /etc/grid-security/bestman/bestmankey.pem 
[root@grow-grid bestman]# chmod 444 /etc/grid-security/bestman/bestmancert.pem

DYNES FDT Host Certificate

Here is how to view the certificate information if it already exists: 

[admin@dynes-fdt ~]$ openssl x509 -in /home/admin/dynes-fdt.physics.uiowa.educert.pem -text -noout

Request FDT Host

I am using grow-grid to request certificates for the dynes equipment in hopes that I will not have to install OSG software on the DYNES equipment.

Submit a request for a certificate. 
[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-fdt.physics.uiowa.edu

Retrieve FDT Host

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email. 

[dsquires@grow-grid ~]$ cert-retrieve  -serial 0xYYYYY -label dynes-fdt.physics.uiowa.edu -dir . -prefix dynes-fdt.physics.uiowa.edu
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11508
Checking that the certificate and ./dynes-fdt.physics.uiowa.edukey.pem match
writing RSA key
 previous ./dynes-fdt.physics.uiowa.edukey.pem exists
previous ./dynes-fdt.physics.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-fdt.physics.uiowa.edukey.pem' and `./dynes-fdt.physics.uiowa.edukey.pem' are the same file
./dynes-fdt.physics.uiowa.educert.pem and ./dynes-fdt.physics.uiowa.edukey.pem now contain your new credential

Verify FDT Host

Check to make sure the certificate matches your machine hostname. 

[user@grow-grid ~]$ grid-cert-info -file ./dynes-idc.net.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-fdt-physics.uiowa.edu
Now execute: 
[admin@dynes-fdt ~]$ hostname -f
dynes-fdt.physics.uiowa.edu
The host names in red above should match.

Edit FDT Host

Move the certificate and key to the FDT server. These files will be kept in /home/admin. 

[dsquires@grow-grid ~]$ scp dynes-fdt.physics.uiowa.edu* admin@dynes-fdt.physics.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-fdt.physics.uiowa.educert.pem                                                            100% 1574     1.5KB/s   00:00    
dynes-fdt.physics.uiowa.edukey.pem                                                             100% 1675     1.6KB/s   00:00

Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-fdt.physics.uiowa.educert.pem, and 400 for dynes-fdt.physics.uiowa.edukey.pem. 

[admin@dynes-fdt ~]$ ls -lh
total 8.0K
-rw-r–r– 1 admin admin 1.6K Jul  3 16:41 dynes-fdt.physics.uiowa.educert.pem
-rw——- 1 admin admin 1.7K Jul  3 16:41 dynes-fdt.physics.uiowa.edukey.pem

DYNES IDC Host Certificate

Here is how to view the certificate information if it already exists: 

[admin@dynes-idc ~]$ openssl x509 -in /home/admin/dynes-idc-vm1.net.uiowa.educert.pem -text -noout

Request IDC Host

I am using grow-grid to request certificates for the dynes equipment in hopes that I will not have to install OSG software on the DYNES equipment.

Request the certificate. 

[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-idc.net.uiowa.edu

Retrieve IDC Host

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email. 

[user@grow-grid ~]$ cert-retrieve  -serial 0xYYYYY -label dynes-idc-vm1.net.uiowa.edu -dir . -prefix dynes-idc-vm1.net.uiowa.edu
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11509
Checking that the certificate and ./dynes-idc-vm1.net.uiowa.edukey.pem match
writing RSA key
 previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists
previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-idc-vm1.net.uiowa.edukey.pem' and `./dynes-idc-vm1.net.uiowa.edukey.pem' are the same file
./dynes-idc-vm1.net.uiowa.educert.pem and ./dynes-idc-vm1.net.uiowa.edukey.pem now contain your new credential

Verify IDC Host

Check to make sure the certificate matches your machine hostname. 

[user@grow-grid ~]$ grid-cert-info -file ./dynes-idc.net.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-idc-vm1.net.uiowa.edu

Now execute this command on the IDC server: 

[admin@dynes-idc ~]$ hostname -f
dynes-idc-vm1.net.uiowa.edu
The host names in red above should match.

Edit IDC Host

Move the certificate and key to the IDC server. These files will be kept in /home/admin. 

[user@grow-grid ~]$ scp dynes-idc-vm1.net.uiowa.edu* admin@dynes-idc.net.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-idc-vm1.net.uiowa.educert.pem                                                                100% 1562     1.5KB/s   00:00    
dynes-idc-vm1.net.uiowa.edukey.pem                                                                 100% 1675     1.6KB/s   00:00

Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-idc-vm1.net.uiowa.educert.pem, and 400 for dynes-idc-vm1.net.uiowa.edukey.pem. 

[admin@dynes-idc ~]$ ls -lh
total 8.0K
-rw-r–r– 1 admin admin 1.6K Jul  3 15:37 dynes-idc-vm1.net.uiowa.educert.pem
-rw——- 1 admin admin 1.7K Jul  3 15:37 dynes-idc-vm1.net.uiowa.edukey.pem

Notes

Contact Info

This Dokuwiki page is maintained by:
Daniel Squires
University of Iowa
Department of Computer Science
Email: daniel-squires@uiowa.edu