GROW Certificates

GROW Certificate Information

Here is a list of the certificates that we use here at GROW.

grow-grid.its.uiowa.edu

File Name          Location                      Permissions  Owner
hostcert.pem       /etc/grid-locations           444          root:root
hostkey.pem        /etc/grid-locations           400          root:root
containercert.pem  /etc/grid-locations           444          daemon:daemon
containerkey.pem   /etc/grid-locations           400          daemon:daemon
rsvcert.pem        /etc/grid-locations/rsv       444          rsv:users
rsvkey.pem         /etc/grid-locations/rsv       400          rsv:users
httpcert.pem       /etc/grid-locations/http      444          tomcat:daemon
httpkey.pem        /etc/grid-locations/http      400          tomcat:daemon
bestmancert.pem    /etc/grid-locations/bestman   444          bestman:root
bestmankey.pem     /etc/grid-locations/bestman   400          bestman:root

dynes-fdt.physics.uiowa.edu

File Name                            Location     Permissions  Owner
dynes-fdt.physics.uiowa.educert.pem  /home/admin  444          admin:admin
dynes-fdt.physics.uiowa.edukey.pem   /home/admin  400          admin:admin

dynes-idc.net.uiowa.edu

File Name                        Location     Permissions  Owner
dynes-idc.net.uiowa.educert.pem  /home/admin  444          admin:admin
dynes-idc.net.uiowa.edukey.pem   /home/admin  400          admin:admin

The Certificate Scripts Package must be installed in order to install certificates! Check here for requirements before continuing.

Requesting Certificates

Here are the official instructions to retrieve host certificates. The cert-request script will prompt you for:

  • Reason for request
  • Administrator's name
  • Full hostname of server
  • Administrator's email
  • Phone number
  • Choose a registration authority (choose OSG)
  • Choose a VO (choose CMS or OSG)
  • Confirmation that you are authorized to install the certificate on the host

If the script runs without error, you will then be given a certificate request id which can be used to identify the response email to a particular certificate request. You will also have two files in your current directory (where hostname is replaced with the hostname you supplied to the script):

  • hostnamekey.pem
  • hostname.req

Now you must wait for a response from DOEGrids which will contain a serial code needed to retrieve the certificate.

Certificate renewal is the same process as requesting a new certificate.

View Certificate Information

Be sure to change “hostcert.pem” to the name and location of the certificate you wish to work with.

openssl method

You can view the expiration of certificates by running this command.

[user@grow-grid grid-security]# openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Jul 14 14:57:09 2011 GMT
notAfter=Jul 13 14:57:09 2012 GMT

grid-cert-info method

This method requires the Certificate Scripts Package to be installed.

[user@grow-grid grid-security]# grid-cert-info -file ./hostcert.pem

Host Certificate

Request Host

Submit a request for a host certificate.

[root@grow-grid grid-security]# cert-request -ou s -dir . -label grow-grid.its.uiowa.edu

Retrieve Host

Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate by running this command.

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYY -label grow-grid.its.uiowa.edu -dir . -prefix grow-grid.its.uiowa.edu

checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0xYYYY 
Checking that the certificate and ./grow-grid.its.uiowa.edukey.pem match
writing RSA key
./grow-grid.its.uiowa.educert.pem and ./grow-grid.its.uiowa.edukey.pem now contain your new credential

Verify Host

Check to make sure the certificate matches your machine hostname.

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=rsv/grow-grid.its.uiowa.edu

Now execute:

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu

Edit Host

Change the certificate and key names to hostcert.pem and hostkey.pem and edit the file permissions.

[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/hostcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/hostcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/hostkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/hostkey.pem
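The Verify and Edit steps above, together with the expiry check under View Certificate Information, can be folded into one audit function that is run against each row of the certificate table at the top of this page. This is an added example, not a script from the GROW wiki or the Certificate Scripts Package; it assumes GNU coreutils (stat -c, date -d) and the openssl CLI, and takes the expected host name as an argument (normally the output of hostname -f).

```shell
#!/bin/sh
# Added example, not from the GROW wiki: audit one credential the way the
# Verify/Edit steps do by hand. Assumes GNU coreutils (stat -c, date -d)
# and the openssl CLI. Service certs carry CN=service/host, host certs CN=host.

cert_cn() {            # CN of the subject, e.g. http/grow-grid.its.uiowa.edu
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_days_left() {     # whole days until notAfter (negative once expired)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

key_matches_cert() {   # compare public keys, do not trust matching file names
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

mode_owner() {         # prints "MODE USER:GROUP", e.g. "400 root:root"
  stat -c '%a %U:%G' "$1"
}

# audit_credential CERT KEY USER:GROUP EXPECTED_HOST [WARN_DAYS]
# Returns 0 when every check passes; each failure is reported on stderr.
audit_credential() {
  cert=$1; key=$2; owner=$3; host=$4; warn=${5:-30}; rc=0
  cn=$(cert_cn "$cert")
  case "$cn" in
    "$host" | */"$host") ;;
    *) echo "FAIL: CN '$cn' does not match host '$host'" >&2; rc=1 ;;
  esac
  key_matches_cert "$cert" "$key" ||
    { echo "FAIL: $key is not the private key for $cert" >&2; rc=1; }
  [ "$(mode_owner "$cert")" = "444 $owner" ] ||
    { echo "FAIL: $cert is $(mode_owner "$cert"), want 444 $owner" >&2; rc=1; }
  [ "$(mode_owner "$key")" = "400 $owner" ] ||
    { echo "FAIL: $key is $(mode_owner "$key"), want 400 $owner" >&2; rc=1; }
  days=$(cert_days_left "$cert")
  [ "$days" -gt "$warn" ] ||
    { echo "FAIL: $cert expires in $days days; renew with cert-request" >&2; rc=1; }
  return $rc
}
```

For the host credential from the table this is audit_credential /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem root:root "$(hostname -f)"; the same call with the rsv, http and bestman paths and owners covers the service credentials.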

Container Certificate

We will use the host certificate as the container certificate. This is the only instance where using a copy of the host certificate is allowed.

[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/containerkey.pem

Change ownership on the container certificate.

[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containerkey.pem

HTTP Service Certificate

Request HTTP

[root@grow-grid grid-security]# cert-request -ou s -service http -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-http

Retrieve HTTP

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYYY -label grow-grid.its.uiowa.edu-http -dir . -prefix grow-grid.its.uiowa.edu-http
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11526
Checking that the certificate and ./grow-grid.its.uiowa.edu-httpkey.pem match
writing RSA key
 previous ./grow-grid.its.uiowa.edu-httpkey.pem exists
previous ./grow-grid.its.uiowa.edu-httpkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-httpkey.pem' and `./grow-grid.its.uiowa.edu-httpkey.pem' are the same file
./grow-grid.its.uiowa.edu-httpcert.pem and ./grow-grid.its.uiowa.edu-httpkey.pem now contain your new credential

Verify HTTP

Check to make sure the certificate matches your machine hostname.

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-httpcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=http/grow-grid.its.uiowa.edu

Now execute:

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host name in the certificate's CN and the output of hostname -f should match.

Edit HTTP

Change the certificate and key names to httpcert.pem and httpkey.pem and edit the file permissions and ownerships.

[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpcert.pem /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpkey.pem /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chown tomcat:daemon /etc/grid-security/http/http*

RSV Service Certificate

Request RSV

[root@grow-grid grid-security]# cert-request -ou s -service rsv -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-rsv

Retrieve RSV

Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate by running this command.

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYY -label grow-grid.its.uiowa.edu-rsv -dir . -prefix grow-grid.its.uiowa.edu-rsv
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11507
Checking that the certificate and ./grow-grid.its.uiowa.edu-rsvkey.pem match
writing RSA key
 previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists
previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-rsvkey.pem' and `./grow-grid.its.uiowa.edu-rsvkey.pem' are the same file
./grow-grid.its.uiowa.edu-rsvcert.pem and ./grow-grid.its.uiowa.edu-rsvkey.pem now contain your new credential

Verify RSV

Check to make sure the certificate matches your machine hostname.

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-rsvcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu

Now execute:

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host name in the certificate's CN and the output of hostname -f should match.

Edit RSV

Change the certificate and key names to rsvcert.pem and rsvkey.pem, place them in /etc/grid-security/rsv, and edit the file ownership and permissions.

[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvcert.pem /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvkey.pem /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvcert.pem

Bestman Service Certificate

The bestman service certificate will be used by the bestman user and stored at grow-grid.its.uiowa.edu:/etc/grid-security/bestman.

Request Bestman

[root@grow-grid bestman]# cert-request -ou s -service bestman -host grow-grid.its.uiowa.edu -label bestman-grow-grid.its.uiowa.edu-bestman

Retrieve Bestman

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.

[root@grow-grid grid-security]# cert-retrieve  -serial 0xYYYYY -label grow-grid.its.uiowa.edu-bestman -dir . -prefix grow-grid.its.uiowa.edu-bestman

Verify Bestman

Check to make sure the certificate matches your machine hostname.

[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-bestmancert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=bestman/grow-grid.its.uiowa.edu

Now execute:

[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
The host name in the certificate's CN and the output of hostname -f should match.

Edit Bestman

Move the certificate and key to the bestman directory and change the owner and permissions as follows:

[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmancert.pem bestman/bestmancert.pem
[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmankey.pem bestman/bestmankey.pem
[root@grow-grid grid-security]# chown bestman:root bestman/bestman*
[root@grow-grid bestman]# chmod 400 /etc/grid-security/bestman/bestmankey.pem 
[root@grow-grid bestman]# chmod 444 /etc/grid-security/bestman/bestmancert.pem

DYNES FDT Host Certificate

Here is how to view the certificate information if it already exists:

[admin@dynes-fdt ~]$ openssl x509 -in /home/admin/dynes-fdt.physics.uiowa.educert.pem -text -noout

Request FDT Host

I am using grow-grid to request certificates for the dynes equipment in hopes that I will not have to install OSG software on the DYNES equipment.

Submit a request for a certificate.

[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-fdt.physics.uiowa.edu

Retrieve FDT Host

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.

[dsquires@grow-grid ~]$ cert-retrieve  -serial 0xYYYYY -label dynes-fdt.physics.uiowa.edu -dir . -prefix dynes-fdt.physics.uiowa.edu
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11508
Checking that the certificate and ./dynes-fdt.physics.uiowa.edukey.pem match
writing RSA key
 previous ./dynes-fdt.physics.uiowa.edukey.pem exists
previous ./dynes-fdt.physics.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-fdt.physics.uiowa.edukey.pem' and `./dynes-fdt.physics.uiowa.edukey.pem' are the same file
./dynes-fdt.physics.uiowa.educert.pem and ./dynes-fdt.physics.uiowa.edukey.pem now contain your new credential

Verify FDT Host

Check to make sure the certificate matches your machine hostname.

[user@grow-grid ~]$ grid-cert-info -file ./dynes-idc.net.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-fdt-physics.uiowa.edu

Now execute this command on the FDT server:

[admin@dynes-fdt ~]$ hostname -f
dynes-fdt.physics.uiowa.edu

The host name in the certificate's CN and the output of hostname -f should match.

Edit FDT Host

Move the certificate and key to the FDT server. These files will be kept in /home/admin.

[dsquires@grow-grid ~]$ scp dynes-fdt.physics.uiowa.edu* admin@dynes-fdt.physics.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-fdt.physics.uiowa.educert.pem                                                            100% 1574     1.5KB/s   00:00    
dynes-fdt.physics.uiowa.edukey.pem                                                             100% 1675     1.6KB/s   00:00

Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-fdt.physics.uiowa.educert.pem, and 400 for dynes-fdt.physics.uiowa.edukey.pem.

[admin@dynes-fdt ~]$ ls -lh
total 8.0K
-rw-r--r-- 1 admin admin 1.6K Jul  3 16:41 dynes-fdt.physics.uiowa.educert.pem
-rw------- 1 admin admin 1.7K Jul  3 16:41 dynes-fdt.physics.uiowa.edukey.pem

DYNES IDC Host Certificate

Here is how to view the certificate information if it already exists:

[admin@dynes-idc ~]$ openssl x509 -in /home/admin/dynes-idc-vm1.net.uiowa.educert.pem -text -noout

Request IDC Host

I am using grow-grid to request certificates for the dynes equipment in hopes that I will not have to install OSG software on the DYNES equipment.

Request the certificate.

[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-idc.net.uiowa.edu

Retrieve IDC Host

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.

[user@grow-grid ~]$ cert-retrieve  -serial 0xYYYYY -label dynes-idc-vm1.net.uiowa.edu -dir . -prefix dynes-idc-vm1.net.uiowa.edu
checking CertLib version, V2-7,  This is the latest version, released 18 May 2009.
 using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11509
Checking that the certificate and ./dynes-idc-vm1.net.uiowa.edukey.pem match
writing RSA key
 previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists
previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-idc-vm1.net.uiowa.edukey.pem' and `./dynes-idc-vm1.net.uiowa.edukey.pem' are the same file
./dynes-idc-vm1.net.uiowa.educert.pem and ./dynes-idc-vm1.net.uiowa.edukey.pem now contain your new credential

Verify IDC Host

Check to make sure the certificate matches your machine hostname.

[user@grow-grid ~]$ grid-cert-info -file ./dynes-idc.net.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-idc-vm1.net.uiowa.edu

Now execute this command on the IDC server:

[admin@dynes-idc ~]$ hostname -f
dynes-idc-vm1.net.uiowa.edu
The host name in the certificate's CN and the output of hostname -f should match.

Edit IDC Host

Move the certificate and key to the IDC server. These files will be kept in /home/admin.

[user@grow-grid ~]$ scp dynes-idc-vm1.net.uiowa.edu* admin@dynes-idc.net.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-idc-vm1.net.uiowa.educert.pem                                                                100% 1562     1.5KB/s   00:00    
dynes-idc-vm1.net.uiowa.edukey.pem                                                                 100% 1675     1.6KB/s   00:00

Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-idc-vm1.net.uiowa.educert.pem, and 400 for dynes-idc-vm1.net.uiowa.edukey.pem.

[admin@dynes-idc ~]$ ls -lh
total 8.0K
-rw-r--r-- 1 admin admin 1.6K Jul  3 15:37 dynes-idc-vm1.net.uiowa.educert.pem
-rw------- 1 admin admin 1.7K Jul  3 15:37 dynes-idc-vm1.net.uiowa.edukey.pem

Notes

Contact Info

This Dokuwiki page is maintained by:
Daniel Squires
University of Iowa
Department of Computer Science
Email: daniel-squires@uiowa.edu