Renew cert
Jump to navigation
Jump to search
To renew a soon to expire grid certificate:
Current expiry dates of certificates:
Server
Grid certificate expiry date
trdata00 May 19th 2014
trdata01 May 19th 2014
trdata02 May 19th 2014
trdata03 May 19th 2014
Instructions to renew grid certificates
- Go to Grid Canada grid certificate website:
https://cert.gridcanada.ca/pki/pub
You may need a valid grid certificate in your browser in order to access this website.
- Click on the "Request a certificate" link.
- Click on "Server Request" link and fill in the request. Couple details
** Set the hostname to trdata00.triumf.ca ** Set the Role to 'User' ** Choose some passphrase for the PIN.
- A couple days later you will receive emails from grid-canada with a link to your new grid certificates. Following the links will download the new grid certificates for each host into your browser.
- Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'. You should see a list of your certificates, which should show the new certificates for trdata*. For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
- Update 2020: new grid canada website is odd... need to go to bottom, under "certificate and keypair", choose PCKS#12 then click Download
- Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires. The instructions for this transformation are given here:
http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8
The critical set of steps is as follows (for trdata00 as example):
cd <whereever on local computer you have .p12 files> openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem chmod 0444 trdata00_hostcert.pem chmod 0400 trdata00_hostkey.pem
During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.
For t2ksrm you also need to do
chown dcache /etc/grid-security/hostkey.pem chown dcache /etc/grid-security/hostcert.pem
- Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:
ssh root@trdata00 cd /etc/grid-security/ mkdir 2011; cp -p host* 2011 (if copy does not already exist) mkdir 2012 scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem cp -p 2012/host* .
- Finally restart dcache server from head node:
service dcache restart
test certificates
Now go ahead and try to do a grid transfer (globus-url-copy) from trdata. If this succeeds then you have successfully uploaded new certificates.
export LFC_HOST=lfc.gridpp.rl.ac.uk; export LCG_GFAL_INFOSYS=lcg-bdii.cern.ch:2170; lcg-cp -v -v srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/raw/ND280/ND280/00007000_00007999/nd280_00007892_0019.daq.mid.gz file://tmp/nd280_00007892_0019_30643.daq.mid.gz
Also try a lcg-ls command:
lcg-ls srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root