Renew cert

From DaqWiki
Jump to navigation Jump to search

To renew a soon to expire grid certificate:

Current expiry dates of certificates:


Server Grid certificate expiry date trdata00 May 19th 2014 trdata01 May 19th 2014 trdata02 May 19th 2014 trdata03 May 19th 2014


Instructions to renew grid certificates

  • Go to Grid Canada grid certificate website:
   https://cert.gridcanada.ca/pki/pub

You may need a valid grid certificate in your browser in order to access this website.

  • Click on the "Request a certificate" link.
  • Click on "Server Request" link and fill in the request. Couple details
 **      Set the hostname to trdata00.triumf.ca 
 **      Set the Role to 'User'
 **      Choose some passphrase for the PIN.
  • A couple days later you will receive emails from grid-canada with a link to your new grid certificates. Following the links will download the new grid certificates for each host into your browser.
  • Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'. You should see a list of your certificates, which should show the new certificates for trdata*. For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
    • Update 2020: new grid canada website is odd... need to go to bottom, under "certificate and keypair", choose PCKS#12 then click Download
  • Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires. The instructions for this transformation are given here:
   http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8

The critical set of steps is as follows (for trdata00 as example): 

    cd <whereever on local computer you have .p12 files>
    openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
    openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem
    openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem
    openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem
    chmod 0444 trdata00_hostcert.pem
    chmod 0400 trdata00_hostkey.pem

During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.

For t2ksrm you also need to do 

chown dcache /etc/grid-security/hostkey.pem
chown dcache /etc/grid-security/hostcert.pem


  • Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:
    ssh root@trdata00
    cd /etc/grid-security/
    mkdir 2011; cp -p host* 2011 (if copy does not already exist)
    mkdir 2012
    scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem
    scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
    cp -p 2012/host* .
  • Finally restart dcache server from head node:
    service dcache restart

test certificates

Now go ahead and try to do a grid transfer (globus-url-copy) from trdata. If this succeeds then you have successfully uploaded new certificates. 

export LFC_HOST=lfc.gridpp.rl.ac.uk; export LCG_GFAL_INFOSYS=lcg-bdii.cern.ch:2170; lcg-cp -v -v srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/raw/ND280/ND280/00007000_00007999/nd280_00007892_0019.daq.mid.gz file://tmp/nd280_00007892_0019_30643.daq.mid.gz

Also try a lcg-ls command: 

    lcg-ls srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root
Retrieved from "https://daq00.triumf.ca/DaqWiki/index.php?title=Renew_cert&oldid=5503"