Renew cert: Difference between revisions

From DaqWiki
Diff summary (first revision, edit summary "New page: To renew a soon to expire grid certificate: Current expiry dates of certificates: Server Grid certificate expiry date trdata00 May 19th 2014 trdata01 May 19th 2014 trdata02 May 19th...", compared with the revision of 2 June 2015, no edit summary): the later revision turned the three section titles into "= ... =" wiki headings, turned the numbered steps into a "*" bulleted list with "**" sub-items for the request details, wrapped the command sequences in <pre> blocks, moved the "Finally restart dcache server from head node" step ahead of the "test certificates" section, and no longer contains the earlier step "Repeat step 3 for trdata01, trdata02, trdata03 and trdata04." The full text of the later revision follows.
Revision as of 09:34, 2 June 2015

= To renew a soon-to-expire grid certificate =

Current expiry dates of certificates:

{| class="wikitable"
! Server !! Grid certificate expiry date
|-
| trdata00 || May 19th 2014
|-
| trdata01 || May 19th 2014
|-
| trdata02 || May 19th 2014
|-
| trdata03 || May 19th 2014
|}


= Instructions to renew grid certificates =

* Go to the Grid Canada grid certificate website: https://cert.gridcanada.ca/pki/pub  You may need a valid grid certificate in your browser in order to access this website.
* Click on the "Request a certificate" link.
* Click on the "Server Request" link and fill in the request. A couple of details:
** Set the hostname to trdata00.triumf.ca
** Set the Role to 'User'
** Choose some passphrase for the PIN.
* A couple of days later you will receive emails from grid-canada with a link to your new grid certificates. Following the links will download the new grid certificates for each host into your browser.
* Next you need to export these certificates from the browser into a PKCS#12 format file (extension .p12). The following instructions are for Firefox 10.0.3: go to 'Preferences' -> 'Advanced' -> 'Encryption', then click on 'View Certificates'. You should see a list of your certificates, which should include the new certificates for trdata*. For each certificate click on 'Backup' and save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.


* Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires. The instructions for this transformation are given here: http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8
The critical set of steps is as follows (for trdata00 as example):
<pre>
cd <wherever on local computer you have .p12 files>
# extract the private key (still passphrase-protected)
openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
# extract only the host certificate (no key, no CA chain)
openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem
# re-emit the certificate with a human-readable text header
openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem
# remove the passphrase from the key
openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem
chmod 0444 trdata00_hostcert.pem
chmod 0400 trdata00_hostkey.pem
</pre>
During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.
* Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:
<pre>
ssh root@trdata00
cd /etc/grid-security/
mkdir 2011; cp -p host* 2011   # only if a copy of the old files does not already exist
mkdir 2012
scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem
scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
cp -p 2012/host* .
</pre>
* Finally restart the dcache server from the head node:
<pre>
service dcache restart
</pre>
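The .p12 to PEM transformation above is the same for every trdata host, so the following added example (not from this wiki page or from Grid Canada) wraps the page's four openssl commands and the chmod calls in one function that can be called for trdata00 through trdata04. It assumes the openssl command-line tool and replaces the interactive passphrase prompts with openssl's env: passphrase source, reading the export passphrase from a P12_PASS environment variable (an assumption; the page's commands prompt instead).

```shell
#!/bin/sh
# Added example, not from the DaqWiki page: the page's .p12 -> PEM steps for one
# host, as a function, so the same sequence can be run for trdata00..trdata04.
# Assumes the openssl CLI.  The passphrase chosen when the .p12 was exported is
# read from $P12_PASS (assumption: replaces the interactive prompts on the page).

# Convert <host>_cert.p12 in the current directory into <host>_hostcert.pem
# and <host>_hostkey.pem.  Returns non-zero if any step fails.
p12_to_hostpem() {
    host=$1
    p12="${host}_cert.p12"
    [ -f "$p12" ] || { echo "missing $p12" >&2; return 1; }
    [ -n "$P12_PASS" ] || { echo "P12_PASS is not set" >&2; return 1; }
    # 1. pull the private key out, still encrypted under the same passphrase
    openssl pkcs12 -nocerts -in "$p12" -passin env:P12_PASS \
        -out "${host}_hostkey.encrypted.pem" -passout env:P12_PASS || return 1
    # 2. pull only the host certificate: no key, no CA chain
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin env:P12_PASS \
        -out "${host}_hostcert_noText.pem" || return 1
    # 3. re-emit the certificate with the human-readable text header
    openssl x509 -in "${host}_hostcert_noText.pem" -text \
        > "${host}_hostcert.pem" || return 1
    # 4. strip the passphrase; the grid services need an unencrypted key
    openssl rsa -in "${host}_hostkey.encrypted.pem" -passin env:P12_PASS \
        -out "${host}_hostkey.pem" || return 1
    # the intermediates are no longer needed
    rm -f "${host}_hostkey.encrypted.pem" "${host}_hostcert_noText.pem"
    chmod 0444 "${host}_hostcert.pem"
    chmod 0400 "${host}_hostkey.pem"
}

# Convert every host named on the command line, e.g.
#   P12_PASS=... sh p12_to_hostpem.sh trdata00 trdata01 trdata02 trdata03 trdata04
for h in "$@"; do
    p12_to_hostpem "$h" && echo "converted $h" || echo "FAILED $h" >&2
done
```

One caveat when reusing this on a modern machine: .p12 files exported by old Firefox/NSS versions encrypt the certificate bag with RC2, which OpenSSL 3 only accepts when the pkcs12 commands are given -legacy; if the import fails with an "unsupported" error, that is the first thing to try.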

= Test certificates =

Now go ahead and try to do a grid transfer (globus-url-copy) from trdata. If this succeeds then you have successfully installed the new certificates.

Also try an lcg-ls command:
<pre>
lcg-ls srm://t2ksrm.nd280.org/nd280data/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root
</pre>
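The globus-url-copy and lcg-ls tests above only tell you something once the files are on the server. The following added example (not from this wiki page) is a set of local checks to run on the new hostcert.pem and hostkey.pem before copying them into /etc/grid-security: that the certificate is not about to expire (the expiry table at the top of the page can be refreshed from the same command), that the key actually belongs to the certificate, that the certificate was issued for the right host, and that the key is not readable by anyone else. It assumes the openssl CLI; the file names, the host name and the 30-day warning threshold are parameters.

```shell
#!/bin/sh
# Added example, not from the DaqWiki page: local sanity checks for a
# hostcert.pem / hostkey.pem pair before it is installed.  Assumes the
# openssl CLI; file names, host name and the day threshold are arguments.

# Print the certificate's notAfter date, e.g. "notAfter=May 19 23:59:59 2014 GMT".
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate
}

# 0 if the certificate stays valid for at least $2 more days (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# 0 if the private key and the certificate carry the same RSA modulus,
# i.e. the key really belongs to this certificate.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the subject names the expected host (RFC2253 output has no spaces
# around '=', so it is stable across openssl versions).
cert_issued_to() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    case "$subj" in *"$2"*) return 0 ;; esac
    return 1
}

# 0 if group and others have no permission bits at all on the key (e.g. 0400).
# Columns 5-10 of "ls -l" are the group and other permission triplets.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check, print one line per check, return non-zero if any failed.
check_host_credentials() {
    cert=$1; key=$2; host=$3; rc=0
    cert_expiry "$cert"
    if cert_valid_for_days "$cert" 30; then echo "ok   valid for at least 30 days"
    else echo "FAIL expires within 30 days"; rc=1; fi
    if key_matches_cert "$cert" "$key"; then echo "ok   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    if cert_issued_to "$cert" "$host"; then echo "ok   issued to $host"
    else echo "FAIL subject does not name $host"; rc=1; fi
    if key_is_private "$key"; then echo "ok   key readable by owner only"
    else echo "FAIL key is readable by group/others (chmod 0400)"; rc=1; fi
    return $rc
}

# Usage: sh check_host_credentials.sh trdata00_hostcert.pem trdata00_hostkey.pem trdata00.triumf.ca
if [ "$#" -eq 3 ]; then
    check_host_credentials "$@"
fi
```

Run it on the local copies right after the conversion step and again on the server after the cp into /etc/grid-security; the expiry line is also what the table at the top of this page should be updated from.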