Renew cert

From DaqWiki
Revision as of 10:31, 2 June 2015 by Lindner (talk | contribs) (New page: To renew a soon to expire grid certificate: Current expiry dates of certificates: Server Grid certificate expiry date trdata00 May 19th 2014 trdata01 May 19th 2014 trdata02 May 19th...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

To renew a soon to expire grid certificate: Current expiry dates of certificates:


Server Grid certificate expiry date trdata00 May 19th 2014 trdata01 May 19th 2014 trdata02 May 19th 2014 trdata03 May 19th 2014


Instructions to renew grid certificates 

   Go to Grid Canada grid certificate website:
   https://cert.gridcanada.ca/pki/pub
   You may need a valid grid certificate in your browser in order to access this website.
   Click on the "Request a certificate" link.
   Click on "Server Request" link and fill in the request.  Couple details
       Set the hostname to trdata00.triumf.ca 
       Set the Role to 'User'
       Choose some passphrase for the PIN.
   Repeat step 3 for trdata01, trdata02, trdata03 and trdata04.
   A couple days later you will receive emails from grid-canada with a link to your new grid certificates.  Following the links will download the new grid certificates for each host into your browser.
   Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'.  You should see a list of your certificates, which should show the new certificates for trdata*.  For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
   Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires.  The instructions for this transformation are given here:
   http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8
   The critical set of steps is as follows (for trdata00 as example):

   cd <whereever on local computer you have .p12 files>
   openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
   openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem
   openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem
   openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem
   chmod 0444 trdata00_hostcert.pem
   chmod 0400 trdata00_hostkey.pem

   During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.
   Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:

   ssh root@trdata00
   cd /etc/grid-security/
   mkdir 2011; cp -p host* 2011 (if copy does not already exist)
   mkdir 2012
   scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem
   scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
   cp -p 2012/host* .

   Now go ahead and try to do a grid transfer (globus-url-copy) from trdata.  If this succeeds then you have successfully uploaded new certificates. 
   Finally restart dcache server from head node:

   service dcache restart

   Also try a lcg-ls command:

   lcg-ls srm://t2ksrm.nd280.org/nd280data/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root
Retrieved from "https://daq00.triumf.ca/DaqWiki/index.php?title=Renew_cert&oldid=5495"