-
Notifications
You must be signed in to change notification settings - Fork 2
/
QUICKSTART
86 lines (56 loc) · 2.81 KB
/
QUICKSTART
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
Cert Sorcerer (CS) Quick-Start Guide
------------------------------------
First you need to install the dependencies (on RHEL do):
yum install openssl python PyOpenSSL python-pycurl
You should then fetch CS.py and edit the constants at the top for your site.
It should be noted that CS generates key files in PKCS#1 format regardless of
the host openssl version (by doing a conversion step after any key generate).
This should be suitable for most grid middleware. If PKCS#8 is absolutely
required the "openssl pkcs8" command can be used to convert the key back.
Getting a New Cert
------------------
To request a new cert just run CS.py followed by the CN, for example to get a user cert:
./CS.py "john smith"
or for a host cert:
./CS.py "myhost.some.domain.com"
Getting new host certificates requires a valid user cert & key in
~/.globus/user{cert,key}.pem .
Very Quick Host Cert Renewal
----------------------------
If you want to just renew a hostcert, the easiest thing to do is run this on
the actual machine as root (or whoever owns /etc/grid-security/hostkey.pem):
./CS.py --sys
Once you get an e-mail from the CA saying the cert has been issued, run the
"./CS.py --sys" command again to fetch it. You can use "./CS.py --sys --fetch"
to avoid being prompted for this operation.
Host certificate renewals don't require a valid user key.
Importing A Certificate
-----------------------
If you want to renew a certificate that's already been issued you need to place
it into the ~/.cs directory under a directory named after the CN. Any spaces in
the CN should be replaced with underscores.
mkdir -p ~/.cs/john_smith
chmod 700 ~/.cs/john_smith
# Copy the old certificate & key into the directory
cp my_user_cert.pem ~/.cs/john_smith/cert.pem
cp my_user_key.pem ~/.cs/john_smith/key.pem
This also works for hostcerts:
mkdir -p ~/.cs/myhost.some.domain.com
chmod 700 ~/.cs/myhost.some.domain.com
cp hostcert.pem ~/.cs/myhost.some.domain.com/cert.pem
cp hostkey.pem ~/.cs/myhost.some.domain.com/key.pem
If you certificate is in .p12 format, replace the cp steps in the above with:
openssl pkcs12 -nocerts -nodes -in mycert.p12 -out ~/.cs/john_smith/key.pem
openssl pkcs12 -clcerts -nokeys -in mycert.p12 -out ~/.cs/john_smith/cert.pem
CS will fix the permissions automatically however you can optionally do this by
hand just to ensure things are secure:
chmod 644 ~/.cs/john_smith/cert.pem
chmod 600 ~/.cs/john_smith/key.pem
Renewing A Certificate
----------------------
If the certificate was issued with CS then you just need to invoke it with the
same parameters you did originally, i.e.
./CS.py "john smith"
If the certificate wasn't originally requested with CS, follow the importing a
certificate step and then invoke it with the CN as contained in the cert.
Run the command again once you have received e-mail confirmation of the renewal.