ESGF Globus Simple CA Creation
ncaripsl edited this page Nov 12, 2014 · 6 revisions
Execute
source /etc/esg.env
/usr/local/globus/setup/globus/setup-simple-ca
Define a unique subject (e.g. CN=Globus Simple CA, OU=simpleCA-esgf-node.ipsl.fr, OU=GlobusTest, O=Grid)
The unique subject name for this CA is:
cn=Globus Simple CA, ou=simpleCA-esgf-node.ipsl.fr, ou=GlobusTest, o=Grid
Do you want to keep this as the CA subject (y/n) [y]:
Define email address
Enter the email of the CA (this is the email where certificate requests will be sent to be
signed by the CA): admin@my_org.my_domain.
Define CA expiration
The CA certificate has an expiration date. Keep in mind that once the CA certificate has expired,
all the certificates signed by that CA become invalid. A CA should regenerate the CA certificate
and start re-issuing ca-setup packages before the actual CA certificate expires. This can be
done by re-running this setup script. Enter the number of DAYS the CA certificate should last
before it expires.[default: 5 years (1825 days)]:
Configure passphrase
Generating a 1024 bit RSA private key
........++++++
................++++++
writing new private key to '/home/globus/.globus/simpleCA//private/cakey.pem'
Enter PEM pass phrase:
Confirm
A self-signed certificate has been generated
for the Certificate Authority with the subject:
/O=Grid/OU=GlobusTest/OU=esgf-node.ipsl.fr/CN=Globus Simple CA
If this is invalid, rerun this script
setup/globus/setup-simple-ca
and enter the appropriate fields.
-------------------------------------------------------------------
The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem
The distribution package built for this CA is stored in
/home/globus/.globus/simpleCA//globus_simple_ca_68ea3306_setup-0.17.tar.gz
Result
***************************************************************************
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:
/opt/gt4/setup/globus_simple_ca_68ea3306_setup/setup-gsi
For further information on using the setup-gsi script, use the -help
option. The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.
***************************************************************************
setup-ssl-utils: Complete
Execute
/usr/local/globus/setup/globus_simple_ca_<certhash>_setup/setup-gsi
Result
setup-gsi: Configuring GSI security
Installing /etc/grid-security/certificates//grid-security.conf.CA_Hash...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
Check freshly created CA Cert
openssl x509 -text -in /root/.globus/simpleCA/cacert.pem
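The `openssl x509 -text` check above can be scripted. The following is an added example, not part of the original wiki page or of the Globus tooling: it reads the key size (the transcript above shows a 1024-bit RSA key being generated), tests how close the CA certificate is to the expiration discussed in the "Define CA expiration" step, and verifies that `cakey.pem` is not accessible to group or other. The function names, the script name, and the `MIN_BITS` and `WARN_DAYS` thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the ESGF wiki): audit a Simple CA after creation.
# MIN_BITS and WARN_DAYS are assumed local policy values, not ESGF or Globus requirements.
MIN_BITS=${MIN_BITS:-2048}
WARN_DAYS=${WARN_DAYS:-90}

# Print the public key size in bits, parsed from the "Public-Key: (N bit)" line.
ca_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed if the certificate expires within $2 days (or has already expired).
ca_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if the key file grants nothing to group or other (e.g. mode 0600 or 0400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: audit_simple_ca CACERT CAKEY
# Prints one line per finding and returns 1 if there is any, 0 otherwise.
audit_simple_ca() {
    cert=$1; key=$2; rc=0
    bits=$(ca_key_bits "$cert")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "WEAK_KEY ${bits:-unknown} bits, policy minimum $MIN_BITS"; rc=1
    fi
    if ca_expires_within_days "$cert" "$WARN_DAYS"; then
        echo "EXPIRING $(openssl x509 -in "$cert" -noout -enddate)"; rc=1
    fi
    if ! key_is_private "$key"; then
        echo "KEY_PERMS $key is accessible to group or other"; rc=1
    fi
    return "$rc"
}

# Run only when both paths are given, e.g. (audit_ca.sh is a hypothetical file name):
#   sh audit_ca.sh /home/globus/.globus/simpleCA/cacert.pem \
#                  /home/globus/.globus/simpleCA/private/cakey.pem
if [ "$#" -eq 2 ]; then audit_simple_ca "$1" "$2"; fi
```

A non-zero exit status means at least one finding was printed, so the script can gate later steps such as distributing the CA setup package.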