Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

Handling Updates to the IGTF Certificate Distribution

When the IGTF announces a new certificate distribution, use the following steps to update the VDT.

[Updated on 25-Jun-2010 to stop attempting to include FNAL_KCA, since it's no longer shipped or used.]
[Updated on 14-Dec-2008 to reflect new location of IGTF tar file.]
[Last updated by Scot on 14 September 2008 while changing how we distribute CA certs.]

  1. Change to a suitable directory
  2. Get the certificates

    The IGTF website is at http://www.gridpma.org/, but the distribution is maintained at the EUGridPMA site. I usually start at the current distribution page, then fetch the installation bundle tarball.

    wget http://dist.eugridpma.org/distribution/igtf/1.49-old/igtf-policy-installation-bundle-1.49.tar.gz
  3. Unpack the certificates
    tar xzf igtf-policy-installation-bundle-1.49.tar.gz
  4. Make an installation directory
    mkdir made-igtf-1.49

    You must install the certificates before using them. Make sure the directory name ends with the IGTF version and that there are no other digits in the name. Sorry, I’m lazy.

  5. Configure the installation

    We want all of the IGTF accredited certificate authorities.

    $ cd igtf-policy-installation-bundle-1.49
    $ ./configure --prefix=../made-igtf-1.49 --with-profile=classic --with-profile=slcs --with-profile=mics
    Configuration of the IGTF bundle complete
    use "make install" to install the selected authorities in
    ../made-igtf-1.49.
    
  6. Install the certificates into your temporary directory
    $ make install
    Installing CAs for profile accredited:slcs
    install policy-igtf-slcs.info ../made-igtf-1.49/
    install src/accredited/a317c467.0 ../made-igtf-1.49/
    ...
    install src/accredited/9dd23746.namespaces ../made-igtf-1.49/
    install src/accredited/9dd23746.signing_policy ../made-igtf-1.49/
    Installing CAs for profile accredited:classic
    install policy-igtf-classic.info ../made-igtf-1.49/
    install src/experimental/e1fce4e9.0 ../made-igtf-1.49/
    install src/experimental/e1fce4e9.info ../made-igtf-1.49/
    install src/experimental/e1fce4e9.namespaces ../made-igtf-1.49/
    install src/experimental/e1fce4e9.signing_policy ../made-igtf-1.49/
  7. Check out the certificates branch
    svn co file:///p/vdt/workspace/svn/certs/trunk

    OR

    Make sure your checkout is up to date

    svn update
  8. Check over the process-igtf-distribution.pl script

    In particular, pay attention to the whitelist and blacklist definitions.

  9. Run the script
    $ ./process-igtf-distribution.pl /scratch/roy/igtf/made-igtf-1.49 /u/r/o/roy/vdt/certs
    Checking CA certificates for updates:
        IGTF directory: /u/c/a/cat/ca-certificate-distributions/made-igtf-1.49
        VDT to update:  /p/condor/workspaces/cat/certs-trunk
    
    Updates to CA certificates, by hash:
        01621954 UKeScience                ... 2 files changed
        03aa0ecb BEGrid                    ... 1 file changed
    ...
        fa3af1d7 CERN                      ... 1 file changed
        fe102e03 DFN-GridGermany-Server    ... 2 files changed
  10. Review output and igtf-1.49-update-diffs.log

    Be sure to understand the differences, even though most of them are CVS-related or are simple version-string changes. Be particularly careful about hashes in the output that have “files not in IGTF” next to them: those files will be deleted!

  11. Repeat Steps 9–11 until you’re happy with it all
  12. Verify the igtf-1.49-update-script.sh by hand
  13. Run the update script
    ./igtf-1.49-update-script.sh

    Yes, you must say yes to each file deletion!

  14. Verify changes
    svn status
  15. Update the INDEX.txt file. Don't miss the version number at the bottom of the page.

    Verify the contents of this file by running:

    ./validate_index.pl
  16. Update the CHANGES file
  17. Update the top-level defs file to reflect a new VDT CA certificates version
  18. Commit all changes

    Be sure to mention the IGTF distribution version and the new VDT CA certificates version in your commit message.

  19. Run the following to make the CA-Certificates.pacman file, manifest file, and rpm package.
    cd vdt-scripts
    ./release-certs.pl
  20. Do a quick installation to check everything.
    • To check the CA-Certificates-Base.pacman, install from 1.8.1:
      pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:CA-Certificates
    • To check the manifest file and certificates tarball, install the CA-Certificates package from 1.10.1 (or later), or force an update from the OSG-EDU CE.
    • To check the RPM - ???
  21. Announce the new distribution by sending email to
    • goc@opensciencegrid.org
    • vdt-discuss@opensciencegrid.org

    Here's some text to get you started. Subject:

    VDT CA certificates updated with IGTF 1.49

    Message:

    The VDT team has updated its CA certificate distribution to reflect the contents
    of the IGTF 1.49 distribution. Information about the IGTF distribution is
    available at
    
    https://dist.eugridpma.info/distribution/igtf/current/
    
    Information about the contents of this VDT release (version 40) of the certificates is available at:
    
    http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html?oldrelease=40
    For more information about the certificates and about updating your
    installation, follow the link for your VDT version:
    
    http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html
    http://vdt.cs.wisc.edu/releases/1.8.1/certificate_authorities.html
    
    Please note that if you are using the VDT certificate updater
    (available since VDT 1.8.0), your certificates will be updated
    automatically. 
    
    As always, if you have questions, comments, or concerns, please let us know.
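The per-hash comparison that steps 9 and 10 rely on, written out as an added example (this is not the VDT's process-igtf-distribution.pl, only a Python sketch of the same idea): files are grouped by the 8-hex-digit hash in their name, each hash is classified as new, changed, unchanged, or "not in IGTF" (the case the update script deletes), and the IGTF version is taken from the directory name under step 4's naming rule. The companion-file suffixes are assumed from the install output above; the sample directories, their contents and the hash deadbeef are constructed (01621954 and fa3af1d7 come from the page's log).

```python
import re, tempfile
from collections import defaultdict
from pathlib import Path

# One CA per 8-hex-digit hash; these suffixes are the companion files the bundle installs.
HASH_FILE = re.compile(r"^([0-9a-f]{8})\.(0|info|namespaces|signing_policy)$")

def igtf_version_from_dir(path):
    """Step 4's rule: the name ends with the IGTF version and contains no other digits."""
    name = Path(path).name
    m = re.search(r"(\d+\.\d+)$", name)
    if not m or re.search(r"\d", name[:m.start()]):
        raise ValueError("bad IGTF directory name: " + name)
    return m.group(1)

def files_by_hash(directory):
    """Map hash -> {filename: bytes} for every CA file in a directory."""
    out = defaultdict(dict)
    for p in Path(directory).iterdir():
        m = HASH_FILE.match(p.name)
        if m:
            out[m.group(1)][p.name] = p.read_bytes()
    return out

def compare_ca_dirs(igtf_dir, vdt_dir):
    """Classify each hash: new, changed, unchanged, or 'not in IGTF' (the update deletes it)."""
    igtf, vdt = files_by_hash(igtf_dir), files_by_hash(vdt_dir)
    report = {}
    for h in sorted(set(igtf) | set(vdt)):
        a, b = igtf.get(h, {}), vdt.get(h, {})
        if not a:
            report[h] = ("not in IGTF", sorted(b))
        elif not b:
            report[h] = ("new", sorted(a))
        else:
            changed = sorted(f for f in set(a) | set(b) if a.get(f) != b.get(f))
            report[h] = ("changed", changed) if changed else ("unchanged", [])
    return report

def build_sample():
    """Constructed sample dirs: hashes taken from the page's log, file contents made up."""
    root = Path(tempfile.mkdtemp())
    dirs = {"made-igtf-1.49": {"01621954.0": b"v2", "01621954.info": b"1.49", "fa3af1d7.0": b"same"},
            "certs-trunk": {"01621954.0": b"v1", "01621954.info": b"1.48", "fa3af1d7.0": b"same", "deadbeef.0": b"old"}}
    for d, files in dirs.items():
        (root / d).mkdir()
        for name, data in files.items():
            (root / d / name).write_bytes(data)
    return root / "made-igtf-1.49", root / "certs-trunk"
```

Run compare_ca_dirs on the real made-igtf-<version> directory and your certs checkout to get the same "not in IGTF" list the script's log reports before answering yes to any deletion.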