When the IGTF announces a new certificate distribution, use the following steps to update the VDT.
[Updated on 25-Jun-2010 to stop attempting to include FNAL_KCA,
since it's no longer shipped or used.]
[Updated on 14-Dec-2008 to reflect new location of IGTF tar file.]
[Last updated by Scot on 14 September 2008 while changing how we distribute CA certs.]
tar xzf igtf-policy-installation-bundle-1.49.tar.gz
You must install the certificates before using them. Make sure the directory name ends with the IGTF version and that there are no other digits in the name. Sorry, I’m lazy.
We want all of the IGTF accredited certificate authorities.
$ cd igtf-policy-installation-bundle-1.49
$ ./configure --prefix=../made-igtf-1.49 --with-profile=classic --with-profile=slcs --with-profile=mics
Configuration of the IGTF bundle complete
use "make install" to install the selected authorities in ../made-igtf-1.49.
$ make install
Installing CAs for profile accredited:slcs
install policy-igtf-slcs.info ../made-igtf-1.49/
install src/accredited/a317c467.0 ../made-igtf-1.49/
...
install src/accredited/9dd23746.namespaces ../made-igtf-1.49/
install src/accredited/9dd23746.signing_policy ../made-igtf-1.49/
Installing CAs for profile accredited:classic
install policy-igtf-classic.info ../made-igtf-1.49/
install src/experimental/e1fce4e9.0 ../made-igtf-1.49/
install src/experimental/e1fce4e9.info ../made-igtf-1.49/
install src/experimental/e1fce4e9.namespaces ../made-igtf-1.49/
install src/experimental/e1fce4e9.signing_policy ../made-igtf-1.49/
svn co file:///p/vdt/workspace/svn/certs/trunk
Make sure your checkout is up to date.
In particular, pay attention to the whitelist and blacklist definitions.
$ ./process-igtf-distribution.pl /scratch/roy/igtf/made-igtf-1.49 /u/r/o/roy/vdt/certs
Checking CA certificates for updates:
IGTF directory: /u/c/a/cat/ca-certificate-distributions/made-igtf-1.49
VDT to update: /p/condor/workspaces/cat/certs-trunk
Updates to CA certificates, by hash:
01621954 UKeScience ... 2 files changed
03aa0ecb BEGrid ... 1 file changed
...
fa3af1d7 CERN ... 1 file changed
fe102e03 DFN-GridGermany-Server ... 2 files changed
Be sure to understand the differences, even though most of them are CVS related or are simple version string changes. Be particularly careful about hashes in the output that have “files not in IGTF” next to them--they will be deleted!
Yes, you must say yes to each file deletion!
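A read-only pre-flight for the review step above, as an added example that is not part of the original page or of the VDT scripts: it groups files by CA hash and lists, per hash, the files that changed, are new in IGTF, or are not in IGTF and would therefore be offered for deletion. The function names, the `certs` directory name, the `0badc0de` hash and the file contents are constructed for illustration, and the directory-name check is one reading of the naming rule stated earlier.

```python
import filecmp, re, tempfile
from pathlib import Path

HASH_FILE = re.compile(r"^([0-9a-f]{8})\.")  # a317c467.0, a317c467.signing_policy

def igtf_version(igtf_dir):
    """Version if the name ends with it and holds no other digits, else None."""
    m = re.fullmatch(r"\D*(\d+\.\d+)", Path(igtf_dir).name)
    return m.group(1) if m else None

def by_hash(directory):
    """Map each CA hash to the set of file names carrying that hash."""
    groups = {}
    for p in Path(directory).iterdir():
        m = HASH_FILE.match(p.name)
        if m and p.is_file():
            groups.setdefault(m.group(1), set()).add(p.name)
    return groups

def compare(igtf_dir, vdt_dir):
    """Per hash: files changed, new in IGTF, not in IGTF (deletion candidates)."""
    igtf, vdt = by_hash(igtf_dir), by_hash(vdt_dir)
    report = {}
    for h in sorted(igtf.keys() | vdt.keys()):
        theirs, ours = igtf.get(h, set()), vdt.get(h, set())
        entry = {
            "changed": sorted(n for n in theirs & ours if not filecmp.cmp(
                Path(igtf_dir, n), Path(vdt_dir, n), shallow=False)),
            "new": sorted(theirs - ours),
            "not_in_igtf": sorted(ours - theirs),
        }
        if any(entry.values()):
            report[h] = entry
    return report

def build_sample(root):
    """Constructed sample trees: names follow the page, contents are dummies."""
    trees = {"made-igtf-1.49": {"a317c467.0": "v2", "a317c467.signing_policy": "p"},
             "certs": {"a317c467.0": "v1", "a317c467.signing_policy": "p",
                       "0badc0de.0": "old"}}
    for d, files in trees.items():
        Path(root, d).mkdir()
        for name, body in files.items():
            Path(root, d, name).write_text(body)
    return Path(root, "made-igtf-1.49"), Path(root, "certs")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(igtf_version("made-igtf-1.49"), compare(*build_sample(tmp)))
```

Every name under `not_in_igtf` is a file the update would remove, so that list is the one to read before answering yes to any deletion prompt.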
INDEX.txt file. Don't miss the version number at the bottom of the page.
Verify the contents of this file by running:
defs file to reflect a new VDT CA certificates version
Be sure to mention the IGTF distribution version and the new VDT CA certificates version in your commit message.
cd vdt-scripts
./release-certs.pl
pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:CA-Certificates
Here's some text to get you started.

Subject: VDT CA certificates updated with IGTF 1.49

The VDT team has updated its CA certificate distribution to reflect the contents of the IGTF 1.49 distribution. Information about the IGTF distribution is available at
https://dist.eugridpma.info/distribution/igtf/current/

Information about the contents of this VDT release (version 40) of the certificates is available at:
http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html?oldrelease=40

For more information about the certificates and about updating your installation, follow the link for your VDT version:
http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html
http://vdt.cs.wisc.edu/releases/1.8.1/certificate_authorities.html

Please note that if you are using the VDT certificate updater (available since VDT 1.8.0), your certificates will be updated automatically.

As always, if you have questions, comments, or concerns, please let us know.