Handling Updates to the IGTF Certificate Distribution

When the IGTF announces a new certificate distribution, use the following steps to update the VDT.

[Last updated by Scot on 14 September 2008 while changing how we distribute CA certs.]

1. Change to a suitable directory
2. Get the certificates

   The IGTF website is at http://www.gridpma.org/, but the distribution is maintained at the EUGridPMA site. I usually start at the current distribution page, then go into the accredited directory and fetch the installation bundle tarball.

   wget http://dist.eugridpma.org/distribution/igtf/1.25/accredited/igtf-policy-installation-bundle-1.25.tar.gz

3. Unpack the certificates

   tar xzf igtf-policy-installation-bundle-1.25.tar.gz

4. Make an installation directory

   mkdir made-igtf-1.25

   You must install the certificates before using them. Make sure the directory name ends with the IGTF version and that there are no other digits in the name. Sorry, I’m lazy.

5. Configure the installation

   We want all of the IGTF accredited certificate authorities.

   $ cd igtf-policy-installation-bundle-1.25
   $ ./configure --prefix=../made-igtf-1.25 --with-profile=classic --with-profile=slcs --with-profile=mics --with-authority=FNAL_KCA
   Configuration of the IGTF bundle complete
   use "make install" to install the selected authorities in
   ../made-igtf-1.25.
   

6. Install the certificates into your temporary directory

   $ make install
   Installing CAs for profile accredited:slcs
   install policy-igtf-slcs.info ../made-igtf-1.25/
   install src/accredited/a317c467.0 ../made-igtf-1.25/
   ...
   install src/accredited/9dd23746.namespaces ../made-igtf-1.25/
   install src/accredited/9dd23746.signing_policy ../made-igtf-1.25/
   Installing CAs for profile accredited:classic
   install policy-igtf-classic.info ../made-igtf-1.25/
   install src/experimental/e1fce4e9.0 ../made-igtf-1.25/
   install src/experimental/e1fce4e9.info ../made-igtf-1.25/
   install src/experimental/e1fce4e9.namespaces ../made-igtf-1.25/
   install src/experimental/e1fce4e9.signing_policy ../made-igtf-1.25/

7. Checkout the certificates branch

   svn co file:///p/vdt/workspace/svn/certs/trunk

   OR

   Make sure your checkout is up to date

   svn update

8. Check over the process-igtf-distribution.pl script

   In particular, pay attention to the whitelist and blacklist definitions.

9. Run the script

   $ ./process-igtf-distribution.pl /u/c/a/cat/ca-certificate-distributions/made-igtf-1.25 /p/condor/workspaces/cat/certs-trunk
   Checking CA certificates for updates:
       IGTF directory: /u/c/a/cat/ca-certificate-distributions/made-igtf-1.25
       VDT to update:  /p/condor/workspaces/cat/certs-trunk
   
   Updates to CA certificates, by hash:
       01621954 UKeScience                ... 2 files changed
       03aa0ecb BEGrid                    ... 1 file changed
   ...
       fa3af1d7 CERN                      ... 1 file changed
       fe102e03 DFN-GridGermany-Server    ... 2 files changed

10. Review output and igtf-1.25-update-diffs.log

    Be sure to understand the differences, even though most of them are CVS related or are simple version string changes. Be particularly careful about hashes in the output that have “files not in IGTF” next to them--they will be deleted!

11. Repeat Steps 9–11 until you’re happy with it all
12. Verify the igtf-1.25-update-script.sh by hand
13. Run the update script

    ./igtf-1.25-update-script.sh

    Yes, you must say yes to each file deletion!

14. Verify changes

    svn status

15. Update the INDEX.txt file. Don't miss the version number at the bottom of the page.

    Verify the contents of this file by running:

    ./validate_index.pl

16. Update the CHANGES file
17. Update the top-level defs file to reflect a new VDT CA certificates version
18. Commit all changes

    Be sure to mention the IGTF distribution version and the new VDT CA certificates version in your commit message.

19. Run the following to make the CA-Certificates.pacman file, manifest file, and rpm package.

    cd vdt-scripts
    ./release-certs.pl

20. Do a quick installation to check everything.
    • To check the CA-Certificates-Base.pacman, install from 1.8.1:

      pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:CA-Certificates

    • To check the manifest file and certificates tarball, install the CA-Certificates package from 1.10.1 (or later), or force an update from the OSG-EDU CE.
    • To check the RPM - ???
21. Announce the new distribution by sending email to
    • goc@opensciencegrid.org
    • vdt-discuss@opensciencegrid.org

    Here's some text to get you started. Subject:

    VDT CA certificates updated with IGTF 1.25

    Message:

    The VDT team has updated its CA certificate distribution to reflect the contents
    of the IGTF 1.25 distribution. Information about the IGTF distribution is
    available at
    
    https://dist.eugridpma.info/distribution/igtf/current/
    
    Information about the contents of this VDT release (version 40) of the certificates is available at:
    
    http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html?oldrelease=40
    For more information about the certificates and about updating your
    installation, follow the link for your VDT version:
    
    http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html
    http://vdt.cs.wisc.edu/releases/1.8.1/certificate_authorities.html
    
    Please note that if you are using the VDT certificate updater
    (available since VDT 1.8.0), your certificates will be updated
    automatically. 
    
    As always, if you have questions, comments, or concerns, please let us know.