Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

Handling Updates to the IGTF Certificate Distribution

When the IGTF announces a new certificate distribution, use the following steps to update the VDT.

[Updated on 25-Jun-2010 to stop attempting to include FNAL_KCA, since it's not longer shipped or used.]
[Updated on 14-Dec-2008 to reflect new location of IGTF tar file.]
[Last updated by Scot on 14 September 2008 while changing how we distribute CA certs.]

  1. Change to a suitable directory
  2. Get the certificates

    The IGTF website is at, but the distribution is maintained at the EUGridPMA site. I usually start at the current distribution page, then fetch the installation bundle tarball.

  3. Unpack the certificates
    tar xzf igtf-policy-installation-bundle-1.49.tar.gz
  4. Make an installation directory
    mkdir made-igtf-1.49

    You must install the certificates before using them. Make sure the directory name ends with the IGTF version and that there are no other digits in the name. Sorry, I’m lazy.

  5. Configure the installation

    We want all of the IGTF accredited certificate authorities.

    $ cd igtf-policy-installation-bundle-1.49
    $ ./configure --prefix=../made-igtf-1.49 --with-profile=classic --with-profile=slcs --with-profile=mics
    Configuration of the IGTF bundle complete
    use "make install" to install the selected authorities in
  6. Install the certificates into your temporary directory
    $ make install
    Installing CAs for profile accredited:slcs
    install ../made-igtf-1.49/
    install src/accredited/a317c467.0 ../made-igtf-1.49/
    install src/accredited/9dd23746.namespaces ../made-igtf-1.49/
    install src/accredited/9dd23746.signing_policy ../made-igtf-1.49/
    Installing CAs for profile accredited:classic
    install ../made-igtf-1.49/
    install src/experimental/e1fce4e9.0 ../made-igtf-1.49/
    install src/experimental/ ../made-igtf-1.49/
    install src/experimental/e1fce4e9.namespaces ../made-igtf-1.49/
    install src/experimental/e1fce4e9.signing_policy ../made-igtf-1.49/
  7. Checkout the certificates branch
    svn co file:///p/vdt/workspace/svn/certs/trunk


    Make sure your checkout is up to date

    svn update
  8. Check over the script

    In particular, pay attention to the whitelist and blacklist definitions.

  9. Run the script
    $ ./ /scratch/roy/igtf/made-igtf-1.49 /u/r/o/roy/vdt/certs
    Checking CA certificates for updates:
        IGTF directory: /u/c/a/cat/ca-certificate-distributions/made-igtf-1.49
        VDT to update:  /p/condor/workspaces/cat/certs-trunk
    Updates to CA certificates, by hash:
        01621954 UKeScience                ... 2 files changed
        03aa0ecb BEGrid                    ... 1 file changed
        fa3af1d7 CERN                      ... 1 file changed
        fe102e03 DFN-GridGermany-Server    ... 2 files changed
  10. Review output and igtf-1.49-update-diffs.log

    Be sure to understand the differences, even though most of them are CVS related or are simple version string changes. Be particularly careful about hashes in the output that have “files not in IGTF” next to them--they will be deleted!

  11. Repeat Steps 9–11 until you’re happy with it all
  12. Verify the by hand
  13. Run the update script

    Yes, you must say yes to each file deletion!

  14. Verify changes
    svn status
  15. Update the INDEX.txt file. Don't miss the version number at the bottom of the page.

    Verify the contents of this file by running:

  16. Update the CHANGES file
  17. Update the top-level defs file to reflect a new VDT CA certificates version
  18. Commit all changes

    Be sure to mention the IGTF distribution version and the new VDT CA certificates version in your commit message.

  19. Run the following to make the CA-Certificates.pacman file, manifest file, and rpm package.
    cd vdt-scripts
  20. Do a quick installation to check everything.
    • To check the CA-Certificates-Base.pacman, install from 1.8.1:
      pacman -get
    • To check the manifest file and certificates tarball, install the CA-Certificates package from 1.10.1 (or later), or force an update from the OSG-EDU CE.
    • To check the RPM - ???
  21. Announce the new distribution by sending email to

    Here's some text to get you started. Subject:

    VDT CA certificates updated with IGTF 1.49


    The VDT team has updated its CA certificate distribution to reflect the contents
    of the IGTF 1.49 distribution. Information about the IGTF distribution is
    available at
    Information about the contents of this VDT release (version 40) of the certificates is available at:
    For more information about the certificates and about updating your
    installation, follow the link for your VDT version:
    Please note that if you are using the VDT certificate updater
    (available since VDT 1.8.0), your certificates will be updated
    As always, if you have questions, comments, or concerns, please let us know.