Renewing Machine and Service Certificates

We need to keep valid certificates for the VDT machines and some of the services then run. When certificates have expired or are about to expire, follow these instructions to renew them.

Prepare Workspace

There are a few parts of the VDT that help with the overall task:

1. In a personal work area on a CSL machine, create a directory to hold some VDT components
2. Install the Globus-Base-Essentials package
3. Source the VDT setup file for your shell
4. Run vdt/setup/configure_cert_request --ca=1c3f2ca8
5. Change to the $X509_CERT_DIR/doegrids directory
6. Set the GRID_SECURITY_DIR environment variable to $VDT_LOCATION/globus/share
(skip if are using version 1.3.6 or older)

Generate Certificate Request(s)

For each machine or service certificate that needs renewing:

1. Run doegrids-cert-request:
   • Supply the -host switch with the fully-qualified hostname
   • If requesting a service certificate, supply the -service switch and the service identifier

   Examples:

   ./doegrids-cert-request -host vdt-redhat9.cs.wisc.edu
   ./doegrids-cert-request -host vdt-redhat9.cs.wisc.edu -service ldap

   The command output tells where it saved the resulting .pem files, such as $VDT_LOCATION/globus/share or $VDT_LOCATION/globus/share/<service>.

2. If needed, create the machine-specific certificate directories:
   • /p/condor/home/certificates/<machine>
   • /p/condor/home/certificates/<machine>/<service>
3. Copy the .pem files generated above to the machine-specific certificate directory

   For example:

   cp $VDT_LOCATION/globus/share/*.pem /p/condor/home/certificates/vdt-sles9-ia64/

Get New Certificate(s)

Presently, only Alain can do this step.

Update Certificate(s)

Once you have the new certificate(s):

1. As yourself on a CSL machine, change to the /p/vdt/workspace/grid-security directory
2. Run make-tarballs
3. Wait five minutes and what will dist out the updated files