Note: This version of the VDT (1.10.1) is supported, but is not our latest stable release. The current stable release is 2.0.0.

Maintaining a CA Certificate Distribution

This page explains how to maintain your own distribution of certificate authority (CA) certificates. You do not need to do this to install the VDT: you can use the convenience IGTF distribution of certificates supplied by the VDT, or, if you are a member of OSG, the distribution from the OSG Security Team. For more information, see this page.

Getting started

  1. Fetch the certificate distribution scripts from the VDT. They are located here.

    The contents:

    certificates - Contains the CA certificates that will be distributed.  You can download these or use your own.
    defs - File that contains version and path information
    make-manifest - Script to generate the manifest for vdt-update-certs
    validate_index.pl - A script to validate the INDEX.txt file in the certificates directory
    process-igtf-distribution.pl - No documentation is available, but if you are using Subversion or another version control system, you might find this script useful for creating new certificate distributions.
    vdt-scripts - Contains VDT specific scripts that you do not need to use
  2. Update the path and version information in the defs file. At a minimum, you will need to change the ROOT and the WEB_PATH. However, you might want to change the starting version number for your certificates as well. Pay attention to the TARBALL_PATH: this is where you will need to place your certificates tarball.
        # Version info
        OUR_CERTS_MAJOR_VERSION - The major version number, version will appear as MAJOR-MINOR
        OUR_CERTS_MINOR_VERSION - The minor version number.  If MAJOR is 40 and MINOR is 2, the version will be 40-2.
        IGTF_CERTS_VERSION - This might not be applicable for your distribution.  It can be removed or commented.
        CERTS_DESCRIPTION - The description that will appear when vdt-version is run
    
        # Location info
        ROOT - The root location in your filesystem, e.g. /p/vdt/public/html
        CERTS_DIR - The location you will store certificates, e.g. $(ROOT)/software/certificates
        TARBALL_NAME - The name of your tarball, e.g. certificates-$(OUR_CERTS_MAJOR_VERSION)-$(OUR_CERTS_MINOR_VERSION).tar.gz
        TARBALL_PATH - The local location where the tarball will be stored, e.g. $(CERTS_DIR)/$(OUR_CERTS_MAJOR_VERSION)/$(TARBALL_NAME)
        WEB_PATH - The URL of the tarball file, e.g. http://vdt.cs.wisc.edu/software/certificates/$(TARBALL_NAME)
  3. Please let the VDT know that you are maintaining your own CA certificate distribution, and feel free to give us feedback on the process.

Releasing the certificates

  1. Put the certificates you want to distribute in the certificates directory.
  2. Update the INDEX.txt file in the certificates directory. Don't miss the version number at the bottom of the file.

    Verify the contents of this file by running validate_index.pl.

  3. Update the CHANGES file in the certificates directory as appropriate.
  4. Update the defs file to reflect the new CA certificates version.
  5. Create a tarball in the TARBALL_PATH location defined in your defs file. The tarball must contain exactly one directory which contains all the certificates, and that directory must be named certificates.
    tar zcf TARBALL_PATH `find certificates ! -name \*~ ! -name .#\* ! -type d | grep -v '\.svn'`
  6. Run the make-manifest command to generate the manifest. This script will not work until the tarball is in place, because it needs to calculate the md5sum of the tarball.
  7. Do a quick installation to check everything. To check the manifest file and certificates tarball, force an update using vdt-update-certs --force from a test installation.
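
A pre-flight check for the layout rule in step 5, as an added example that is not part of the VDT scripts: the hypothetical helper check_certs_tarball confirms that every archive member lives under a single certificates directory and that no editor backups, .svn entries or ".." path components slipped in. Run it before make-manifest, so the manifest never records the checksum of a malformed tarball.

```shell
# check_certs_tarball is a hypothetical helper name (not a VDT script).
# Usage: check_certs_tarball /path/to/certificates-MAJOR-MINOR.tar.gz
# Returns 0 if the layout is acceptable, 1 on a layout problem,
# 2 if the archive cannot be read.
check_certs_tarball() {
    tarball=$1

    # List member names without extracting anything.
    members=$(tar tzf "$tarball" 2>/dev/null) || {
        echo "cannot read tarball: $tarball" >&2
        return 2
    }
    [ -n "$members" ] || { echo "tarball is empty" >&2; return 1; }

    # Every member must sit under certificates/ (a leading ./ is tolerated).
    bad=$(printf '%s\n' "$members" | sed 's|^\./||' \
          | grep -v '^certificates/' || true)
    if [ -n "$bad" ]; then
        echo "entries outside the certificates directory:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi

    # Entries the find/grep filter in step 5 is meant to exclude,
    # plus any ".." component that would escape the directory on unpack.
    stray=$(printf '%s\n' "$members" \
            | grep -E '(~$|/\.#|/\.svn(/|$)|(^|/)\.\.(/|$))' || true)
    if [ -n "$stray" ]; then
        echo "backup, .svn or '..' entries present:" >&2
        printf '%s\n' "$stray" >&2
        return 1
    fi
    return 0
}
```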

Using vdt-update-certs with your distribution