The VDT team updates the VDT CA certificate package independently of the rest of the VDT. When updates are announced, follow the instructions below to get them.
To find out what VDT version you have:
$ vdt-version | head -1
You have installed a subset of VDT version 1.10.1c:
To find out more information about your certificates, including information about vdt-update-certs and fetch-crl, run vdt-ca-certs-status. For example:
$ vdt-ca-certs-status
CA-Certificates Info:
Version: 36-1
vdt-update-certs info:
Last run: 2008-06-12T08-48-28
Last updated: 2008-06-12T08-48-28
Status: Installed and running
Fetch-CRL info:
Last run: 2008-06-12T08-44-27
Status: Installed and running
To find out the full version of the VDT-distributed CA certificates you have:
$ vdt-version | grep -i certificates
CA Certificates v49 (includes IGTF IGTF 1.29 CAs)
As of September 11, 2008, VDT 1.10.1 and later will no longer automatically install certificate authority certificates during installation. Why are we doing this? The VDT installation (outside of the OSG software stack) is intended to be a grid-agnostic software stack, but the set of Certificate Authorities you trust is a combination of the grid you are a member of and what CAs you personally trust. By making these changes, we do two things:
As of February 2nd, 2009, the VDT's CA distribution dropped all non-IGTF accredited CAs. It is now only a convenience distribution of CA certificates. However, you (the user) will be required to select this distribution if it is what you want instead of another distribution. The VDT Team will provide this as a convenience, but not as a recommendation. Details on this transition
As an alternative, you will be able to fetch CA certificates from the GOC.
In order to complete the certificate installation, perform the following steps:
cacerts_url in the configuration file at
$VDT_LOCATION/vdt/etc/vdt-update-certs.conf
This file contains URLs to CA Certificate distributions including the OSG GOC distribution with certificates recommended by the OSG Security Team, as well as the VDT convenience distribution. You must uncomment one of these (or create your own), and then run the commands below to activate the certificate updates.
. $VDT_LOCATION/vdt-questions.sh; $VDT_LOCATION/vdt/sbin/vdt-setup-ca-certificates
Make sure vdt-update-certs is enabled, and it will fetch future certificate updates automatically.
vdt-control --enable vdt-update-certs
vdt-control --on vdt-update-certs
To use this distribution, edit $VDT_LOCATION/vdt/etc/vdt-update-certs.conf and
set cacerts_url to:
http://vdt.cs.wisc.edu/software/certificates/vdt-igtf-ca-certs-version
To use this distribution, edit $VDT_LOCATION/vdt/etc/vdt-update-certs.conf and
set cacerts_url to:
http://software.grid.iu.edu/pacman/cadist/ca-certs-version
The most reliable method to update the certificates is to use our
automatic updater, which is installed along with the CA-Certificates
package. It's been available since VDT 1.8.0. You know it is
installed if $VDT_LOCATION/vdt/sbin/vdt-update-certs
exists. If it is not installed, you can install it with:
$ pacman -get http://vdt.cs.wisc.edu/vdt_1101_cache:CA-Certificates-Updater
If you installed as root, you can run it automatically via cron to keep your certificates up to date. You can also run it manually if you prefer. Just run:
$ cd $VDT_LOCATION
$ vdt/sbin/vdt-update-certs
The vdt-update-certs script will check for a new update once per day. It runs hourly from the crontab so that if a check fails due to network problems or any other error, the next hour's check will be able to check for an update rather than waiting 24 hours.
More information on vdt-update-certs.
If you prefer to use an RPM, there is a single RPM containing all of
the CA certificates distributed by the VDT. You can install the RPM
manually or with yum. The certificates will be installed in /etc/grid-security/certificates.
Please note two caveats if you install with RPM. First, you should
tell the VDT not to install the CA certificates via Pacman. Second,
vdt-version will not report the correct version of the
installed certificates.
# rpm -ivh http://vdt.cs.wisc.edu/vdt_rpms/vdt-ca-certs/vdt-ca-certs-49-1.noarch.rpm
If you wish to download older versions of the RPM, you can find them here.
Direct link to vdt-ca-certs-49-1.noarch.rpm (The latest version)
/etc/yum.repos.d/vdt-ca-certs.repo.
Download vdt-ca-certs.repo
yum install vdt-ca-certs
yum update vdt-ca-certs
Note that YUM can do automatic updates. On some RedHat variants, you
can install a yum-cron package, which makes a cron job in
/etc/cron.daily to update YUM packages automatically.
If you do not trust a Certificate Authority, and would like to remove it from the distribution, follow these steps:
$VDT_LOCATION/vdt/etc/vdt-update-certs.conf, and add an
exclude_ca statement for this hash. This will automatically remove
any files associated with this hash anytime vdt-update-certs installs a new
certificate distribution.
exclude_ca=12345678
rm $VDT_LOCATION/globus/TRUSTED_CA/12345678.*
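The cacerts_url selection and the exclude_ca steps both leave state that is easy to get wrong: no distribution (or more than one) uncommented, or an excluded CA whose files are still in the trust directory. The shell functions below are an added example, not part of the VDT tooling, that check both; they assume the configuration file holds key=value lines with `#` comments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit vdt-update-certs.conf against the trusted CA directory.
# Assumption: the file holds key=value lines and '#' starts a comment.

# Print the value of every active (uncommented) line for key $2 in file $1.
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1"
}

# audit_ca_config CONF CERTDIR
# Returns 0 when exactly one cacerts_url is active and no file named after an
# excluded hash remains in CERTDIR; prints each finding and returns 1 otherwise.
audit_ca_config() {
    conf=$1; certdir=$2; rc=0

    n=$(( $(conf_values "$conf" cacerts_url | wc -l) ))
    if [ "$n" -ne 1 ]; then
        echo "cacerts_url: expected exactly 1 active entry, found $n"
        rc=1
    fi

    # Split the configured hashes with globbing off, so a stray '*' in the
    # file is reported below instead of being expanded by the shell.
    set -f; set -- $(conf_values "$conf" exclude_ca); set +f
    for hash in "$@"; do
        case $hash in
            *[!0-9a-fA-F]*)
                echo "exclude_ca: malformed value '$hash'"; rc=1; continue ;;
        esac
        for f in "$certdir/$hash".*; do
            [ -e "$f" ] || continue
            echo "excluded CA $hash still trusted: $f"
            rc=1
        done
    done
    return "$rc"
}

# Usage with the paths from this page:
# audit_ca_config "$VDT_LOCATION/vdt/etc/vdt-update-certs.conf" \
#                 "$VDT_LOCATION/globus/TRUSTED_CA"
```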
At install time, you have the choice to install your certificates into the "root" location (/etc/grid-security), or the "local" location, ($VDT_LOCATION/globus/share). If you would like to install your certificates into a custom location, for example, in order to put them on a shared filesystem, you can do the following setup:
$VDT_LOCATION/globus/share/nfs/ca-certs.
$VDT_LOCATION/globus/share to /nfs/ca-certs
cd $VDT_LOCATION/globus/share
mv certificates-49-1 /nfs/ca-certs/
rm certificates
cd /nfs/ca-certs
ln -s /nfs/ca-certs/certificates-49-1 certificates
$VDT_LOCATION/globus/TRUSTED_CA link:
cd $VDT_LOCATION/globus
rm TRUSTED_CA
ln -s /nfs/ca-certs/certificates TRUSTED_CA
vdt-ca-certs-status command. This will report when Fetch-CRL last ran
and if it is currently running from the crontab.
# An example of everything setup and running correctly.
$ vdt-ca-certs-status
<snip>
Fetch-CRL info:
Last run: 2008-06-11T17-59-59
Status: Installed and running
# Watch for errors similar to the messages below.
$ vdt-ca-certs-status
<snip>
Fetch-CRL info:
Last run: 2008-05-20T05-11-07
WARNING: fetch-crl has not run in over 48 hours
Status: Installed, but not running via root's crontab
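A stale Fetch-CRL run means revocation lists are no longer being refreshed, so this status is worth checking from monitoring rather than by eye. The function below is an added example, not part of the VDT tooling, that reads vdt-ca-certs-status output and returns a non-zero exit code on any warning, on any status other than "Installed and running", or on a last run older than the limit. It assumes the output layout shown in the samples above, that the stamps are in the same time zone as the reference time, and that 48 hours is an acceptable limit for both vdt-update-certs and Fetch-CRL.

```shell
#!/bin/sh
# Added example: turn vdt-ca-certs-status output into a monitoring exit code.
# Assumptions: the layout matches the samples on this page, "Last run" stamps
# share the time zone of NOW, and 48 hours is the limit for every component.

# check_ca_status [NOW] [MAX_AGE_HOURS]   (status text on stdin)
# NOW uses the stamp format of the tool, e.g. 2008-06-12T08-48-28.
# Prints one line per problem and returns 1 if any problem was found.
check_ca_status() {
    awk -v now="${1:-$(date +%Y-%m-%dT%H-%M-%S)}" -v max="${2:-48}" '
    # Seconds since 1970-01-01 for a YYYY-MM-DDThh-mm-ss stamp.
    function secs(s,   t, y, m, days) {
        split(s, t, "[-T]"); y = t[1] + 0; m = t[2] + 0
        if (m <= 2) { y--; m += 12 }          # count the year from March
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m - 3) + 2)/5) + t[3] - 719469
        return days*86400 + t[4]*3600 + t[5]*60 + t[6]
    }
    /[Ii]nfo:[ \t]*$/ { sub(/[ \t]*[Ii]nfo:[ \t]*$/, ""); sect = $0; next }
    $1 == "Last" && $2 == "run:" {
        age = (secs(now) - secs($3)) / 3600
        if (age > max) { printf "%s: last run %d hours ago\n", sect, age; bad = 1 }
    }
    $1 == "WARNING:" { print sect ": " $0; bad = 1 }
    $1 == "Status:" && $0 !~ /Status:[ \t]*Installed and running[ \t]*$/ {
        print sect ": " $0; bad = 1
    }
    END { exit bad }'
}

# The failing sample shown on this page, fed through the check.
sample_stale() {
    cat <<'EOF'
Fetch-CRL info:
Last run: 2008-05-20T05-11-07
WARNING: fetch-crl has not run in over 48 hours
Status: Installed, but not running via root's crontab
EOF
}
sample_stale | check_ca_status 2008-06-12T08-48-28 || echo "CA status needs attention"
```

In production the input would be `vdt-ca-certs-status | check_ca_status`, with the reference time defaulting to the current local time.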
Curious about what has changed in each CA certificate release?
| Hash | Description | Contact | Source |
|---|---|---|---|
| 03aa0ecb | Belgium - BeGrid | https://gridra.belnet.be/pub/ | IGTF |
| 09ff08b7 | CNRS-Projets | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 0a12b607 | UGrid - Ukraine | https://ca.ugrid.org/ | IGTF |
| 0a2bac92 | Brazil - BrGrid | https://brgridca.ic.uff.br/ | IGTF |
| 1149214e | Germany - DFN-GridGermany-Root | http://www.pca.dfn.de/ | IGTF |
| 11b4a5a2 | Portugal - LIPCA | http://ca.lip.pt/ | IGTF |
| 12a1d8c2 | France - GRID-FR | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 163af95c | CNRS2 | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 1691b9ba | Turkey - TRGrid | http://www.grid.org.tr/ca/ | IGTF |
| 16da7552 | The Netherlands - NIKHEF | http://certificate.nikhef.nl/ | IGTF |
| 1c3f2ca8 | USA - DOE Grids | http://www.doegrids.org/ | IGTF |
| 1d879c6c | CERN-TCA | http://www.cern.ch/ca | IGTF |
| 1e12d831 | APAC | http://www.vpac.org/twiki/bin/view/APACgrid/CaInterface | IGTF |
| 1e43b9cc | Ireland - Grid-Ireland | http://www.cs.tcd.ie/grid-ireland/gi-ca/ | IGTF |
| 1f0e8352 | Nordic countries - NorduGrid | http://hep.nbi.dk/CA/ | IGTF |
| 1f3834d0 | RomanianGRID - Romania | http://www.romaniangrid.ro | IGTF |
| 2418a3f3 | BG-ACAD (Bulgarian Academic CA) | http://www.ca.acad.bg/ | IGTF |
| 24c3ccde | UNAM Grid - Mexico | http://ca.unamgrid.unam.mx/ | IGTF |
| 28a58577 | Greece - HellasGrid (Root 2006) | http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/ | IGTF |
| 295adc19 | Chile - REUNA CA | http://reuna-ca.reuna.cl/ | IGTF |
| 2a237f16 | Baltic States - Baltic Grid CA | http://ca.balticgrid.org/ | IGTF |
| 2ac09305 | TACC MICS | http://www.tacc.utexas.edu/CA/ | IGTF |
| 2f3fadf6 | INFN | http://security.fi.infn.it/CA/ | IGTF |
| 304cf809 | SWITCHslcs | http://www.switch.ch/pki/grid | IGTF |
| 3232b9bc | MREN - Montenegro | http://mren-ca.ac.me/ | IGTF |
| 34a509c3 | France - CNRS-Projets | http://igc.services.cnrs.fr/ | IGTF |
| 34f8e29c | Germany - DFN-GridGermany-User | http://www.pca.dfn.de/ | IGTF |
| 367b75c3 | UK eScience CA 2007 | http://www.grid-support.ac.uk/ca/ | IGTF |
| 393f7863 | Serbia - AEGIS | http://aegis-ca.rcub.bg.ac.yu/ | IGTF |
| 3d5be7bc | Slovenia - SiGNET CA | http://signet-ca.ijs.si/ | IGTF |
| 3f0f4285 | Venezuela - ULAGrid CA | http://ra.cecalc.ula.ve | IGTF |
| 71a89a47 | NCHC | http://ca.goc.nchc.org.tw/ | IGTF |
| 468d15b3 | Balkans - SeeGrid | http://www.grid.auth.gr/pki/seegrid-ca/ | IGTF |
| 4798da47 | HKU | http://ca.grid.hku.hk/ | IGTF |
| 47d3d1a0 | SWITCH-Personal-2007 | http://swisssign.net | IGTF |
| 55994d72 | Russia - RDIG | http://ca.grid.kiae.ru/RDIG/ | IGTF |
| 5cf9d536 | QuoVadis-Root-CA1 | http://www.switch.ch/pki/ | IGTF |
| 5e5501f3 | Hungary - KFKI RMKI | http://pki.kfki.hu/ | IGTF |
| 617ff41b | Japan - KEK | https://gridca.kek.jp/ | IGTF |
| 684261aa | US - TACC Root | http://www.tacc.utexas.edu/CA/ | IGTF |
| 6e3b436b | Austria - AustrianGrid | https://ca.austriangridca.at/ | IGTF |
| 6fee79b0 | Israel - IUCC | http://certificate.iucc.ac.il/ | IGTF |
| 709bed08 | BYGCA | http://ca.grid.by/ | IGTF |
| 722e5071 | Korea - KISTI 2007 | http://ca.gridcenter.or.kr/ | IGTF |
| 742edd45 | Latvia - LatGrid | http://grid.lumii.lv/?lang=en | IGTF |
| 7721d4d3 | PRAGMA-UCSD | http://goc.pragma-grid.net/ca/ | IGTF |
| 7b2d086c | Switzerland - SwissSign (Root) | http://swisssign.net/ | IGTF |
| 7b54708e | Morocco: MAGrid CA | http://www.magrid.ma/ca | IGTF |
| 7d0d064a | MARGI - Macedonia | http://www.margi-ca.marnet.net.mk | IGTF |
| 82b36fca | Greece - HellasGrid (2006) | http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/ | IGTF |
| 8a047de1 | NECTEC GOC | http://gridca.hpcc.nectec.or.th/ | IGTF |
| 8a661490 | Poland - PolishGrid | http://www.man.poznan.pl/plgrid-ca/ | IGTF |
| 98ef0ee5 | UK eScience Root CA 2007 | http://www.grid-support.ac.uk/ca/ | IGTF |
| 9b59ecad | Czech Republic - CESNET | http://www.cesnet.cz/pki/ | IGTF |
| 9b95bbf2 | USA - NCSA MICS | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| 9cd75e87 | Academia Sinica Grid CA 2007 | http://ca.grid.sinica.edu.tw/ | IGTF |
| 9dd23746 | pkIRISGRID | http://www.irisgrid.es/pki/ | IGTF |
| 9ff26ea4 | MD-Grid | http://ca.grid.md/ | IGTF |
| a02131f7 | DFN-SLCS | http://www.pki.dfn.de/index.php?id=slcs | IGTF |
| a317c467 | Japan - AIST | https://www.apgrid.org/CA/AIST/Production/ | IGTF |
| a87d9192 | Japan - NAREGI | https://www.naregi.org/ca/ | IGTF |
| a9082267 | Latin American and Caribbean Catch-all Grid CA | http://lacgridca.ic.uff.br/ | IGTF |
| afe55e66 | Cyprus - CyGrid | http://grid.ucy.ac.cy/CyGridCA/ | IGTF |
| b2771d44 | China - CNIC Grid CA | http://ca.grid.cn/en/ | IGTF |
| b7bcb7b2 | Argentina - UNPL Grid CA | https://www.pkigrid.unlp.edu.ar/ | IGTF |
| ba2f39ca | China - IHEP | https://gridca.ihep.ac.cn/ | IGTF |
| b93d6240 | NERSC SLCS CA | http://certs.nersc.gov/ | IGTF |
| bffbd7d0 | GridCanada | http://www.gridcanada.ca/ca | IGTF |
| ce33db76 | IRAN-GRID | http://cagrid.ipm.ac.ir/ | IGTF |
| c4435d12 | Switzerland - SwissSign (SWITCH) | http://swisssign.net/ | IGTF |
| c48c63f3 | China - CNIC SDG CA | http://ca.sdg.grid.cn/en/ | IGTF |
| cc800af0 | Hungary - NIIF | http://www.ca.niif.hu/ | IGTF |
| cf4ba8c8 | France - CNRS (EDG Catch-all CA) | http://igc.services.cnrs.fr/ | IGTF |
| d0c2a341 | Armenia - ArmeSFo | http://www.escience.am/ca/ | IGTF |
| d0b701c0 | SWITCHGrid Root | http://www.switch.ch/pki/grid | IGTF |
| d11f973e | CNRS2-Grid-FR | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| d1737728 | NGO-Netrust | http://netrustconnector.netrust.net/ | IGTF |
| d1b603c3 | US - ESnet Root | http://www.doegrids.org/ | IGTF |
| d254cc30 | CERN-ROOT | http://www.cern.ch/ca | IGTF |
| da75f6a8 | Indian Grid CA | http://ca.garudaindia.in/ | IGTF |
| dd4b34ea | Germany - GermanGrid | http://grid.fzk.de/ | IGTF |
| e13e0fcf | Slovakia - SlovakGrid | http://ups.savba.sk/ca/ | IGTF |
| e1fce4e9 | Fermilab KCA CA | https://computing.fnal.gov/security/pki/ | IGTF |
| e36e7a72 | Switzerland - SwissSign (Bronze) | http://swisssign.net/ | IGTF |
| e5cc84c2 | US - TACC Root | http://www.tacc.utexas.edu/CA/ | IGTF |
| e72045ce | SWITCH-QuoVadis-Grid-ICA | http://www.switch.ch/grid/certificates/ | IGTF |
| e8ac4b61 | NCSA GridShib CA | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| e8d818e6 | BEGrid2008 | https://gridra.begrid.be/ | IGTF |
| e9d08b40 | Switzerland - SwissSign (Silver) | http://swisssign.net/ | IGTF |
| eebc7717 | SWITCH-Server-2007 | http://swisssign.net/ | IGTF |
| f2e89fe3 | USA - NCSA SLCS | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| f5ead794 | PK-Grid-2007 | http://www.ncp.edu.pk/pk-grid-ca/ | IGTF |
| fe102e03 | Germany - DFN-GridGermany-Server | http://www.pca.dfn.de/ | IGTF |
| ff94d436 | Croatia - SRCE | http://ra.srce.hr/ | IGTF |