vdt-update-certs - Update the VDT CA certificate installation
vdt-update-certs [--vdt-location <location>] [--force] [--quiet] [--debug] [--help]
This program is used to update the VDT CA certificate distribution, which lives in a location pointed to by the symlink $VDT_LOCATION/globus/TRUSTED_CA.
Normally, this program is run by cron once every hour, but you can choose to run it manually if you prefer. From the command line, the only interesting parameter to pass is --vdt-location, which specifies where the VDT is installed. Normally you do not need to specify this parameter, because it is obtained from the $VDT_LOCATION environment variable.
When this program runs, it exits immediately if the program has been successfully run in the last 24 hours. The --force command line option overrides this check, and forces the program to run. The reason for this is reliability: the VDT installation will set this program to run every hour via cron, but it has the goal of checking for an update every 24 hours. If the VDT web site is down, or some other serious error occurs, it retries an hour later in hopes that the error has resolved itself. Once the program has run successfully it will not try to do any updates for 24 hours.
When vdt-update-certs runs, if it finds a previous incarnation of itself still running, it will kill the old process before it runs.
When vdt-update-certs is run, it looks for a configuration file in $VDT_LOCATION/vdt/etc/vdt-update-certs.conf. This file is not necessary: there are reasonable defaults for everything that can be in the file. However, you can use it to customize the behavior of vdt-update-certs.
The configuration file can have blank lines as well as comment lines: comment lines begin with a hash mark (#).
Each option is of the form name=value, one option per line (see the include examples below).
The following configuration options can be specified:
cacerts_url: This option is required. It specifies where to download the CA certificates from. Most users will be told what this URL should be. For people who are responsible for a CA certificate distribution, this must be the full URL to the description file, not the URL to the tarball or to the directory containing these files.
The log option specifies where the log file for vdt-update-certs is located. The log file is always created. It defaults to $VDT_LOCATION/vdt/var/log/vdt-update-certs.log. Example:
This option is equivalent to the command line --debug option listed above. If enabled, it will provide more information in the log file. The default is to not print this information. To enable it:
The full pathname of a file to be copied into the CA certificates directory in addition to any files that are downloaded from the VDT. This can be used to add a CA that is not part of the VDT. It is necessary because when the VDT installs a new set of CA certificates it creates a fresh directory and does not preserve anything that was previously in the CA certificate directory. This option accepts only a single file, but it can be specified multiple times to include multiple files. By default no extra files are included. Example:
    include=/opt/local-ca/12345678.0
    include=/opt/local-ca/12345678.signing_policy
    include=/opt/local-ca/12345678.crl_url
Note that you should not copy files into the CA certificates directory and then specify their paths inside that directory as include targets. Though it may seem like a handy shortcut, the new directory is built from scratch, so at the time the files are copied they are no longer where the include line says they are and the copy will fail. Keep local CA files in a separate directory (as in the example above) and let the include option copy them in on every update.
The hash of a Certificate Authority whose files are to be removed from the CA certificates directory whenever a new set is installed. All files of the form <hash>.* will be removed. This lets you drop CA certificates that are provided by the VDT but that you do not wish to trust. By default no CAs are excluded. To exclude a CA with hash '87654321', include a line such as:
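The following is an added illustration of the configuration semantics described above (the name=value file format, repeatable include lines, hash-based exclusion, and the fresh-directory behaviour that makes the include shortcut fail). It is example code written for this page, not part of vdt-update-certs or the VDT; the option name "exclude" for the CA hash and the sample file names are assumptions, and the files it creates are constructed stand-ins rather than real certificates.

```python
import os
import shutil
import tempfile


def parse_config(text):
    """Parse vdt-update-certs.conf-style text.

    Blank lines and lines starting with '#' are ignored; every other line
    must be name=value.  Because 'include' may appear more than once, the
    values for every option are collected in a list.
    """
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected name=value, got %r" % (lineno, raw))
        name, value = line.split("=", 1)
        opts.setdefault(name.strip(), []).append(value.strip())
    return opts


def install_ca_dir(downloaded_dir, includes, excludes, dest):
    """Build a fresh CA directory at dest as the man page describes.

    Whatever was in dest before is discarded, the downloaded files are
    copied in, each 'include' file is copied in, and finally every file
    named <hash>.* for an excluded hash is deleted.  Returns the removed
    file names.
    """
    if os.path.isdir(dest):
        shutil.rmtree(dest)          # nothing from the old directory survives
    os.makedirs(dest)
    for name in os.listdir(downloaded_dir):
        shutil.copy2(os.path.join(downloaded_dir, name), dest)
    for path in includes:
        shutil.copy2(path, dest)     # raises if path pointed into the old dest
    removed = []
    for name in sorted(os.listdir(dest)):
        if name.split(".", 1)[0] in excludes:
            os.remove(os.path.join(dest, name))
            removed.append(name)
    return sorted(removed)


def demo():
    """Run the whole flow on constructed files in a temporary directory."""
    work = tempfile.mkdtemp(prefix="vdt-demo-")
    try:
        local = os.path.join(work, "local-ca")       # site-local CA, kept outside dest
        fetched = os.path.join(work, "downloaded")   # stand-in for the VDT download
        dest = os.path.join(work, "certificates")    # the TRUSTED_CA target
        for d in (local, fetched, dest):
            os.makedirs(d)
        # Constructed sample files; contents are irrelevant for this example.
        for name in ("12345678.0", "12345678.signing_policy"):
            with open(os.path.join(local, name), "w") as f:
                f.write("constructed local CA file\n")
        for name in ("87654321.0", "87654321.signing_policy", "aaaaaaaa.0"):
            with open(os.path.join(fetched, name), "w") as f:
                f.write("constructed downloaded CA file\n")
        with open(os.path.join(dest, "stale.0"), "w") as f:
            f.write("left over from the previous install\n")

        # The discouraged shortcut: an include that points into the CA
        # directory itself.  The directory is rebuilt first, so the copy fails.
        shortcut_failed = False
        try:
            install_ca_dir(fetched, [os.path.join(dest, "stale.0")], set(), dest)
        except FileNotFoundError:
            shortcut_failed = True

        # Constructed configuration; 'exclude' as the option name is an assumption.
        conf = (
            "# constructed sample configuration\n"
            "cacerts_url=https://example.invalid/ca-certs/description.txt\n"
            "\n"
            "include=%s\n"
            "include=%s\n"
            "exclude=87654321\n"
        ) % (os.path.join(local, "12345678.0"),
             os.path.join(local, "12345678.signing_policy"))
        opts = parse_config(conf)
        removed = install_ca_dir(fetched, opts.get("include", []),
                                 set(opts.get("exclude", [])), dest)
        return {"installed": sorted(os.listdir(dest)),
                "removed": removed,
                "shortcut_failed": shortcut_failed}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the stale file gone, the two local files present, the excluded hash's files removed, and the in-directory include attempt failing with FileNotFoundError, which is exactly the caveat given for the include option.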