Note: This version of the VDT (1.8.1) is supported, but is not our latest stable release. The current stable release is 1.10.1.
The VDT team updates the VDT CA certificate package independently of the rest of the VDT. When updates are announced, follow the instructions below to get them.
To find out what VDT version you have:
$ vdt-version | head -1 You have installed a subset of VDT version 1.8.1a:
To find out what version of the VDT-distributed CA certificates you have:
$ vdt-version | grep -i certificates
CA Certificates v39 (includes IGTF IGTF 1.24 CAs)
The most reliable method to update the certificates is to use our
automatic updater. It's been available since VDT 1.8.0. You know it is
installed if $VDT_LOCATION/vdt/sbin/vdt-update-certs
exists. If it is not installed, you can install it with:
$ pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:CA-Certificates-Updater
If you installed as root, you can run it automatically via cron. It runs once per day, and your certificates will be kept up to date. You can also run it manually if you prefer. Just run:
$ cd $VDT_LOCATION $ vdt/sbin/vdt-update-certs
More information on vdt-update-certs...
If you prefer to use an RPM, there is a single RPM containing all of
the CA certificates distributed by the VDT. You can install the RPM
manually or with yum. The certificates will be installed in /etc/grid-security/certificates.
Please note two caveats if you install with RPM. First, you should
tell the VDT not to install the CA certificates via Pacman. Second,
vdt-version will not report the correct version of the
installed certificates.
# rpm -ivh http://vdt.cs.wisc.edu/vdt_rpms/vdt-ca-certs/vdt-ca-certs-39-2.noarch.rpm
If you wish to download older versions of the RPM, you can find them here.
Direct link to vdt-ca-certs-39-2.noarch.rpm (The latest version)
/etc/yum.repos.d/vdt-ca-certs.repo.
Download vdt-ca-certs.repo
yum install vdt-ca-certs
yum update vdt-ca-certs
Note that YUM can do automatic updates. One some RedHat variants, you
can install a yum-cron package, which makes a cron job in
/etc/cron.daily to update YUM packages automatically.
If for some reason you do not with to use the automatic updater, you can use Pacman. In our experience, this method almost always works, but has occasional failures.
$ cd $VDT_LOCATION $ pacman -update CA-Certificates About to begin uninstalling [...:CA-Certificates]... ... Package [...:CA-Certificates] successfully installed...
If you do not trust a Certificate Authority, and would like to remove it from the distribution, follow these steps:
# ls $VDT_LOCATION/globus/TRUSTED_CA/12345678.* 12345678.0 12345678.crl_url 12345678.info 12345678.namespaces 12345678.r0 12345678.signing_policy
$VDT_LOCATION/vdt/etc/vdt-update-certs.conf, and add these files to the
exclude section. This will automatically remove these files anytime
vdt-update-certs installs a new certificate distribution.
exclude=12345678.0 exclude=12345678.crl_url exclude=12345678.info exclude=12345678.namespaces exclude=12345678.r0 exclude=12345678.signing_policy
rm $VDT_LOCATION/globus/TRUSTED_CA/12345678.*
At install time, you have the choice to install your certificates into the "root" location (/etc/grid-security), or the "local" location, ($VDT_LOCATION/globus/share). If you would like to install your certificates into a custom location, for example, in order to put them on a shared filesystem, you can do the following setup:
$VDT_LOCATION/globus/share/nfs/ca-certs.
$VDT_LOCATION/globus/share to /nfs/ca-certs
cd $VDT_LOCATION/globus/share mv certificates-39-2 /nfs/ca-certs/ rm certificates cd /nfs/ca-certs ln -s /nfs/ca-certs/certificates-39-2 certificates
$VDT_LOCATION/globus/TRUSTED_CA link:
cd $VDT_LOCATION/globus rm TRUSTED_CA ln -s /nfs/ca-certs/certificates TRUSTED_CA
Curious about what has changed in each CA certificate release?
| Hash | Description | Contact | Source |
|---|---|---|---|
| 03aa0ecb | Belgium - BeGrid | https://gridra.belnet.be/pub/ | IGTF |
| 0a12b607 | UGrid - Ukraine | https://ca.ugrid.org/ | IGTF |
| 0a2bac92 | Brazil - BrGrid | https://brgridca.ic.uff.br/ | IGTF |
| 1149214e | Germany - DFN-GridGermany-Root | http://www.pca.dfn.de/ | IGTF |
| 11b4a5a2 | Portugal - LIPCA | http://ca.lip.pt/ | IGTF |
| 12a1d8c2 | France - GRID-FR | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 1691b9ba | Turkey - TRGrid | http://www.grid.org.tr/ca/ | IGTF |
| 16da7552 | The Netherlands - NIKHEF | http://certificate.nikhef.nl/ | IGTF |
| 1c3f2ca8 | USA - DOE Grids | http://www.doegrids.org/ | IGTF and TeraGrid |
| 1d879c6c | CERN-TCA | http://www.cern.ch/ca | IGTF |
| 1e12d831 | APAC | http://www.vpac.org/twiki/bin/view/APACgrid/CaInterface | IGTF |
| 1e43b9cc | Ireland - Grid-Ireland | http://www.cs.tcd.ie/grid-ireland/gi-ca/ | IGTF |
| 1f0e8352 | Nordic countries - NorduGrid | http://hep.nbi.dk/CA/ | IGTF |
| 1f3834d0 | RomanianGRID - Romania | http://www.romaniangrid.ro | IGTF |
| 2418a3f3 | BG-ACAD (Bulgarian Academic CA) | http://www.ca.acad.bg/ | IGTF |
| 24c3ccde | UNAM Grid - Mexico | http://ca.unamgrid.unam.mx/ | IGTF |
| 28a58577 | Greece - HellasGrid (Root 2006) | http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/ | IGTF |
| 290a3b29 | USA - PSC Kerberos CA | http://www.psc.edu/ca/ | TeraGrid |
| 295adc19 | Chile - REUNA CA | http://reuna-ca.reuna.cl/ | IGTF |
| 2a237f16 | Baltic States - Baltic Grid CA | http://ca.balticgrid.org/ | IGTF |
| 2f3fadf6 | INFN | http://security.fi.infn.it/CA/ | IGTF |
| 304cf809 | SWITCHslcs | http://www.switch.ch/pki/grid | IGTF |
| 3232b9bc | MREN - Montenegro | http://mren-ca.ac.me/ | IGTF |
| 34a509c3 | France - CNRS-Projets | http://igc.services.cnrs.fr/ | IGTF |
| 34f8e29c | Germany - DFN-GridGermany-User | http://www.pca.dfn.de/ | IGTF |
| 367b75c3 | UK eScience CA 2007 | http://www.grid-support.ac.uk/ca/ | IGTF |
| 393f7863 | Serbia - AEGIS | http://aegis-ca.rcub.bg.ac.yu/ | IGTF |
| 3d5be7bc | Slovenia - SiGNET CA | http://signet-ca.ijs.si/ | IGTF |
| 3deda549 | San Diego Supercomputing Center | http://www.sdsc.edu/CA/ | TeraGrid |
| 468d15b3 | Balkans - SeeGrid | http://www.grid.auth.gr/pki/seegrid-ca/ | IGTF |
| 47d3d1a0 | SWITCH-Personal-2007 | http://swisssign.net | IGTF |
| 4a6cd8b1 | USA - NCSA | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| 55994d72 | Russia - RDIG | http://ca.grid.kiae.ru/RDIG/ | IGTF |
| 566bf40f | Estonia - Estonian Grid | http://grid.eenet.ee/ | IGTF |
| 5e5501f3 | Hungary - KFKI RMKI | http://pki.kfki.hu/ | IGTF |
| 617ff41b | Japan - KEK | https://gridca.kek.jp/ | IGTF |
| 67e8acfa | Purdue TeraGrid RA | http://tg-ca.purdue.teragrid.org:8080/ejbca/ | TeraGrid |
| 6e3b436b | Austria - AustrianGrid | https://ca.austriangridca.at/ | IGTF |
| 6fee79b0 | Israel - IUCC | http://certificate.iucc.ac.il/ | IGTF |
| 722e5071 | Korea - KISTI 2007 | http://ca.gridcenter.or.kr/ | IGTF |
| 7721d4d3 | PRAGMA-UCSD | http://goc.pragma-grid.net/ca/ | IGTF |
| 7b2d086c | Switzerland - SwissSign (Root) | http://swisssign.net/ | IGTF |
| 7b54708e | Morocco: MAGrid CA | http://www.magrid.ma/ca | IGTF |
| 7d0d064a | MARGI - Macedonia | http://www.margi-ca.marnet.net.mk | IGTF |
| 82b36fca | Greece - HellasGrid (2006) | http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/ | IGTF |
| 8a047de1 | NECTEC GOC | http://gridca.hpcc.nectec.or.th/ | IGTF |
| 8a661490 | Poland - PolishGrid | http://www.man.poznan.pl/plgrid-ca/ | IGTF |
| 95009ddc | Purdue CA | http://tg-ca.purdue.teragrid.org:8080/ejbca/ | TeraGrid |
| 98ef0ee5 | UK eScience Root CA 2007 | http://www.grid-support.ac.uk/ca/ | IGTF |
| 9a1da9f9 | TACC | http://www.tacc.utexas.edu/CA/ | TeraGrid |
| 9b59ecad | Czech Republic - CESNET | http://www.cesnet.cz/pki/ | IGTF |
| 9b88e95b | USA - PSC Root CA | http://www.psc.edu/ca/ | TeraGrid |
| 9b95bbf2 | USA - NCSA MICS | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| 9cd75e87 | Academia Sinica Grid CA 2007 | http://ca.grid.sinica.edu.tw/ | IGTF |
| 9dd23746 | pkIRISGRID | http://www.irisgrid.es/pki/ | IGTF |
| a317c467 | Japan - AIST | https://www.apgrid.org/CA/AIST/Production/ | IGTF |
| a87d9192 | Japan - NAREGI | https://www.naregi.org/ca/ | IGTF |
| a9082267 | Latin American and Caribbean Catch-all Grid CA | http://lacgridca.ic.uff.br/ | IGTF |
| acc06fda | USA - PSC Hosts CA | http://www.psc.edu/ca/ | TeraGrid |
| afe55e66 | Cyprus - CyGrid | http://grid.ucy.ac.cy/CyGridCA/ | IGTF |
| b2771d44 | China - CNIC Grid CA | http://ca.grid.cn/en/ | IGTF |
| b7bcb7b2 | Argentina - UNPL Grid CA | https://www.pkigrid.unlp.edu.ar/ | IGTF |
| b89793e4 | NPACI | http://www.npaci.edu/CA/ | TeraGrid |
| ba2f39ca | China - IHEP | https://gridca.ihep.ac.cn/ | IGTF |
| bffbd7d0 | GridCanada | http://www.gridcanada.ca/ca | IGTF |
| ce33db76 | IRAN-GRID | http://cagrid.ipm.ac.ir/ | IGTF |
| c4435d12 | Switzerland - SwissSign (SWITCH) | http://swisssign.net/ | IGTF |
| c48c63f3 | China - CNIC SDG CA | http://ca.sdg.grid.cn/en/ | IGTF |
| cc800af0 | Hungary - NIIF | http://www.ca.niif.hu/ | IGTF |
| cf4ba8c8 | France - CNRS (EDG Catch-all CA) | http://igc.services.cnrs.fr/ | IGTF |
| d0c2a341 | Armenia - ArmeSFo | http://www.escience.am/ca/ | IGTF |
| d0b701c0 | SWITCHGrid Root | http://www.switch.ch/pki/grid | IGTF |
| d1737728 | NGO-Netrust | http://www.netrust.net | IGTF |
| d1b603c3 | US - ESnet Root | http://www.doegrids.org/ | IGTF and TeraGrid |
| d254cc30 | CERN-ROOT | http://www.cern.ch/ca | IGTF |
| d2a353a5 | Pakistan - PK Grid CA | http://www.ncp.edu.pk/pk-grid-ca/ | IGTF |
| dd4b34ea | Germany - GermanGrid | http://grid.fzk.de/ | IGTF |
| e13e0fcf | Slovakia - SlovakGrid | http://ups.savba.sk/ca/ | IGTF |
| e1fce4e9 | Fermilab KCA CA | https://computing.fnal.gov/security/pki/ | IGTF |
| e36e7a72 | Switzerland - SwissSign (Bronze) | http://swisssign.net/ | IGTF |
| e9d08b40 | Switzerland - SwissSign (Silver) | http://swisssign.net/ | IGTF |
| eebc7717 | SWITCH-Server-2007 | http://swisssign.net/ | IGTF |
| f2e89fe3 | USA - NCSA SLCS | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| f5ead794 | PK-Grid-2007 | http://www.ncp.edu.pk/pk-grid-ca/ | IGTF |
| fe102e03 | Germany - DFN-GridGermany-Server | http://www.pca.dfn.de/ | IGTF |
| ff94d436 | Croatia - SRCE | http://ra.srce.hr/ | IGTF |