Note: This version of the VDT (1.8.1) is supported, but is not our latest stable release. The current stable release is 1.10.1.
The VDT team updates the VDT CA certificate package independently of the rest of the VDT. When updates are announced, follow the instructions below to get them.
To find out what VDT version you have:
$ vdt-version | head -1 You have installed a subset of VDT version 1.8.1a:
To find out what version of the VDT-distributed CA certificates you have:
$ vdt-version | grep -i certificates
CA Certificates v49 (includes IGTF IGTF 1.29 CAs)
The most reliable method to update the certificates is to use our
automatic updater. It's been available since VDT 1.8.0. You know it is
installed if $VDT_LOCATION/vdt/sbin/vdt-update-certs
exists. If it is not installed, you can install it with:
$ pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:CA-Certificates-Updater
If you installed as root, you can run it automatically via cron. It runs once per day, and your certificates will be kept up to date. You can also run it manually if you prefer. Just run:
$ cd $VDT_LOCATION $ vdt/sbin/vdt-update-certs
Choosing a CA certificate distribution
As of September 11, 2008, the OSG GOC now maintains a CA certificate
distribution recommended by the OSG Security Team. The VDT will continue
to distribute the CA certificates as well, however, in the near future
(exact date to be announced), the VDT will ship a convenience distribution
of CA certificates which will be the set of IGTF-accredited CA certificates.
(Please note that this means we will not be distributing the TeraGrid CAs or
the Fermilab KCA anymore, just the IGTF-accredited CAs.) For VDT 1.8.1, the
default is to use the VDT's distribution. If you wish to switch to the GOC
distribution, you can make the a change in your vdt-update-certs
configuration file to do so:
$VDT_LOCATION/vdt/etc/vdt-update-certs.conf
cacerts_url = http://software.grid.iu.edu/pacman/cadist/ca-certs-version
vdt-update-certs --force
More information on vdt-update-certs...
If you prefer to use an RPM, there is a single RPM containing all of
the CA certificates distributed by the VDT. You can install the RPM
manually or with yum. The certificates will be installed in /etc/grid-security/certificates.
Please note two caveats if you install with RPM. First, you should
tell the VDT not to install the CA certificates via Pacman. Second,
vdt-version will not report the correct version of the
installed certificates.
# rpm -ivh http://vdt.cs.wisc.edu/vdt_rpms/vdt-ca-certs/vdt-ca-certs-49-1.noarch.rpm
If you wish to download older versions of the RPM, you can find them here.
Direct link to vdt-ca-certs-49-1.noarch.rpm (The latest version)
/etc/yum.repos.d/vdt-ca-certs.repo.
Download vdt-ca-certs.repo
yum install vdt-ca-certs
yum update vdt-ca-certs
Note that YUM can do automatic updates. One some RedHat variants, you
can install a yum-cron package, which makes a cron job in
/etc/cron.daily to update YUM packages automatically.
If for some reason you do not with to use the automatic updater, you can use Pacman. In our experience, this method almost always works, but has occasional failures.
$ cd $VDT_LOCATION $ pacman -update CA-Certificates About to begin uninstalling [...:CA-Certificates]... ... Package [...:CA-Certificates] successfully installed...
If you do not trust a Certificate Authority, and would like to remove it from the distribution, follow these steps:
# ls $VDT_LOCATION/globus/TRUSTED_CA/12345678.* 12345678.0 12345678.crl_url 12345678.info 12345678.namespaces 12345678.r0 12345678.signing_policy
$VDT_LOCATION/vdt/etc/vdt-update-certs.conf, and add these files to the
exclude section. This will automatically remove these files anytime
vdt-update-certs installs a new certificate distribution.
exclude=12345678.0 exclude=12345678.crl_url exclude=12345678.info exclude=12345678.namespaces exclude=12345678.r0 exclude=12345678.signing_policy
rm $VDT_LOCATION/globus/TRUSTED_CA/12345678.*
At install time, you have the choice to install your certificates into the "root" location (/etc/grid-security), or the "local" location, ($VDT_LOCATION/globus/share). If you would like to install your certificates into a custom location, for example, in order to put them on a shared filesystem, you can do the following setup:
$VDT_LOCATION/globus/share/nfs/ca-certs.
$VDT_LOCATION/globus/share to /nfs/ca-certs
cd $VDT_LOCATION/globus/share mv certificates-49-1 /nfs/ca-certs/ rm certificates cd /nfs/ca-certs ln -s /nfs/ca-certs/certificates-49-1 certificates
$VDT_LOCATION/globus/TRUSTED_CA link:
cd $VDT_LOCATION/globus rm TRUSTED_CA ln -s /nfs/ca-certs/certificates TRUSTED_CA
Curious about what has changed in each CA certificate release?
| Hash | Description | Contact | Source |
|---|---|---|---|
| 03aa0ecb | Belgium - BeGrid | https://gridra.belnet.be/pub/ | IGTF |
| 09ff08b7 | CNRS-Projets | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 0a12b607 | UGrid - Ukraine | https://ca.ugrid.org/ | IGTF |
| 0a2bac92 | Brazil - BrGrid | https://brgridca.ic.uff.br/ | IGTF |
| 1149214e | Germany - DFN-GridGermany-Root | http://www.pca.dfn.de/ | IGTF |
| 11b4a5a2 | Portugal - LIPCA | http://ca.lip.pt/ | IGTF |
| 12a1d8c2 | France - GRID-FR | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 163af95c | CNRS2 | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| 1691b9ba | Turkey - TRGrid | http://www.grid.org.tr/ca/ | IGTF |
| 16da7552 | The Netherlands - NIKHEF | http://certificate.nikhef.nl/ | IGTF |
| 1c3f2ca8 | USA - DOE Grids | http://www.doegrids.org/ | IGTF |
| 1d879c6c | CERN-TCA | http://www.cern.ch/ca | IGTF |
| 1e12d831 | APAC | http://www.vpac.org/twiki/bin/view/APACgrid/CaInterface | IGTF |
| 1e43b9cc | Ireland - Grid-Ireland | http://www.cs.tcd.ie/grid-ireland/gi-ca/ | IGTF |
| 1f0e8352 | Nordic countries - NorduGrid | http://hep.nbi.dk/CA/ | IGTF |
| 1f3834d0 | RomanianGRID - Romania | http://www.romaniangrid.ro | IGTF |
| 2418a3f3 | BG-ACAD (Bulgarian Academic CA) | http://www.ca.acad.bg/ | IGTF |
| 24c3ccde | UNAM Grid - Mexico | http://ca.unamgrid.unam.mx/ | IGTF |
| 28a58577 | Greece - HellasGrid (Root 2006) | http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/ | IGTF |
| 295adc19 | Chile - REUNA CA | http://reuna-ca.reuna.cl/ | IGTF |
| 2a237f16 | Baltic States - Baltic Grid CA | http://ca.balticgrid.org/ | IGTF |
| 2ac09305 | TACC MICS | http://www.tacc.utexas.edu/CA/ | IGTF |
| 2f3fadf6 | INFN | http://security.fi.infn.it/CA/ | IGTF |
| 304cf809 | SWITCHslcs | http://www.switch.ch/pki/grid | IGTF |
| 3232b9bc | MREN - Montenegro | http://mren-ca.ac.me/ | IGTF |
| 34a509c3 | France - CNRS-Projets | http://igc.services.cnrs.fr/ | IGTF |
| 34f8e29c | Germany - DFN-GridGermany-User | http://www.pca.dfn.de/ | IGTF |
| 367b75c3 | UK eScience CA 2007 | http://www.grid-support.ac.uk/ca/ | IGTF |
| 393f7863 | Serbia - AEGIS | http://aegis-ca.rcub.bg.ac.yu/ | IGTF |
| 3d5be7bc | Slovenia - SiGNET CA | http://signet-ca.ijs.si/ | IGTF |
| 3f0f4285 | Venezuela - ULAGrid CA | http://ra.cecalc.ula.ve | IGTF |
| 71a89a47 | NCHC | http://ca.goc.nchc.org.tw/ | IGTF |
| 468d15b3 | Balkans - SeeGrid | http://www.grid.auth.gr/pki/seegrid-ca/ | IGTF |
| 4798da47 | HKU | http://ca.grid.hku.hk/ | IGTF |
| 47d3d1a0 | SWITCH-Personal-2007 | http://swisssign.net | IGTF |
| 55994d72 | Russia - RDIG | http://ca.grid.kiae.ru/RDIG/ | IGTF |
| 5cf9d536 | QuoVadis-Root-CA1 | http://www.switch.ch/pki/ | IGTF |
| 5e5501f3 | Hungary - KFKI RMKI | http://pki.kfki.hu/ | IGTF |
| 617ff41b | Japan - KEK | https://gridca.kek.jp/ | IGTF |
| 684261aa | US - TACC Root | http://www.tacc.utexas.edu/CA/ | IGTF |
| 6e3b436b | Austria - AustrianGrid | https://ca.austriangridca.at/ | IGTF |
| 6fee79b0 | Israel - IUCC | http://certificate.iucc.ac.il/ | IGTF |
| 709bed08 | BYGCA | http://ca.grid.by/ | IGTF |
| 722e5071 | Korea - KISTI 2007 | http://ca.gridcenter.or.kr/ | IGTF |
| 742edd45 | Latvia - LatGrid | http://grid.lumii.lv/?lang=en | IGTF |
| 7721d4d3 | PRAGMA-UCSD | http://goc.pragma-grid.net/ca/ | IGTF |
| 7b2d086c | Switzerland - SwissSign (Root) | http://swisssign.net/ | IGTF |
| 7b54708e | Morocco: MAGrid CA | http://www.magrid.ma/ca | IGTF |
| 7d0d064a | MARGI - Macedonia | http://www.margi-ca.marnet.net.mk | IGTF |
| 82b36fca | Greece - HellasGrid (2006) | http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/ | IGTF |
| 8a047de1 | NECTEC GOC | http://gridca.hpcc.nectec.or.th/ | IGTF |
| 8a661490 | Poland - PolishGrid | http://www.man.poznan.pl/plgrid-ca/ | IGTF |
| 98ef0ee5 | UK eScience Root CA 2007 | http://www.grid-support.ac.uk/ca/ | IGTF |
| 9b59ecad | Czech Republic - CESNET | http://www.cesnet.cz/pki/ | IGTF |
| 9b95bbf2 | USA - NCSA MICS | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| 9cd75e87 | Academia Sinica Grid CA 2007 | http://ca.grid.sinica.edu.tw/ | IGTF |
| 9dd23746 | pkIRISGRID | http://www.irisgrid.es/pki/ | IGTF |
| 9ff26ea4 | MD-Grid | http://ca.grid.md/ | IGTF |
| a02131f7 | DFN-SLCS | http://www.pki.dfn.de/index.php?id=slcs | IGTF |
| a317c467 | Japan - AIST | https://www.apgrid.org/CA/AIST/Production/ | IGTF |
| a87d9192 | Japan - NAREGI | https://www.naregi.org/ca/ | IGTF |
| a9082267 | Latin American and Caribbean Catch-all Grid CA | http://lacgridca.ic.uff.br/ | IGTF |
| afe55e66 | Cyprus - CyGrid | http://grid.ucy.ac.cy/CyGridCA/ | IGTF |
| b2771d44 | China - CNIC Grid CA | http://ca.grid.cn/en/ | IGTF |
| b7bcb7b2 | Argentina - UNPL Grid CA | https://www.pkigrid.unlp.edu.ar/ | IGTF |
| ba2f39ca | China - IHEP | https://gridca.ihep.ac.cn/ | IGTF |
| b93d6240 | NERSC SLCS CA | http://certs.nersc.gov/ | IGTF |
| bffbd7d0 | GridCanada | http://www.gridcanada.ca/ca | IGTF |
| ce33db76 | IRAN-GRID | http://cagrid.ipm.ac.ir/ | IGTF |
| c4435d12 | Switzerland - SwissSign (SWITCH) | http://swisssign.net/ | IGTF |
| c48c63f3 | China - CNIC SDG CA | http://ca.sdg.grid.cn/en/ | IGTF |
| cc800af0 | Hungary - NIIF | http://www.ca.niif.hu/ | IGTF |
| cf4ba8c8 | France - CNRS (EDG Catch-all CA) | http://igc.services.cnrs.fr/ | IGTF |
| d0c2a341 | Armenia - ArmeSFo | http://www.escience.am/ca/ | IGTF |
| d0b701c0 | SWITCHGrid Root | http://www.switch.ch/pki/grid | IGTF |
| d11f973e | CNRS2-Grid-FR | http://igc.services.cnrs.fr/GRID-FR/ | IGTF |
| d1737728 | NGO-Netrust | http://netrustconnector.netrust.net/ | IGTF |
| d1b603c3 | US - ESnet Root | http://www.doegrids.org/ | IGTF |
| d254cc30 | CERN-ROOT | http://www.cern.ch/ca | IGTF |
| da75f6a8 | Indian Grid CA | http://ca.garudaindia.in/ | IGTF |
| dd4b34ea | Germany - GermanGrid | http://grid.fzk.de/ | IGTF |
| e13e0fcf | Slovakia - SlovakGrid | http://ups.savba.sk/ca/ | IGTF |
| e1fce4e9 | Fermilab KCA CA | https://computing.fnal.gov/security/pki/ | IGTF |
| e36e7a72 | Switzerland - SwissSign (Bronze) | http://swisssign.net/ | IGTF |
| e5cc84c2 | US - TACC Root | http://www.tacc.utexas.edu/CA/ | IGTF |
| e72045ce | SWITCH-QuoVadis-Grid-ICA | http://www.switch.ch/grid/certificates/ | IGTF |
| e8ac4b61 | NCSA GridShib CA | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| e8d818e6 | BEGrid2008 | https://gridra.begrid.be/ | IGTF |
| e9d08b40 | Switzerland - SwissSign (Silver) | http://swisssign.net/ | IGTF |
| eebc7717 | SWITCH-Server-2007 | http://swisssign.net/ | IGTF |
| f2e89fe3 | USA - NCSA SLCS | http://security.ncsa.uiuc.edu/CA/ | IGTF |
| f5ead794 | PK-Grid-2007 | http://www.ncp.edu.pk/pk-grid-ca/ | IGTF |
| fe102e03 | Germany - DFN-GridGermany-Server | http://www.pca.dfn.de/ | IGTF |
| ff94d436 | Croatia - SRCE | http://ra.srce.hr/ | IGTF |