Note: This version of the VDT (1.8.1) is no longer supported. Feel free to look through the documentation and install it, but we cannot guarantee support for it. The current stable release is 2.0.0.

CA Certificates in the VDT

Table of Contents

• General Information
• Updating CA Certificates
  • With vdt-update-certs
    • Choosing a CA certificate distribution
  • With rpm
  • With pacman
• Removing a Certificate Authority from the distribution
• Custom Certificate Installation - installing in a non-standard location
• Change Log
• List of Certificate Authorities

General Information

The VDT team updates the VDT CA certificate package independently of the rest of the VDT. When updates are announced, follow the instructions below to get them.

To find out what VDT version you have:

$ vdt-version | head -1
You have installed a subset of VDT version 1.8.1a:

To find out what version of the VDT-distributed CA certificates you have:

$ vdt-version | grep -i certificates
    CA Certificates v52 (includes IGTF IGTF 1.32 CAs)

Updating CA Certificates

Using the automatic updater

The most reliable method to update the certificates is to use our automatic updater. It's been available since VDT 1.8.0. You know it is installed if $VDT_LOCATION/vdt/sbin/vdt-update-certs exists. If it is not installed, you can install it with:

$ pacman -get http://vdt.cs.wisc.edu/vdt_181_cache:CA-Certificates-Updater

If you installed as root, you can run it automatically via cron. It runs once per day, and your certificates will be kept up to date. You can also run it manually if you prefer. Just run:

$ cd $VDT_LOCATION
$ vdt/sbin/vdt-update-certs

Choosing a CA certificate distribution

As of September 11, 2008, the OSG GOC now maintains a CA certificate distribution recommended by the OSG Security Team. The VDT will continue to distribute the CA certificates as well, however, in the near future (exact date to be announced), the VDT will ship a convenience distribution of CA certificates which will be the set of IGTF-accredited CA certificates. (Please note that this means we will not be distributing the TeraGrid CAs or the Fermilab KCA anymore, just the IGTF-accredited CAs.) For VDT 1.8.1, the default is to use the VDT's distribution. If you wish to switch to the GOC distribution, you can make the a change in your vdt-update-certs configuration file to do so:

1. Edit $VDT_LOCATION/vdt/etc/vdt-update-certs.conf
   Insert the following line:

   cacerts_url = http://software.grid.iu.edu/pacman/cadist/ca-certs-version

2. Run vdt-update-certs to fetch the GOCs certificates.

   vdt-update-certs --force

More information on vdt-update-certs...

Using RPM

If you prefer to use an RPM, there is a single RPM containing all of the CA certificates distributed by the VDT. You can install the RPM manually or with yum. The certificates will be installed in /etc/grid-security/certificates. Please note two caveats if you install with RPM. First, you should tell the VDT not to install the CA certificates via Pacman. Second, vdt-version will not report the correct version of the installed certificates.

Installing the VDT CA Certificate RPM manually

# rpm -ivh http://vdt.cs.wisc.edu/vdt_rpms/vdt-ca-certs/vdt-ca-certs-52-1.noarch.rpm

If you wish to download older versions of the RPM, you can find them here.

Direct link to vdt-ca-certs-52-1.noarch.rpm (The latest version)

Installing the VDT CA Certificates with YUM

1. Tell yum about the VDT CA Certificate repository by adding a file named /etc/yum.repos.d/vdt-ca-certs.repo. Download vdt-ca-certs.repo
2. Install the CA Certificates:

   yum install vdt-ca-certs
   

3. Update the CA Certificates (if they are already installed):

   yum update vdt-ca-certs
   

Note that YUM can do automatic updates. One some RedHat variants, you can install a yum-cron package, which makes a cron job in /etc/cron.daily to update YUM packages automatically.

Using Pacman

If for some reason you do not with to use the automatic updater, you can use Pacman. In our experience, this method almost always works, but has occasional failures.

$ cd $VDT_LOCATION
$ pacman -update CA-Certificates
About to begin uninstalling [...:CA-Certificates]...
...
Package [...:CA-Certificates] successfully installed...

Removing a Certificate Authority

If you do not trust a Certificate Authority, and would like to remove it from the distribution, follow these steps:

1. Determine the hash of the CA you would like to remove. For the example below we will assume the hash is "12345678"
2. Find the files associated with that hash

   # ls $VDT_LOCATION/globus/TRUSTED_CA/12345678.*
   12345678.0
   12345678.crl_url
   12345678.info
   12345678.namespaces
   12345678.r0
   12345678.signing_policy
   

3. Edit $VDT_LOCATION/vdt/etc/vdt-update-certs.conf, and add these files to the exclude section. This will automatically remove these files anytime vdt-update-certs installs a new certificate distribution.

   exclude=12345678.0
   exclude=12345678.crl_url
   exclude=12345678.info
   exclude=12345678.namespaces
   exclude=12345678.r0
   exclude=12345678.signing_policy
   

4. Remove these files from the current distribution.

   rm $VDT_LOCATION/globus/TRUSTED_CA/12345678.*
   

Custom installation

At install time, you have the choice to install your certificates into the "root" location (/etc/grid-security), or the "local" location, ($VDT_LOCATION/globus/share). If you would like to install your certificates into a custom location, for example, in order to put them on a shared filesystem, you can do the following setup:

1. Install the certificates locally. This will install them to $VDT_LOCATION/globus/share
2. Create a directory in your shared filesystem to hold the certificates. Assume your desired location is, for example, /nfs/ca-certs.
3. Move the certificates from $VDT_LOCATION/globus/share to /nfs/ca-certs

   cd $VDT_LOCATION/globus/share
   mv certificates-52-1 /nfs/ca-certs/
   rm certificates
   cd /nfs/ca-certs
   ln -s /nfs/ca-certs/certificates-52-1 certificates
   

4. Update the $VDT_LOCATION/globus/TRUSTED_CA link:

   cd $VDT_LOCATION/globus
   rm TRUSTED_CA
   ln -s /nfs/ca-certs/certificates TRUSTED_CA
   

Change Log

Curious about what has changed in each CA certificate release?

CA certificate change log

CAs in CA-Certificates v52 (IGTF 1.32 and TeraGrid)

View the contents of a different release: v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16 v17 v18 v19 v20 v21 v23 v24 v25 v26 v27 v28 v29 v30 v31 v32 v33 v34 v35 v36 v37 v38 v39 v40 v41 v42 v43 v44 v45 v46 v47 v48 v49 v50 v51 v52

Hash	Description	Contact	Source
09ff08b7	CNRS-Projets	http://igc.services.cnrs.fr/GRID-FR/	IGTF
0a12b607	UGrid - Ukraine	https://ca.ugrid.org/	IGTF
0a2bac92	Brazil - BrGrid	https://brgridca.ic.uff.br/	IGTF
1149214e	Germany - DFN-GridGermany-Root	http://www.pca.dfn.de/	IGTF
11b4a5a2	Portugal - LIPCA	http://ca.lip.pt/	IGTF
12a1d8c2	France - GRID-FR	http://igc.services.cnrs.fr/GRID-FR/	IGTF
163af95c	CNRS2	http://igc.services.cnrs.fr/GRID-FR/	IGTF
1691b9ba	Turkey - TRGrid	http://www.grid.org.tr/ca/	IGTF
16da7552	The Netherlands - NIKHEF	http://certificate.nikhef.nl/	IGTF
1c3f2ca8	USA - DOE Grids	http://www.doegrids.org/	IGTF
1d879c6c	CERN-TCA	http://www.cern.ch/ca	IGTF
1e12d831	APAC	http://www.vpac.org/twiki/bin/view/APACgrid/CaInterface	IGTF
1e43b9cc	Ireland - Grid-Ireland	http://www.cs.tcd.ie/grid-ireland/gi-ca/	IGTF
1f0e8352	Nordic countries - NorduGrid	http://hep.nbi.dk/CA/	IGTF
1f3834d0	RomanianGRID - Romania	http://www.romaniangrid.ro	IGTF
2418a3f3	BG-ACAD (Bulgarian Academic CA)	http://www.ca.acad.bg/	IGTF
24c3ccde	UNAM Grid - Mexico	http://ca.unamgrid.unam.mx/	IGTF
28a58577	Greece - HellasGrid (Root 2006)	http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/	IGTF
295adc19	Chile - REUNA CA	http://reuna-ca.reuna.cl/	IGTF
2a237f16	Baltic States - Baltic Grid CA	http://ca.balticgrid.org/	IGTF
2ac09305	TACC MICS	http://www.tacc.utexas.edu/CA/	IGTF
2f3fadf6	INFN	http://security.fi.infn.it/CA/	IGTF
304cf809	SWITCHslcs	http://www.switch.ch/pki/grid	IGTF
3232b9bc	MREN - Montenegro	http://mren-ca.ac.me/	IGTF
34a509c3	France - CNRS-Projets	http://igc.services.cnrs.fr/	IGTF
367b75c3	UK eScience CA 2007	http://www.grid-support.ac.uk/ca/	IGTF
393f7863	Serbia - AEGIS	http://aegis-ca.rcub.bg.ac.yu/	IGTF
3d5be7bc	Slovenia - SiGNET CA	http://signet-ca.ijs.si/	IGTF
3f0f4285	Venezuela - ULAGrid CA	http://ra.cecalc.ula.ve	IGTF
71a89a47	NCHC	http://ca.goc.nchc.org.tw/	IGTF
468d15b3	Balkans - SeeGrid	http://www.grid.auth.gr/pki/seegrid-ca/	IGTF
4798da47	HKU	http://ca.grid.hku.hk/	IGTF
55994d72	Russia - RDIG	http://ca.grid.kiae.ru/RDIG/	IGTF
5cf9d536	QuoVadis-Root-CA1	http://www.switch.ch/pki/	IGTF
617ff41b	Japan - KEK	https://gridca.kek.jp/	IGTF
684261aa	US - TACC Root	http://www.tacc.utexas.edu/CA/	IGTF
6e3b436b	Austria - AustrianGrid	https://ca.austriangridca.at/	IGTF
6fee79b0	Israel - IUCC	http://certificate.iucc.ac.il/	IGTF
709bed08	BYGCA	http://ca.grid.by/	IGTF
722e5071	Korea - KISTI 2007	http://ca.gridcenter.or.kr/	IGTF
742edd45	Latvia - LatGrid	http://grid.lumii.lv/?lang=en	IGTF
7721d4d3	PRAGMA-UCSD	http://goc.pragma-grid.net/ca/	IGTF
7b54708e	Morocco: MAGrid CA	http://www.magrid.ma/ca	IGTF
7d0d064a	MARGI - Macedonia	http://www.margi-ca.marnet.net.mk	IGTF
82b36fca	Greece - HellasGrid (2006)	http://www.grid.auth.gr/pki/hellasgrid-root-ca-2006/	IGTF
8a047de1	NECTEC GOC	http://gridca.hpcc.nectec.or.th/	IGTF
8a661490	Poland - PolishGrid	http://www.man.poznan.pl/plgrid-ca/	IGTF
98ef0ee5	UK eScience Root CA 2007	http://www.grid-support.ac.uk/ca/	IGTF
9b59ecad	Czech Republic - CESNET	http://www.cesnet.cz/pki/	IGTF
9b95bbf2	USA - NCSA MICS	http://security.ncsa.uiuc.edu/CA/	IGTF
9cd75e87	Academia Sinica Grid CA 2007	http://ca.grid.sinica.edu.tw/	IGTF
9dd23746	pkIRISGRID	http://www.irisgrid.es/pki/	IGTF
9ff26ea4	MD-Grid	http://ca.grid.md/	IGTF
a02131f7	DFN-SLCS	http://www.pki.dfn.de/index.php?id=slcs	IGTF
a317c467	Japan - AIST	https://www.apgrid.org/CA/AIST/Production/	IGTF
a87d9192	Japan - NAREGI	https://www.naregi.org/ca/	IGTF
a9082267	Latin American and Caribbean Catch-all Grid CA	http://lacgridca.ic.uff.br/	IGTF
afe55e66	Cyprus - CyGrid	http://grid.ucy.ac.cy/CyGridCA/	IGTF
b2771d44	China - CNIC Grid CA	http://ca.grid.cn/en/	IGTF
b7bcb7b2	Argentina - UNPL Grid CA	https://www.pkigrid.unlp.edu.ar/	IGTF
ba2f39ca	China - IHEP	https://gridca.ihep.ac.cn/	IGTF
b93d6240	NERSC SLCS CA	http://certs.nersc.gov/	IGTF
bffbd7d0	GridCanada	http://www.gridcanada.ca/ca	IGTF
ce33db76	IRAN-GRID	http://cagrid.ipm.ac.ir/	IGTF
c48c63f3	China - CNIC SDG CA	http://ca.sdg.grid.cn/en/	IGTF
cc800af0	Hungary - NIIF	http://www.ca.niif.hu/	IGTF
cf4ba8c8	France - CNRS (EDG Catch-all CA)	http://igc.services.cnrs.fr/	IGTF
d0c2a341	Armenia - ArmeSFo	http://www.escience.am/ca/	IGTF
d0b701c0	SWITCHGrid Root	http://www.switch.ch/pki/grid	IGTF
d11f973e	CNRS2-Grid-FR	http://igc.services.cnrs.fr/GRID-FR/	IGTF
d1737728	NGO-Netrust	http://netrustconnector.netrust.net/	IGTF
d1b603c3	US - ESnet Root	http://www.doegrids.org/	IGTF
d254cc30	CERN-ROOT	http://www.cern.ch/ca	IGTF
da75f6a8	Indian Grid CA	http://ca.garudaindia.in/	IGTF
dd4b34ea	Germany - GermanGrid	http://grid.fzk.de/	IGTF
e13e0fcf	Slovakia - SlovakGrid	http://ups.savba.sk/ca/	IGTF
e1fce4e9	Fermilab KCA CA	https://computing.fnal.gov/security/pki/	IGTF
e5cc84c2	US - TACC Root	http://www.tacc.utexas.edu/CA/	IGTF
e72045ce	SWITCH-QuoVadis-Grid-ICA	http://www.switch.ch/grid/certificates/	IGTF
e8ac4b61	NCSA GridShib CA	http://security.ncsa.uiuc.edu/CA/	IGTF
e8d818e6	BEGrid2008	https://gridra.begrid.be/	IGTF
f2e89fe3	USA - NCSA SLCS	http://security.ncsa.uiuc.edu/CA/	IGTF
f5ead794	PK-Grid-2007	http://www.ncp.edu.pk/pk-grid-ca/	IGTF
ff94d436	Croatia - SRCE	http://ra.srce.hr/	IGTF