Maintaining a CA Certificate Distribution

This page contains instructions to help you maintain your own distribution of certificate authority (CA) certificates. This is not necessary for installing the VDT: you can use the convenience IGTF distribution of certificates supplied by the VDT or, if you are a member of OSG, the distribution from the OSG Security Team. For more information, see this page.

Getting Started

  1. Fetch the certificate distribution scripts from the VDT. They are located here. The contents of the directory are as follows:
    certificates: Contains the CA certificates that will be distributed. You can download these or use your own.
    defs: File that contains version and path information.
    make-manifest: Script to generate the manifest for vdt-update-certs.
    process-igtf-distribution.pl: No documentation for this script is available, but if you are using Subversion or another version control system, you might find it useful for creating new certificate distributions.
    validate_index.pl: A script to validate the INDEX.txt file in the certificates directory.
    vdt-scripts: Contains VDT-specific scripts that you do not need to use.
  2. Update the path and version information in the defs file. At a minimum, you will need to change ROOT and WEB_PATH, and you might want to change the starting version number for your certificates as well. Pay attention to TARBALL_PATH: this is where you will need to place your certificates tarball.
    ROOT: The root location in your filesystem, e.g., /p/vdt/public/html
    WEB_PATH: The URL from which the tarball is fetched, e.g., http://vdt.cs.wisc.edu/software/certificates/$(TARBALL_NAME)
    OUR_CERTS_MAJOR_VERSION: The major version number; the version appears as MAJOR-MINOR
    OUR_CERTS_MINOR_VERSION: The minor version number; e.g., if MAJOR is 40 and MINOR is 2, the version is 40-2
    IGTF_CERTS_VERSION: This might not be applicable to your distribution, in which case it can be removed or commented out
    CERTS_DESCRIPTION: The description that will appear when vdt-version is run
    CERTS_DIR: The location where you will store certificates, e.g., $(ROOT)/software/certificates
    TARBALL_NAME: The name of your tarball, e.g., certificates-$(OUR_CERTS_MAJOR_VERSION)-$(OUR_CERTS_MINOR_VERSION).tar.gz
    TARBALL_PATH: The local location where the tarball will be stored, e.g., $(CERTS_DIR)/$(OUR_CERTS_MAJOR_VERSION)/$(TARBALL_NAME)
  3. Please let the VDT know that you are maintaining your own CA certificate distribution, and feel free to give us feedback on the process.

Releasing the Certificates

  1. Put the certificates you want to distribute in the certificates directory.
  2. Update the INDEX.txt file in the certificates directory. Don’t miss the version number at the bottom of the file.
  3. Verify the contents of the INDEX.txt file by running validate_index.pl.
  4. Update the CHANGES file in the certificates directory as appropriate.
  5. Update the defs file to reflect a new CA certificates version.
  6. Create a tarball at the TARBALL_PATH location defined in your defs file. The tarball must contain exactly one top-level directory, named certificates, which contains all the certificates. Run the following from the parent directory of certificates, substituting the value of TARBALL_PATH; it skips editor backup files (*~), lock files (.#*), directories themselves and Subversion metadata:
    tar czf TARBALL_PATH $(find certificates ! -name '*~' ! -name '.#*' ! -type d | grep -v '\.svn')
  7. Run the make-manifest command to generate the manifest. This script will not work until the tarball is in place, because it needs to calculate the md5sum of the tarball.
  8. Do a quick installation to check everything. To exercise the manifest file and certificates tarball, force an update from a test installation with vdt-update-certs --force.
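The release steps above, as an added example that is not one of the VDT's own scripts: a small POSIX shell script that builds the tarball the way step 6 describes, verifies that it has the single top-level certificates directory and none of the excluded files, and computes the md5sum that make-manifest records in step 7. The fixture it creates is a constructed placeholder (the certificate contents and the INDEX.txt line are not real, and the INDEX.txt format is not specified on this page); the function names, the temporary working directory and the 40-2 version are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the release procedure above; not one of the VDT's own
# scripts. Builds the certificates tarball as step 6 describes and checks what
# steps 6 and 7 depend on: a single top-level "certificates" directory and the
# tarball's md5sum. Function and file names are assumptions for illustration.

# Build the tarball from the "certificates" directory that lives under $1,
# writing it to the absolute path $2 (your TARBALL_PATH). Same selection as the
# page's command: skip editor backups (*~), lock files (.#*), directories and
# Subversion metadata. Feeding the list to tar via -T avoids word splitting.
build_certs_tarball() {
    ( cd "$1" &&
      find certificates ! -name '*~' ! -name '.#*' ! -type d \
        | grep -v '\.svn' \
        | tar czf "$2" -T - )
}

# Succeed only if every entry in the tarball sits under one top-level
# directory named "certificates" (the layout step 6 requires).
check_tarball_layout() {
    tops=$(tar tzf "$1" | cut -d/ -f1 | sort -u)
    [ "$tops" = "certificates" ]
}

# Fail if any of the excluded file types slipped into the tarball.
check_no_junk() {
    if tar tzf "$1" | grep -q -e '~$' -e '\.svn' -e '/\.#'; then
        return 1
    fi
    return 0
}

# Hex md5sum of the tarball, the value make-manifest needs (step 7).
tarball_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Build a throwaway release in a temporary directory and run every check.
# All files are constructed placeholders, not real CA certificates.
demo_release() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/certificates/.svn"
    printf 'constructed placeholder, not a real CA certificate\n' \
        > "$work/certificates/1234abcd.0"
    printf '1234abcd.0  Example CA (constructed line)\n' > "$work/certificates/INDEX.txt"
    printf 'backup\n' > "$work/certificates/1234abcd.0~"     # must be excluded
    printf 'lock\n'   > "$work/certificates/.#INDEX.txt"     # must be excluded
    printf 'svn\n'    > "$work/certificates/.svn/entries"    # must be excluded
    tarball="$work/certificates-40-2.tar.gz"                 # assumed version 40-2

    build_certs_tarball "$work" "$tarball" || return 1
    check_tarball_layout "$tarball" || return 1
    check_no_junk "$tarball" || return 1
    # a valid md5sum is 32 hex characters
    tarball_md5 "$tarball" | grep -q '^[0-9a-f]\{32\}$' || return 1
    rm -rf "$work"
}

demo_release && echo "release tarball OK"
```

Run it from any directory; only demo_release touches the filesystem, and only under a fresh mktemp directory. In a real release, call build_certs_tarball with the parent of your certificates directory and the TARBALL_PATH from defs, then run the two checks before invoking make-manifest.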

Using vdt-update-certs with your distribution

More information

vdt-update-certs man page