Skip to content

ESGF Globus Simple CA Creation

ncaripsl edited this page Nov 12, 2014 · 6 revisions

Execute source /etc/esg.env /usr/local/globus/setup/globus/setup-simple-ca

Define a unique subject (ex: CN=Globus Simple CA, OU=simpleCA-esgf-node.ipsl.fr, OU=GlobusTest, O=Grid)

 The unique subject name for this CA is:
 cn=Globus Simple CA, ou=simpleCA-esgf-node.ipsl.fr, ou=GlobusTest, o=Grid

 Do you want to keep this as the CA subject (y/n) [y]:

Define email address

  Enter the email of the CA (this is the email where certificate requests will be sent to be
  signed by the CA): admin@my_org.my_domain.

Define CA expiration

 The CA certificate has an expiration date. Keep in mind that once the CA certificate has expired,
 all the certificates signed by that CA become invalid.  A CA should regenerate the CA certificate
 and start re-issuing ca-setup packages before the actual CA certificate expires.  This can be
 done by re-running this setup script.  Enter the number of DAYS the CA certificate should last
 before it expires.[default: 5 years (1825 days)]:

Configure passphrase

 Generating a 1024 bit RSA private key
 ........++++++
 ................++++++
 writing new private key to '/home/globus/.globus/simpleCA//private/cakey.pem'
 Enter PEM pass phrase:

Confirm

 A self-signed certificate has been generated 
 for the Certificate Authority with the subject: 
            
 /O=Grid/OU=GlobusTest/OU=esgf-node.ipsl.fr/CN=Globus Simple CA
            
 If this is invalid, rerun this script 
            
 setup/globus/setup-simple-ca
            
 and enter the appropriate fields.
            
 -------------------------------------------------------------------
            
 The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cak ey.pem
 The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem
            
 The distribution package built for this CA is stored in
            
 /home/globus/.globus/simpleCA//globus_simple_ca_68ea3306_setup-0.17.tar.gz

Result

 ***************************************************************************
            
 Note: To complete setup of the GSI software you need to run the
 following script as root to configure your security configuration
 directory:
            
 /opt/gt4/setup/globus_simple_ca_68ea3306_setup/setup-gsi
            
 For further information on using the setup-gsi script, use the -help
 option.  The -default option sets this security configuration to be 
 the default, and -nonroot can be used on systems where root access is 
 not available.
            
 ***************************************************************************
            
 setup-ssl-utils: Complete

Execute

 /usr/local/globus/setup/globus_simple_ca_<certhash>_setup/setup-gsi

Result

 setup-gsi: Configuring GSI security
 Installing /etc/grid-security/certificates//grid-security.conf.CA_Hash...
 Running grid-security-config...
 Installing Globus CA certificate into trusted CA certificate directory...
 Installing Globus CA signing policy into trusted CA certificate directory...
 setup-gsi: Complete

Check freshly created CA Cert

 openssl x509 -text -in /root/.globus/simpleCA/cacert.pem