Host Certificates
Hosts which run grid services (such as CEs, SEs, gridftp servers) need to have an X509 grid certificate in /etc/grid-security. Some services just use the host certificate /etc/grid-security/hostcert.*. Some use a copy of the host certificate in a subdirectory of /etc/grid-security (to make it readable by that service). Some may use a separate service certificate in a subdirectory.
Installation
Puppet installs certificates from /etc/puppet/modules/certs/files.
Creating Host Certificates
To create a host certificate, you must first be authorized as a CMS (or GLOW) VO GridAdmin in the OSG Registration Authority. To get authorized, log in [here] and click Request for GridAdmin Enrollment.
osg-gridadmin-cert-request -H g25n01.hep.wisc.edu -v CMS
osg-gridadmin-cert-request -H g25n01.hep.wisc.edu -v GLOW
For a group of systems, the -f option can be used to specify a file containing a list of hosts.
This command will create two files for each certificate, a private key and a public key. Move these files into /etc/puppet/modules/certs/files using destination filenames that match the naming scheme used for existing cases. Do not leave copies of the private keys lying around in public AFS directories.
Running puppeteer hostname (where hostname is the target host) will push the new certificate to the host. Some services need to be restarted after the certificate is updated.
Checking Host Certificate Expiration
Icinga checks for expiring certificates. To see expired certificates, go to https://icinga.hep.wisc.edu and click on Unhandled problems under Critical Services and look for Certificate expiration in the Service column.
To see certificates that are in danger of expiring, click on N Warning under Services, sort the Services column and look for Certificate Expiration in a Warning state.
To manually examine a certificate, including its expiration time, the following command can be used:
openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
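The same expiration check can be run locally on a host before Icinga flags it. The script below is an added example, not part of the original page or of the site's Puppet/Icinga setup; it uses the /etc/grid-security/hostcert.pem and hostkey.pem paths named above, the warning/critical day thresholds are assumed, and it also verifies that the private key Puppet pushed actually belongs to the certificate (a mismatch will break the service after a restart).

```shell
#!/bin/sh
# Added example (not from the original page): local checks for a grid host
# certificate, mirroring what the Icinga "Certificate expiration" service
# reports. Return codes follow the Nagios/Icinga plugin convention
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The 30/7 day thresholds below
# are assumptions, not the site's configured values.

# cert_expiry_status CERT [WARN_DAYS] [CRIT_DAYS]
# Prints a one-line status and returns the plugin exit code.
cert_expiry_status() {
    cert=$1; warn_days=${2:-30}; crit_days=${3:-7}
    [ -r "$cert" ] || { echo "UNKNOWN: cannot read $cert"; return 3; }
    enddate=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null) \
        || { echo "UNKNOWN: $cert is not a valid X.509 certificate"; return 3; }
    enddate=${enddate#notAfter=}
    # "openssl x509 -checkend N" exits non-zero when the certificate
    # expires within N seconds (N=0 means "already expired").
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "CRITICAL: $cert expired on $enddate"; return 2
    elif ! openssl x509 -noout -checkend $((crit_days * 86400)) -in "$cert" >/dev/null; then
        echo "CRITICAL: $cert expires within $crit_days days ($enddate)"; return 2
    elif ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$cert" >/dev/null; then
        echo "WARNING: $cert expires within $warn_days days ($enddate)"; return 1
    fi
    echo "OK: $cert valid until $enddate"; return 0
}

# key_matches_cert CERT KEY
# Returns 0 when the public half of the private key equals the public key
# embedded in the certificate, i.e. the two files belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: "sh check_hostcert.sh --run" checks the host certificate
# and its key in /etc/grid-security.
if [ "${1:-}" = "--run" ]; then
    cert_expiry_status /etc/grid-security/hostcert.pem 30 7; rc=$?
    key_matches_cert /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem \
        || { echo "CRITICAL: hostkey.pem does not match hostcert.pem"; rc=2; }
    exit $rc
fi
```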