Scripts for certificate management

The following perl scripts are available as an alternative to the Web interface for requesting and renewing your FusionGrid id. These scripts assume that you want or have an X.509 certificate issued by the DOEGrids CA. If you want a certificate from the experimental FusionGrid CA click here.

The scripts assume that openssl and curl are available. Both these binaries come as part of Linux, FreeBSD and MacOSX distributions. opensssl comes as part of a Globus intallation at $GLOBUS_LOCATION/bin. curl can be downloaded from http://curl.haxx.se/. openssl can be downloaded from http://www.openssl.org/

Please report any difficulties using these scripts to Mary Thompson

tar file containing all the scripts

• requestUserCert
  

  
  usage is : 
         -name <name>         - user's full name
         -email <email>       - user's email
         -phone <phone>       - user's 10 digit phone number
         -sponsor <name>      - one of: Doug McCune, David Schissel, Martin Greenwald
         -password <filename> - optional file containing passphrase for private key
         -request <filename>  - optional certificate request
         -dir <name>          - optional directory in which to store the private key
                                          defaults to $HOME/.globus
         -debug               - spews lots of output to the terminal
         -help                - prints this message
  any omitted argruments will be prompted for
  

  This script generates a private key which it stores in $HOME/.globus/<processid>userkey.pem and a certificate request which it sends to the RA (Mary Thompson) to be signed. Once your sponsor has approved your request, the certificate is issued and a URL at which to retrieve the certificate is emailed back to you. This process ususally takes 1-2 working days. If it is taking longer than that please email your RA, Mary Thompson.

• request host certificate    conf file

  All the FusionGrid host and service certificates continue to be issued by the DOEGrids CA. Its interface consists of using a script with some configuration files to generate a certificate request (pkcs7) file which is then pasted into the Web interface at DOEGrids CA at the Grid or SSL server menu.

• retrieveCert
  

  
  usage is : 
         -certnum <num >     - certificate serial  number 
           OR - url <url>    - entire url that was mailed to you
         -dir <dirname>      - directory for the usercert and key, defaults $HOME/.globus
         -keyfile <filename> - keyfile for private key corresponding to this cert
         -prefix  <prefix>   - causes the key and cert files to be named <prefix>cert.pem
                                     and <prefix>key.pem rather than usercert.pem 
                                     and userkey.pem.
         -debug              - prints what it is doing
         -help               - prints this message
         any omitted argruments will be prompted for
  

  Once you have received mail that your certificate has been issued, use this script to retrieve it and store it in $HOME/.globus/usercert.pem. The corresponding key file will be renamed to $HOME/.globus/userkey.pem. Note that these names and directories can be set by the input parameters -dir and -prefix, but if you just want one certificate to be used by Globus, go with the defaults.

• renewUserCert
  

  
  usage is : 
         -email <email>  - the user's email address
         -phone <phone>  - the user's 10 digit phone number
         -passin <pass>  - file containing password for the currrent private key
                               if omitted, openssl will prompt for a passphrase
         -passout <pass> - file containing password for the new private key
                               if omitted, openssl will prompt for a passphrase
                               only used if the -newkey switch is given.
         -cert <name>    - filename of cert to be renewed
                               defaults to usercert.pem
         -key <name>     - name of keyfile for private key corresponding to this cert
                               defaults userkey.pem
         -dir <name>     - directory for the usercert and key
                               defaults to $HOME/.globus
         -prefix <name>  - causes the key and cert files to be named <prefix>cert.pem
                               and <prefix>key.pem rather than usercert.pem and userkey.pem.
         -newkey               - if given a  new key will be generated.
                               if omitted the current key will be used for the new cert
         -debug         - prints what it is doing
         -help          - prints this message
  

  This script by default replaces an existing usercert.pem, userkey.pem pair. You get the same name, the same key, and a new certificate that is valid immediately. The renewal is done automatically, so you get the new user certificate immediately. It is stored in $HOME/.globus/newusercert.pem. You must manually replace your current usercert.pem with the newusercert.pem.

• renewCert
  

  
  usage is : 
         -cert <name>   - filename of cert to be renewed
                              defaults to usercert.pem
         -key <name>    - name of keyfile for private key corresponding to this cert
                              defaults userkey.pem
         -dir <name>    - directory for the usercert and key
                              defaults to $HOME/.globus
         -prefix <name> - causes the key and cert files to be named <prefix>cert.pem
                             and <prefix>key.pem rather than usercert.pem and userkey.pem.
         -debug         - prints what it is doing
         -help          - prints this message
  

  This script by default renews an existing usercert.pem, userkey.pem pair. Unlike the renewUserCert script it can also be used to renew host certificates. You get the same name, the same key, and a new certificate that is valid AFTER the current one expires. The renewal is done automatically, so you get the new user certificate immediately. It is stored in $HOME/.globus/newusercert.pem since it will probably not be valid yet. You must replace your current usercert.pem with the newusercert.pem after the time the old one expires.

  If you wish to renew a host certificate, you can use the switches to select the host certificates. e.g.

  
         renewCert -prefix host -dir /etc/grid-security  
         OR
         renewCert -cert namecert.pem -key namekey.pem -dir hostdir
  

Home | The National Fusion Collaboratory Project Last modified Wednesday, 27-Jun-2007 10:22:58 PDT  Comments?