Updating Certificates


o Updating host certificate

  Issuer: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  Subject: /DC=org/DC=doegrids/OU=Services/CN=cert.fusiongrid.org

  /home/fgcm/hostkey.pem
  /home/fgcm/hostcert.pem

  root@pppl.gov will receive an email when the certificate is due to expire, with subject
  "The certificate for cert.fusiongrid.org will expire in 29 days"

  To renew, go to https://pki1.doegrids.org/ca/ and click on
  "Grid or SSL Server".  Cut and paste the contents of
  /home/fgcm/hostcert_request.pem
  Note: a GridAdmin Agent can use the GridAdmin Interface instead.

  Must restart httpd afterwards:
    /sbin/service httpd restart

  To test:
    - Connect to http://cert.fusiongrid.org
    - Use myproxy-get-delegation to get a new proxy
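  Added example, not part of these notes: a pre-flight script to run before the
  httpd restart, so a renewed certificate that does not match the key, or that
  is already close to expiry, is caught before the service is bounced rather
  than by the next 29-day notice. It assumes openssl is on PATH and that the
  key file is unencrypted, as a server key must be. HOSTKEY and HOSTCERT are
  this script's own variable names, defaulting to the two paths above; point
  them at /var/www/Users/fgcm_unencrypted_key.pem and fgcm_cert.pem to check
  the fgcm pair the same way. When the live files are not present it runs on a
  constructed self-signed pair, not a DOEGrids certificate.

```shell
#!/bin/sh
# Added example, not part of the original notes. Pre-flight checks on a
# renewed certificate before "/sbin/service httpd restart". Assumes openssl
# is on PATH and the key is unencrypted (as a server key must be).
# HOSTKEY/HOSTCERT are this script's own variable names; they default to the
# paths in the notes.
HOSTKEY=${HOSTKEY:-/home/fgcm/hostkey.pem}
HOSTCERT=${HOSTCERT:-/home/fgcm/hostcert.pem}

# show_identity CERT: subject and issuer, like "grid-cert-info -subject -issuer".
show_identity() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# cert_expires_within CERT DAYS: status 0 if CERT is expired or expires within
# DAYS days, 1 if it stays valid beyond that window.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert KEY CERT: status 0 if KEY's public key is the one in CERT.
# A mismatch is what makes httpd refuse to start after a botched renewal.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight KEY CERT DAYS: run every check; status 0 means safe to restart.
preflight() {
    rc=0
    show_identity "$2" || rc=1
    if key_matches_cert "$1" "$2"; then
        echo "OK:   private key matches certificate"
    else
        echo "FAIL: private key does not match certificate"; rc=1
    fi
    if cert_expires_within "$2" "$3"; then
        echo "FAIL: certificate expires within $3 days (or already has)"; rc=1
    else
        echo "OK:   certificate valid for more than $3 days"
    fi
    return $rc
}

# make_test_cert DIR DAYS: constructed self-signed pair for the demo; the
# subject is made up and is not a DOEGrids or FusionGrid name.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/DC=org/DC=example/OU=Services/CN=test.example.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

if [ -r "$HOSTKEY" ] && [ -r "$HOSTCERT" ]; then
    preflight "$HOSTKEY" "$HOSTCERT" 29
else
    # No live host files here: demonstrate on a constructed pair instead.
    T=$(mktemp -d)
    make_test_cert "$T" 365 && preflight "$T/key.pem" "$T/cert.pem" 29
    rm -rf "$T"
fi
```

  The window of 29 days matches the expiry notice quoted above, so a
  certificate that passes here will not trigger the next notice immediately
  after the restart.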

o Updating key and certificate used to update
  new users on roam.fusiongrid.org

  Issuer: DC=org, DC=fusiongrid, OU=Certificate Authorities, CN=FusionGrid CA
  Subject: DC=org, DC=fusiongrid, OU=People, CN=FusionGrid Certificate Manager 17184
  /var/www/Users/fgcm_key.pem
  /var/www/Users/fgcm_cert.pem

  The renewal message should be sent to lranderson@pppl.gov.
  It can be renewed from a browser that has the fgcm certificate loaded.
  Then update /var/www/Users/fgcm_cert.pem

o If the above certificate is allowed to expire

  Error message will be:
  Sent to:
    lranderson@pppl.gov
  Subject of message:
   Cron  cd /var/www/cgi-bin ; /usr/bin/python loadCert.py
  Error in message:
   socket.sslerror: SSL_CTX_use_PrivateKey_file error
  
  Must create a new certificate.
  Must be fusiongrid privileged!!!
  (Will have to notify tfredian@psfc.mit.edu of the new name.)

  This shows the subject and issuer of the current certificate:
  # On blackbird.pppl.gov as user "fgcm"
  grid-cert-info -subject -issuer -f /var/www/Users/fgcm_cert.pem
  /DC=org/DC=fusiongrid/OU=People/CN=FusionGrid Certificate Manager 17184
  /DC=org/DC=fusiongrid/OU=Certificate Authorities/CN=FusionGrid CA

  1) Apply for a "FusionGrid Certificate Manager" certificate through
     http://fluorite.es.net:9001 using a browser.
     Click on "New User".
  2) Get the request through membership in the
     FusionGridRA@.pppl.gov mailing list and
     approve the request.
  3) Download the certificate to my browser and
     then export the certificate from the browser.
     Copy it to a Linux system. Then make the keys:
     openssl pkcs12 -in fgcm_17184.pfx -clcerts -nokeys -out fgcm_cert.pem
     openssl pkcs12 -in fgcm_17184.pfx -nocerts -out fgcm_key.pem
     One more step to get an unencrypted private key for a server:
     openssl rsa -in fgcm_key.pem -out fgcm_unencrypted_key.pem
  4) On blackbird as root
     Back up /var/www/Users/fgcm_cert.pem,
             /var/www/Users/fgcm_key.pem,
             /var/www/Users/fgcm_encrypted_key.pem and
             /var/www/Users/fgcm_unencrypted_key.pem
     Copy the new files to /var/www/Users/*.pem.new
     and then update the files.
  5) Notify tfredian@psfc.mit.edu of the new name
  6) Verify that cert.fusiongrid.org can enter user information
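
  Steps 3 and 4 above as one non-interactive script, added here as an example
  and not part of the original procedure. It runs the same openssl commands as
  step 3 to produce fgcm_cert.pem, the passphrase-protected fgcm_key.pem and
  fgcm_unencrypted_key.pem from the exported .pfx, with the passphrases taken
  from the PFX_PASS and PEM_PASS environment variables (names chosen here)
  instead of the interactive prompts; it refuses to install unless the key and
  certificate belong together, then does the step 4 backup-and-replace with a
  date-stamped copy of each live file and prints the new subject for step 5.
  The .pfx name, passphrases and "Test Certificate Manager 1" subject in the
  demo are constructed; for the real run call extract_pfx and install_certs on
  fgcm_17184.pfx and /var/www/Users as root on blackbird.

```shell
#!/bin/sh
# Added example, not part of the original notes. Non-interactive version of
# steps 3 and 4: extract cert + keys from the browser-exported .pfx, check
# they belong together, install with dated backups. Assumes openssl on PATH.
# PFX_PASS = export password of the .pfx; PEM_PASS = passphrase placed on
# fgcm_key.pem (the "PEM pass phrase" the interactive command prompts for).

# extract_pfx PFX OUTDIR: the three openssl commands of step 3, with the
# passphrases supplied from the environment. Keys are written mode 600.
extract_pfx() {
    pfx=$1; out=$2
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" \
        -out "$out/fgcm_cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$PFX_PASS" \
        -passout "pass:$PEM_PASS" -out "$out/fgcm_key.pem" >/dev/null 2>&1 || return 1
    openssl rsa -in "$out/fgcm_key.pem" -passin "pass:$PEM_PASS" \
        -out "$out/fgcm_unencrypted_key.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$out/fgcm_key.pem" "$out/fgcm_unencrypted_key.pem"
}

# install_certs SRCDIR DESTDIR: step 4. Refuse a key/cert pair that does not
# match, back up each live file as NAME.bak.<timestamp>, stage the new ones as
# NAME.new, then move them into place. Prints the new subject (step 5's "new
# name"). Status 0 on success.
install_certs() {
    src=$1; dest=$2; stamp=$(date +%Y%m%d%H%M%S)
    k=$(openssl pkey -in "$src/fgcm_unencrypted_key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$src/fgcm_cert.pem" -noout -pubkey 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "refusing to install: key and certificate do not match" >&2
        return 1
    fi
    for f in fgcm_cert.pem fgcm_key.pem fgcm_unencrypted_key.pem; do
        if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$dest/$f.bak.$stamp"; fi
        cp "$src/$f" "$dest/$f.new" || return 1
    done
    for f in fgcm_cert.pem fgcm_key.pem fgcm_unencrypted_key.pem; do
        mv "$dest/$f.new" "$dest/$f" || return 1
    done
    chmod 600 "$dest/fgcm_key.pem" "$dest/fgcm_unencrypted_key.pem"
    openssl x509 -in "$dest/fgcm_cert.pem" -noout -subject
}

# make_test_pfx DIR: constructed self-signed pair packed as DIR/test.pfx under
# PFX_PASS, standing in for the fgcm_17184.pfx exported from the browser.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/DC=org/DC=example/OU=People/CN=Test Certificate Manager 1" \
        -keyout "$1/k.pem" -out "$1/c.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -passout "pass:$PFX_PASS" -out "$1/test.pfx" >/dev/null 2>&1
}

# Demo on constructed data (made-up passphrases, temporary directories).
PFX_PASS=${PFX_PASS:-export-pw}; PEM_PASS=${PEM_PASS:-pem-pw}
export PFX_PASS PEM_PASS
W=$(mktemp -d); mkdir "$W/src" "$W/dest"
make_test_pfx "$W" && extract_pfx "$W/test.pfx" "$W/src" \
    && install_certs "$W/src" "$W/dest"
rm -rf "$W"
```

  The staging through *.pem.new followed by mv keeps the window in which
  loadCert.py could see a half-written key as short as possible, and the
  dated backups mean the previous pair can be put back with a plain cp if
  step 6 fails.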