[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Estanislao Gonzalez estanislao.gonzalez at zmaw.de
Thu Sep 9 07:35:27 MDT 2010


Hi all,

I see the trusted certificates are quite old. I've already changed them 
as requested so that the naming scheme would be more ESG-conform, but 
the certificates are still the older ones.

Would it be possible to upload the certificates somewhere? Maybe a pub ftp?
That way we could just upload the certificates if they were changed. We 
could later on delete the ones we don't require.


Thanks,
Estani

stephen.pascoe at stfc.ac.uk wrote:
>  
> Hi Neil,
>
> Updating our trustroots using your wiki page below I notice that the
> esg-truststore.ks file is missing 2 of our certificates that are in the
> tarball esg_trusted_certificates-08-24-2010.tar.gz.  These are
> cf22df3a.0 and ece35fd4.0
>
> I can guess how this happened.  Phil provided PEM files containing both
> the certificate text and BEGIN CERTIFICATE sections.  I've noticed
> keytool fails unless PEM files only contain the BEGIN CERTIFICATE block.
>
> Those using esg-truststore.ks need to import the certificates into the
> keystore in order for it to work with BADC.  One possible recipe is:
>
> $ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/cf22df3a.0 > cf22df3a_bare.0
> $ keytool -import -keystore esg-truststore.ts -alias cf22df3a -file cf22df3a_bare.0
> $ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/ece35fd4.0 > ece35fd4_bare.0
> $ keytool -import -keystore esg-truststore.ts -alias ece35fd4 -file ece35fd4_bare.0
>
> I hope this can be reflected in esg-truststore.ks soon.
>
> Cheers,
> Stephen.
>
> ---
> Stephen Pascoe  +44 (0)1235 445980
> British Atmospheric Data Centre
> Rutherford Appleton Laboratory
>
> -----Original Message-----
> From: go-essp-tech-bounces at ucar.edu
> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of neillm at mcs.anl.gov
> Sent: 17 August 2010 22:42
> To: go-essp-tech at ucar.edu
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
> Certificates
>
> Hello,
>
> According to the document here:
>
> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>
> PCMDI, NCAR and ORNL still need to update their DNs to something more
> official.  This is a CMIP5 blocker as far as I know.
>
> -Neill.
>
> ----- Original Message -----
> From: "Neill Miller" <neillm at mcs.anl.gov>
> To: go-essp-tech at ucar.edu
> Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada
> Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
> Certificates
>
> Hello,
>
> Has anyone made any progress on generating new CA certificates without
> default simpleCA DNs?  Someone has already sent me new certificates for
> their site, so aside from that of course.  Please let me know, or send
> me updated certs and I'll get them online as soon as I can.
>
> thanks,
> -Neill.
>
> ----- Original Message -----
> From: "Neill Miller" <neillm at mcs.anl.gov>
> To: asim at lbl.gov
> Cc: go-essp-tech at ucar.edu
> Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
> Certificates
>
> Hello Alex,
>
> It's a good thing to bring up actually.  Each gateway that runs a CA
> gets to more or less specify their DN to be anything they want.  Going
> forward, it's important to name them something more appropriate.  I
> agree that it doesn't look good to have GlobusTest in the DN as well (as
> we've discussed this before), so there are at least 2 options to
> consider here:
>
> 1) Allow everyone to get their gateway working as it is now (since it's
> not a functional thing, but a perception/cosmetic issue), or
> 2) Request that everyone start over with their CAs in order to fix the
> DN*.
>
> Maybe Gavin (actually, Eric if I'm following correctly) could describe
> how this step is done and whether or not it's automated away?  If it's
> automated and hidden from the user in the script, it's likely even
> starting over won't change anything for most people.
>
> *This is something that can be done without replacing the entire gateway
> stack.  As a matter of fact, it's just a couple commands and then
> tracking the proper certificates from there.  If this second option is
> chosen, I can document what each Gateway needs to do in order to remedy
> the situation.
>
> But I'd still like to know how this is done at the Gateway install time
> so that any NEW gateway installs won't have to do anything special and
> will have more valid looking (default) DNs.
>
> Sound reasonable?
>
> -Neill.
>
> ----- Original Message -----
> From: "Alex Sim" <asim at lbl.gov>
> To: neillm at mcs.anl.gov
> Cc: go-essp-tech at ucar.edu
> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
> Certificates
>
>  I hate to bring this up again, but the DN format has to work out
> without GlobusTest in it.
>
> -- Alex
>
>
> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>> Hello,
>>
>> Thanks to everyone that has submitted their certificate information!
>> At the moment, I have a list of MyProxy and OpenID trusted certificates
>> listed here:
>>
>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>
>> While this page is obviously not complete, please verify that the
>> certificates that you've sent appear in the listings.  I'd like to know
>> roughly how many more I should be expecting before moving on to fill in
>> the other details as well, so if you know you haven't sent yours in yet,
>> please let me know (off-list is fine).
>>
>> thanks,
>> -Neill.
>>
>> ----- Original Message -----
>> From: neillm at mcs.anl.gov
>> To: go-essp-tech at ucar.edu
>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>>
>> Hello,
>>
>> As discussed on the call just now, I need all OpenID trust root
>> certificates in addition to the hostname of the machine.
>>
>> For anyone that has already submitted theirs (i.e. Luca, Phil), if
>> there are helpful commands that you can share with others, please do so
>> in follow-up to this.
>>
>> A helpful page that shows commands for working with your java
>> key/trust store is here:
>>
>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>
>> I also need everyone managing a MyProxy CA to send me their CA
>> certificates.  If you're running a MyProxy CA, there are 2 simple ways
>> to find out which certs are needed (please pick one, not both):
>>
>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/"
>> as the user that runs the CA.
>>
>> In this listing, you'll see a file called
>> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a hash
>> of the CA certificate.  Please send the files
>> /etc/grid-security/certificates/XXXXXXXX.0 and
>> /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as the
>> hostname of the CA machine.
>>
>> 2) Another method of finding which cert to send is to run the
>> "grid-default-ca" program:
>>
>> --------------------------------------------------------------------
>> $GLOBUS_LOCATION/bin/grid-default-ca
>>
>> The available CA configurations installed on this host are:
>>
>> Directory: /etc/grid-security/certificates
>>
>> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
>> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
>> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
>> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
>> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>
>>
>> The default CA is:
>> /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>          Location: /etc/grid-security/certificates/0ba75d15.0
>>
>> Enter the index number of the CA to set as the default [q to quit]
>> --------------------------------------------------------------------
>>
>> To avoid changing anything, press "q" to quit.
>>
>> Near the bottom, we are told which CA is currently our default.
>> Please send the file located at the listed "Location" in addition to the
>> XXXXXXXX.signing_policy file located in the same directory.  Please also
>> send the DN listed with that file and the hostname of the CA machine.
>>
>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0" AND
>> the ".signing_policy" files together.  Please also send the machine's
>> hostname.
>>
>> -Neill.
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech


-- 
Estanislao Gonzalez

Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany

Phone:   +49 (40) 46 00 94-126
E-Mail:  estanislao.gonzalez at zmaw.de
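An added example, not code from the thread: Stephen's sed + keytool recipe above, wrapped in a check that the stripped file really is a single bare certificate block before keytool sees it (a PEM file carrying the human-readable certificate text, or two concatenated CAs, is refused). The constructed sample file, the `esg-truststore.ts` default and the `-noprompt` flag are my assumptions; the `XXXXXXXX_bare.0` file and alias naming follow the thread.

```shell
#!/bin/sh
# Added example, not the thread's own script. keytool rejects a PEM file that
# has the openssl "Certificate: ..." text in front of the BEGIN CERTIFICATE
# block, so the block is stripped out and checked before the import.

# Write a constructed "text + PEM" sample to the given path. The base64 body
# is a placeholder, not a real certificate.
make_sample() {
  cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-example.org, CN=Globus Simple CA
-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIBAAAAplaceholderbodyAAAA==
-----END CERTIFICATE-----
EOF
}

# Keep only the lines from BEGIN CERTIFICATE to END CERTIFICATE, as in the thread.
bare_cert() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Succeed only if the stripped output is exactly one PEM block: one BEGIN,
# one END, and the block is properly closed (two concatenated CAs, or a
# truncated file, fail here instead of producing a confusing keytool error).
check_bare() {
  begins=$(bare_cert "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
  ends=$(bare_cert "$1" | grep -c '^-----END CERTIFICATE-----$' || true)
  last=$(bare_cert "$1" | tail -n 1)
  [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] && [ "$last" = "-----END CERTIFICATE-----" ]
}

# Verify, strip to <alias>_bare.0, then import under the hash-style alias.
# Needs a JDK keytool on PATH; the truststore name defaults to the thread's.
import_bare() {
  src="$1"; alias="$2"; store="${3:-esg-truststore.ts}"
  check_bare "$src" || { echo "refusing $src: not a single bare certificate block" >&2; return 1; }
  bare_cert "$src" > "${alias}_bare.0"
  keytool -import -noprompt -keystore "$store" -alias "$alias" -file "${alias}_bare.0"
}
```

Typical use on the thread's files would be `import_bare esg_trusted_certificates/cf22df3a.0 cf22df3a`.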
