CAs for GridX1

This page documents the procedure that some GridX1 sites use to update Grid Certification Authority certificates. The procedure that TRIUMF uses to generate these files, and the procedure that GridX1 sites should follow, are noted.
When a new batch of RPMs for Certification Authorities is announced, the RPMs will normally appear in the APT/YUM mirrors at CERN. For TRIUMF any new RPMs are mirrored on shrugged daily via cron. The RPM set must be manually pushed by 'trteam' to the gridadm mirror (see the description of the TRIUMF mirror) by running:
$ cd /ks/mirror/
$ make do-sync-lcg_ca
The sysadmin first logs into gridadm to test that there are no errors when updating the RPMs:
# yum update lcg-CA
Then the RPMs are pushed to all nodes from gridadm by running the following command in a script or from a command-line loop:
yum -y update lcg-CA
At the same time a tarball of the new certs is created. The 'trteam' user should run the command:
~/bin/makeGridX1Certs
This creates a tarball in the mirror on gridadm named:
/ks/mirror/GridX1/LCG-Certificates-VER.tgz
where 'VER' is the major version number taken from the RPM tag.
Finally, this file must be added and linked on this page below: add it as an asset, link it, and publish the page.
GridX1 Procedure

GridX1 managers can pick up the latest tarball here:
| Date | File | MD5 sum |
|---|---|---|
| 11/06/2008 | | |
| 19/03/2008 | LCG-Certificates-1.20.tgz | d6ccbc739e4ae7fbe5737d5086d29f7b |
| 05/02/2008 | LCG-Certificates-1.19.tgz | 8ed6da617dc81cb8f073e2b28e25b1eb |
| 10/10/2007 | LCG-Certificates-1.17.tgz | baf286e3ad607741afd79445c6c894b3 |
| 13/08/2007 | LCG-Certificates-1.16.tgz | 53bb62b7603493ff42df36f47b35d056 |
| 07/06/2007 | LCG-Certificates-1.14.tgz | 7ddfdda93ec769c6872ae64d6200fed5 |
| 14/03/2007 | LCG-Certificates-1.13.tgz | 40cb015da10ce97420cae0f53a8fe57f |
| 12/02/2007 | LCG-Certificates-1.12.tgz | |
| 12/01/2007 | LCG-Certificates-1.11.tgz | 0f49e943622c663c5529c899c1bc7c66 |
| 20/10/2006 | | |
| 26/07/2006 | LCG-Certificates-1.7.tgz | 150588c240d3be67b58c06c15156fce4 |
| 23/06/2006 | LCG-Certificates-1.6.tgz | 79c330979f1fe52e444aefbf18c0ed18 |
| 23/05/2006 | LCG-Certificates-1.4.tgz | 17147b4a0a7d3ecc5a62ab7187b62683 |
| 27/04/2006 | LCG-Certificates-1.04.tgz | 3e47e4aa14e58b17f7c882fb06c1705c |
| 02/03/2006 | LCG-Certificates-1.01.tgz | 0870b999b226832d5c150de9d982ddb0 |
| 07/11/2005 | LCG-Certificates-1.00.tgz | d617078430e7019727d28a4935a7ec23 |
| 09/09/2005 | LCG-Certificates-0.32.tgz | 848adda0a732f4edf13f351f2b50ec13 |
| 18/07/2005 | LCG-Certificates-0.31.tgz | dc23be130c2fa4ff1e1287c4b534ddea |
| 19/05/2005 | LCG-Certificates-0.29.tgz | 81523aa054077d03989a1ec5f57ff714 |
The general procedure to use is as follows:
- download only the latest version from the table above and save it.
- cd $X509_CERT_DIR
- cd ..
- ext=`date +%Y_%m_%d`
- mv certificates certificates.$ext
- tar -zxf /path/to/LCG-Certificates-0.31.tgz
- Immediately update the CRLs, because the tarball will contain stale ones. edg-fetch-crl must be relocated outside the certificates directory so we don't keep removing it.
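
The manual steps above as one shell function that first checks the tarball against the MD5 column of the table. This is an added example, not GridX1's or TRIUMF's own script; the function name `install_ca_tarball` and its return codes are assumptions. It goes slightly beyond the listed steps by unpacking into a staging directory and by refusing to reuse a same-day backup name.

```shell
# Added example, not GridX1's own script.
# usage: install_ca_tarball TARBALL MD5_FROM_TABLE [CERT_DIR]
# Assumes the tarball unpacks to one top-level directory named like the last
# component of $X509_CERT_DIR ("certificates" in the manual steps).
install_ca_tarball() {
    tarball=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    cert_dir=${3:-$X509_CERT_DIR}
    if [ ! -r "$tarball" ] || [ -z "$expected" ] || [ ! -d "$cert_dir" ]; then
        echo "usage: install_ca_tarball TARBALL MD5 [CERT_DIR]" >&2
        return 1
    fi
    parent=$(dirname "$cert_dir")
    name=$(basename "$cert_dir")
    backup="$parent/$name.$(date +%Y_%m_%d)"

    # 1. Compare the download with the MD5 column before touching anything.
    actual=$(md5sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch: got $actual, expected $expected" >&2
        return 2
    fi
    # 2. Every member must sit under $name/ and have no '..' path component.
    if tar -tzf "$tarball" | grep -qv "^$name/" ||
       tar -tzf "$tarball" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected paths in $tarball" >&2
        return 3
    fi
    # 3. With a same-day backup present, mv would nest the directory inside it.
    if [ -e "$backup" ]; then
        echo "$backup already exists" >&2
        return 4
    fi
    # 4. Unpack into a staging directory and swap afterwards, so a failed
    #    extract leaves the current certificates in place.
    stage=$(mktemp -d "$parent/.ca-stage.XXXXXX") || return 1
    if ! tar -zxf "$tarball" -C "$stage" || [ ! -d "$stage/$name" ]; then
        rm -rf "$stage"
        echo "extract of $tarball failed" >&2
        return 5
    fi
    mv "$cert_dir" "$backup" && mv "$stage/$name" "$cert_dir" &&
        rmdir "$stage" || return 1
    echo "installed in $cert_dir; refresh the CRLs now, the tarball's are stale"
}
```

The MD5 comparison catches a damaged or mismatched download; the CRL refresh from the last step still has to be run afterwards.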