Monday, July 31, 2006

Today I want to document setting up a CA for my Globus project.

The following work was done on "titan":

[globus@titan globus-4.0.2]$ export GLOBUS_LOCATION=/usr/local/globus-4.0.2
[globus@titan globus-4.0.2]$ $GLOBUS_LOCATION/setup/globus/setup-simple-ca

WARNING: GPT_LOCATION not set, assuming:

C e r t i f i c a t e A u t h o r i t y S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:


ERROR: It looks like a CA has already been setup at this location.
Do you want to overwrite this CA? (y/n) [n]:y

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-titan, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:

Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA)

The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid. A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires. This can be done
by re-running this setup script. Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

creating CA config package...done.

A self-signed certificate has been generated
for the Certificate Authority with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA-titan/CN=Globus Simple CA

If this is invalid, rerun this script


and enter the appropriate fields.


The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem
The distribution package built for this CA is stored in


This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build /home/globus/.globus/simpleCA//globus_simple_ca_89aac96f_setup-0.19.tar.gz


setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...


Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration


For further information on using the setup-gsi script, use the -help
option. The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.


setup-ssl-utils: Complete

[globus@titan globus-4.0.2]$

As root:

[root@titan root]# /usr/local/globus-4.0.2/setup/globus_simple_ca_89aac96f_setup/setup-gsi
setup-gsi: Configuring GSI security
Making /etc/grid-security...
mkdir /etc/grid-security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.89aac96f...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
[root@titan root]#
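
A post-setup check for the two things the transcript warns about: the CA private key and the trusted certificates directory, plus the CA certificate's expiry. This is an added example, not part of the original post or of the Globus scripts; the function names are hypothetical, and the paths in the usage comment are the ones printed above.

```shell
#!/bin/sh
# Added example: sanity checks after setup-simple-ca and setup-gsi.
# Usage on the host in the transcript (paths as printed by the scripts):
#   key_is_private /home/globus/.globus/simpleCA/private/cakey.pem
#   trust_dir_is_locked /etc/grid-security/certificates
#   cert_valid_for /home/globus/.globus/simpleCA/cacert.pem 90

# mode_of PATH: print the 9 permission characters (e.g. rw-------),
# following symlinks; prints nothing if PATH does not exist.
mode_of() {
    ls -ldL "$1" 2>/dev/null | cut -c2-10
}

# key_is_private FILE: 0 if group and other have no access at all,
# 1 if any group/other bit is set, 2 if the file is missing.
key_is_private() {
    m=$(mode_of "$1")
    [ -n "$m" ] || { echo "MISSING $1"; return 2; }
    case $m in
        ???------) return 0 ;;
        *) echo "EXPOSED $1 ($m)"; return 1 ;;
    esac
}

# trust_dir_is_locked DIR: 0 if neither DIR nor any entry in it is writable
# by group or other. Anyone who can write here can add a CA the host trusts.
trust_dir_is_locked() {
    [ -d "$1" ] || { echo "MISSING $1"; return 2; }
    rc=0
    for f in "$1" "$1"/*; do
        [ -e "$f" ] || continue
        case $(mode_of "$f") in
            ????w????|???????w?) echo "WRITABLE $f"; rc=1 ;;
        esac
    done
    return $rc
}

# cert_valid_for CERT DAYS: 0 if CERT is still valid DAYS days from now.
# Certificates signed by the CA stop validating once the CA certificate expires.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```
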