<!-- keep this as a security measure:
#uncomment if the subject should only be modifiable by the listed groups
#   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
#   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
#uncomment this if you want the page only be viewable by the listed groups
#   * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup,Main.CMSAdminReaderGroup
-->

---+ Grid Host Certificate instruction

   * *T3 Admin access registration* on [[https://tl.quovadisglobal.com/subscriber][Certification Service Provider QuoVadis]]:
      * done for the following common T3 address cms-tier3-alerts@lists.psi.ch
      * responsible T3 Admin has update the name and phone by !UniBe contact person Alexander Kashev <alexander.kashev@math.unibe.ch>
   * Check if the hostname is publicly resolvable. If it is not, create a Change Task within SNOW and assign it to itsm-network.
   * Prepare the certificate request =hostname.psi.ch-csr.pem= from =t3admin02:/root/clusteradmin/etc/grid-ca=
<pre>
tree -P 't3*' clusteradmin/etc/grid-ca
clusteradmin/etc/grid-ca
|-- certs-2020
|   |-- t3cmsvobox_psi_ch.crt
|   |-- t3dcachedb03_psi_ch.crt
|   `-- t3se01_psi_ch.crt
|-- keys
|   |-- t3cmsvobox.psi.ch-key.pem
|   |-- t3dcachedb03.psi.ch-key.pem
|   `-- t3se01.psi.ch-key.pem
`-- requestdir
    |-- ............................
</pre>
     with a command like:
<pre>
# ./create_keys.sh t3se01.psi.ch
Using existing key /root/clusteradmin/etc/grid-ca/keys/t3se01.psi.ch-key.pem for new request
</pre>
   * To upload the CSR, you must be registered on the https://tl.quovadisglobal.com/subscriber/ interface (with your email as login).
   * After you submit the request, it will be confirmed by the CA administrator. In 1-2 days you will get a mail notification with download instructions and will be able to download the certificate.
   * Copy the downloaded certificate to the host as =/etc/grid-security/hostcert.pem=
   * Useful commands:
<pre>
# certificate and key belong together when both digests are identical
openssl x509 -noout -modulus -in /etc/grid-security/hostcert.pem | openssl md5
openssl rsa -noout -modulus -in /etc/grid-security/hostkey.pem | openssl md5
# show the certificate subject and the expiry date
openssl x509 -subject -in /etc/grid-security/hostcert.pem
openssl x509 -enddate -in /etc/grid-security/hostcert.pem -noout
</pre>
   * *Certificate renewal*: According to https://tl.quovadisglobal.com/clientadmin/content/TLE_V2_Subscriber_Manual.pdf, Trust/Link will send you reminder emails leading up to the expiry of your SSL certificate. These emails are sent 30 days, 14 days, and 1 day before expiry.
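The checks from the useful commands above, combined into one function that can run before a new =hostcert.pem= goes into service. This is an added example, not part of the original instructions: the function name =check_hostcert= and its return codes are assumptions, and it compares the full public keys instead of MD5 digests of the RSA modulus, so it also works for non-RSA keys.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a host certificate
# matches its private key and is not about to expire.
# Default paths are the ones used on this page; return codes are illustrative:
#   0 = ok, 1 = cert/key mismatch, 2 = expires within threshold, 3 = unreadable input

check_hostcert() {
    cert=${1:-/etc/grid-security/hostcert.pem}
    key=${2:-/etc/grid-security/hostkey.pem}
    days=${3:-30}   # 30 days = first reminder interval mentioned on the page

    # Extract the public key from both files as PEM text.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 3

    # A certificate issued for a different key is unusable on this host.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $cert does not belong to $key" >&2
        return 1
    fi

    # Show what was installed, then test the remaining lifetime.
    openssl x509 -in "$cert" -noout -subject -enddate
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING: $cert expires within $days days" >&2
        return 2
    fi
    return 0
}
```

Called without arguments, =check_hostcert= checks the =/etc/grid-security= pair with a 30-day threshold; the non-zero return codes make it usable from cron or a monitoring probe.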
---++ Topic attachments

| *Attachment* | *History* | *Size* | *Date* | *Who* |
| Antragsformular-EUgridPMA-Zertifikat-v01.pdf | r1 | 300.7 K | 2020-03-23 - 11:10 | NinaLoktionova |

Topic revision: r5 - 2020-05-04 - NinaLoktionova
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.