create new tag
view all tags

This page is an up-to-date version of ObtainingHostCertificates

TODO Obtaining host certificates for Grid servers

Our host certificates are issued by the EGIEU CA.

Email request should be sent from CERN account. The following list of CERN Authorities should be recorded to enable digital signing with user certificate:

  • CERN Grid Certification Authority;
  • CERN Certification Authority;
  • CERN Root Certification Authority 2;

The keys and certificates are stored in a directory structure on the admin node

  • /root/clusteradmin/etc/hostkeys: contains helper scripts
  • /root/clusteradmin/etc/hostkeys/egieu/: contains key files, csr requests for the present EGi EU CA that is valid since 2016
  • =/root/clusteradmin/etc/hostkeys/switch-QuoVadis/: OBSOLETE. contains certificates for the years when the Swiss CA resided at QuoVadis. Do not use any more

In /root/clusteradmin/etc/hostkeys on t3admin02 there is a helper script create_keys.sh and an openssl config file openssl.cnf which will help you to get rid of most of the typing for producing the required certificate request files for new machines.

TODO Renewing host certificates

Currently renewing a certificate involves again filling out a complete registration request. I reuse the old server keys and just copy again the old CSR files into the forms. If you want to see the content of a CSR file you can run the command:

openssl req -in ./t3se02.psi.ch-csr.pem  -text

Certificates for Phedex (t3cmsvobox01)

Please look at PhedexInstructions2019

Certificates for LDAP service and LDAP clients

The ldap service and client certificates are special in the sense that they are based upon our own Tier-3 CA (this is a historic remnant.)

The machinery for using that CA is located on the t3admin02 node in /root/clusteradmin/etc/cluster-ca

You will find a readme there containing

Use the cluster-ca.sh script to produce the certificate.

The config files are already prepared. Just use something like
    ./cluster-ca.sh -r ./pki -s t3admin01.psi.ch

The certificates are then found under the ./pki/certs directory. You may have
to first remove any old cert and csr files for that node (e.g. if you want to
renew). The script will tell you.


cluster-ca.sh help text:
         cluster-ca.sh [options] --rootca
         cluster-ca.sh [options] -s server.domain.org

         -r path      : Path to repository directory (/root/clusteradmin/etc/cluster-ca/test-CA)

         -s hostname  : server hostname for which to produce a cert
         -t template  : template SSL config name to use for producing server
                        request and cert files (default.cnf)
         -d           : debug mode


For producing a Certificate for our LDAP master server:
First copy away the old cert /root/clusteradmin/etc/cluster-ca/pki/certs/t3admin01.psi.ch-cert.pem
(leave the key in place!!!), and then run
./cluster-ca.sh -r ./pki -s t3admin01.psi.ch

Producing a certificate for the LDAP service

On t3admin02 go to the following directory

cd /root/clusteradmin/etc/cluster-ca 

Ensure that the CA root certificate is still OK:

openssl x509 -in /root/clusteradmin/etc/cluster-ca/pki/rootca/rootca-cert.pem -dates -subject -noout

notBefore=Apr  1 12:16:43 2019 GMT
notAfter=Mar 30 12:16:43 2024 GMT
subject= /C=CH/ST=Aargau/L=Villigen/O=PSI/CN=PSI CMS Tier-3 Cluster Root CA

The CA root certificate is distributed to all client nodes (basically all cluster nodes). Without it, our CA will not be accepted on the nodes. If the CA root certificate needs to be regenerated, you must copy it to all the client nodes (and also to the LDAP server).

  • for SL6 nodes that use nslcd: copy it to /etc/openldap/certs/08a2f47c.0 (The filename is a hash that is obtained by using openssl x509 -noout -hash -in rootca-cert.pem).
  • for SL7 nodes using sssd: copy it to /etc/openldap/cacerts/cacert.pem

Now we can generate the new service certificate for LDAP (or for another service).

 cd /root/clusteradmin/etc/cluster-ca

 # move the old cert and the old csr (signing request) away. Usually you should keep the existing key!!!
 mv pki/certs/t3ldap01.psi.ch-cert.pem pki/certs/OLD-CERTS/t3ldap01.psi.ch-csr.pem.till20190715
 mv pki/certs/t3ldap01.psi.ch-csr.pem pki/certs/OLD-CERTS/t3ldap01.psi.ch-cert.pem.till20190715

 # generate the cert
 ./cluster-ca.sh -r ./pki -s t3ldap01.psi.ch

The resulting certificate will be generated under /pki/certs. The signing is done with the root CA certificate that is stored within pki/rootca based on the template in pki/template.

Note: Conf file (./pki/certs/t3ldap01.psi.ch.cnf) already exists for this server. Will use old one
Note: Keyfile (./pki/certs/t3ldap01.psi.ch-key.pem) already exists. Using old one
/usr/bin/openssl req -new -key ./pki/certs/t3ldap01.psi.ch-key.pem -sha256 -out ./pki/certs/t3ldap01.psi.ch-csr.pem -config ./pki/certs/t3ldap01.psi.ch.cnf
/usr/bin/openssl x509 -req -in ./pki/certs/t3ldap01.psi.ch-csr.pem -sha256 -extfile ./pki/certs/t3ldap01.psi.ch.cnf -extensions certificate_extensions -CA ./pki/rootca/rootca-cert.pem -CAkey ./pki/rootca/rootca-key.pem -CAcreateserial -passin file:./pki/rootca/rootca.pwd -out ./pki/certs/t3ldap01.psi.ch-cert.pem -days 365
Signature ok
subject=/C=CH/ST=Aargau/L=Villigen/O=PSI CMS Tier-3/CN=t3ldap01.psi.ch
Getting CA Private Key
subject= /C=CH/ST=Aargau/L=Villigen/O=PSI CMS Tier-3/CN=t3ldap01.psi.ch
notBefore=Jul 15 09:51:59 2019 GMT
notAfter=Jul 14 09:51:59 2020 GMT
issuer= /C=CH/ST=Aargau/L=Villigen/O=PSI/CN=PSI CMS Tier-3 Cluster Root CA

Then copy the certificate (and potentially also the key, if you changed it) to the LDAP service:

scp  /root/clusteradmin/etc/cluster-ca/pki/certs/t3ldap01.psi.ch-cert.pem t3ldap01:/etc/pki/tls/certs/slapd-cert.pem

The location of the LDAP service certificate is defined in the slapd configuration file /etc/openldap/slapd.conf

Log in to the LDAP server and Confirm that the dates look right:

openssl x509 -in /etc/pki/tls/certs/slapd-cert.pem  -subject -dates -noout 

Restart ldap to make it reread its certificate and key:

/etc/init.d/ldap restart

from any client node (e.g. UI) test whether the certificate is active in the service by using openssl to retrieve and interpret the certificate directly from the service!

echo | openssl  s_client  -connect  t3ldap01.psi.ch:636 2> /dev/null | openssl x509 -subject -dates -noout

-- DerekFeichtinger - 2019-07-15

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r3 - 2019-07-16 - NinaLoktionova
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback