cert_renew

Basic usage:

cert_renew -h "moth.hep.manchester.ac.uk" request

Gives you output like:

--certificate=samcert_request.pem --output=samcert_request.out --vo=DZero --name=MARC_MENGEL --email=sam-oncall@fnal.gov --phone=+1-630-840-8256
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3038  100  1857  100  1181    606    385  0:00:03  0:00:03 --:--:--  1271
Submission request id: fixed.requestId = "75534";
certificate request succeeded on moth.hep.manchester.ac.uk
--certificate=gridftp/hostcert_request.pem --output=gridftp/hostcert_request.out --vo=DZero --name=MARC_MENGEL --email=sam-oncall@fnal.gov --phone=+1-630-840-8256
find: warning: Unix filenames usually don't contain slashes (though pathnames do).  That means that '-name gridftp/hostcert_request.out' will probably evaluate to false all the time on this system.  You might find the '-wholename' test more useful, or perhaps '-samefile'.  Alternatively, if you are using GNU grep, you could use 'find ... -print0 | grep -FzZ gridftp/hostcert_request.out'.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 36  3042    0     0  100  1185      0    484  0:00:02  0:00:02 --:--:--   936Submission request id: fixed.requestId = "75535";
certificate request succeeded on moth.hep.manchester.ac.uk
100  3042  100  1857  100  1185    759    484  0:00:02  0:00:02 --:--:--  1467

Wait for the certificate requests to be approved (75534 and 75535 above; you can check at
http://pki1.doegrids.org/ca/checkRequest.html), then:

cert_renew -h "moth.hep.manchester.ac.uk" install

You can give multiple hosts, whitespace separated.

You can also explicitly say whether to do "sam" or "host" or "gridftp/host"
certs with the -t command option.

It tries to ssh in as sam to do this, so make sure you have ssh set up for that.

It likes the command-line "telephone" script available via ups so it can look up your full name etc. for the request.

Check http://pki1.doegrids.org/ca/checkRequest.html to see if it's ready yet.

If it goes wrong, it's usually something like:

$ cert_renew -h "moth.hep.manchester.ac.uk" request
ERROR: moth.hep.manchester.ac.uk has a samcert.pem but no matching cert_request.pem
ERROR: moth.hep.manchester.ac.uk has a gridftp/hostcert.pem but no matching cert_request.pem
find: warning: Unix filenames usually don't contain slashes (though pathnames do).  That means that '-name gridftp/hostcert_request.out' will probably evaluate to false all the time on this system.  You might find the '-wholename' test more useful, or perhaps '-samefile'.  Alternatively, if you are using GNU grep, you could use 'find ... -print0 | grep -FzZ gridftp/hostcert_request.out'.

So if you look on that system:

 ssh sam@moth.hep.manchester.ac.uk
Last login: Mon Aug  1 23:28:18 2011 from bel-kwinith.fnal.gov
[sam@moth ~]$ cd private/gsi
[sam@moth gsi]$ ls
butterfly_samcert.pem  gridftp               oldcerts             samkey.pem      srm_proxy
butterfly_samkey.pem   jim_gridftp           request_output.html  samserver.cert  x509up_u500
certificates           mothcert_request.pem  samcert.pem          samserver.key
[sam@moth gsi]$ 

You see that the request file is called "mothcert_request.pem" instead of "samcert_request.pem"; check with:
[sam@moth gsi]$ openssl req -text -in mothcert_request.pem 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=org, DC=doegrids, OU=Services, CN=sam/moth.hep.manchester.ac.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
...

to make sure, then rename it:
[sam@moth gsi]$ mv mothcert_request.pem  samcert_request.pem

Similarly, look for hostcert_request.pem in private/gsi/gridftp...
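
One way to automate the check above, as an added example that is not part of cert_renew: for each certificate it looks for the request file under the expected name and, if that is missing, compares the certificate's subject with every *_request.pem beside it and prints the rename that would clear the "no matching cert_request.pem" error. The function names subject_of and find_request are hypothetical, and it assumes the openssl command is installed on the host.

```shell
#!/bin/sh
# Added example, not cert_renew's own code. Hypothetical usage, from private/gsi:
#   sh this_script.sh samcert.pem gridftp/hostcert.pem

# subject_of KIND FILE: print the subject DN of a certificate (KIND=x509)
# or a certificate request (KIND=req) in one normalised form.
subject_of() {
    openssl "$1" -noout -subject -nameopt RFC2253 -in "$2" 2>/dev/null |
        sed 's/^subject= *//'   # older openssl versions print a space after "="
}

# find_request CERT: report on the request file that belongs to CERT.
# Prints exactly one line:
#   ok FILE          the expected <name>cert_request.pem exists
#   rename OLD NEW   a misnamed request with the same subject was found
#   missing FILE     no request in that directory matches the certificate
#   unreadable CERT  openssl could not read a subject from CERT
find_request() {
    cert=$1
    dir=$(dirname "$cert")
    expected="$dir/$(basename "$cert" .pem)_request.pem"
    if [ -f "$expected" ]; then
        echo "ok $expected"
        return 0
    fi
    want=$(subject_of x509 "$cert")
    if [ -z "$want" ]; then
        echo "unreadable $cert"
        return 0
    fi
    for req in "$dir"/*_request.pem; do
        [ -f "$req" ] || continue          # glob matched nothing
        if [ "$(subject_of req "$req")" = "$want" ]; then
            echo "rename $req $expected"   # suggestion only, nothing is moved
            return 0
        fi
    done
    echo "missing $expected"
}

# Check every certificate named on the command line.
for c in "$@"; do
    find_request "$c"
done
```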