ESGF Certificate Management

If you wish to extend your temporary CA certificate (for standalone testing only): --update-temp-ca

If you want to install a commercial CA issued certificate: --install-keypair <certificate file> <key file>

When prompted for the cachain file, specify the chain file provided by your CA.

If you wish to generate CSRs for a simpleCA CA certificate and/or web container certificate: --generate-esgf-csrs

If you wish to generate CSRs for a node other than the one you are running, you could use --generate-esgf-csrs-ext

If you wish to install ESGF certificates:

  1. untar the entire contents of the tarball you received from Prashanth into /etc/esgfcerts

  2. --install-local-certs

  3. If you also have locally issued certificates for the webcontainer: --install-keypair /etc/esgfcerts/hostcert.pem /etc/esgfcerts/hostkey.pem

    When prompted for the cachain file, specify /etc/esgfcerts/cachain.pem

  4. If you have certificates for your webcontainer, issued by a commercial CA, ensure you have the following:

    1. Certificate and key files
    2. CA chain file.

    Ensure that your CA chain file is complete with this command: openssl verify -verbose -purpose sslserver -CAfile <cachainfile> <certificate file>

    You should simply get a one-line response that looks like this: <certificate file>: OK

    If you have errors, your chain file is not complete. Contact your certificate provider for assistance, or email with ‘Help needed with CA chainfile construction’ in the subject line, attaching your public certificate (NOT KEY!!!) and the CA’s certificate or the chain file that you have.
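
A preflight for --install-keypair, added here as an example and not part of the ESGF installer: it runs the chain check above and, going one step beyond the page, confirms the key file belongs to the certificate. The function names and the throwaway demo PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight checks before --install-keypair.
# Function names and the demo PKI below are constructed for illustration.

# chain_complete <cert> <cachain>: 0 if the chain file verifies the
# certificate for TLS server use (the openssl verify check from the page).
chain_complete() {
    openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert <cert> <key>: 0 if both files carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight <cert> <key> <cachain>: returns 1 = wrong key, 2 = incomplete chain.
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    chain_complete "$1" "$3" || { echo "chain file is not complete" >&2; return 2; }
    echo "$1: OK"
}

# make_demo_pki <dir>: throwaway root -> intermediate -> host certificates,
# so the checks can be tried without real key material.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root" -days 2 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -extfile "$d/ca.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/hostkey.pem" -out "$d/host.csr" -subj "/CN=node.example.org" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 2 -out "$d/hostcert.pem" 2>/dev/null
    # A complete chain file holds the intermediate and the root.
    cat "$d/int.pem" "$d/root.pem" > "$d/cachain.pem"
}

# Stand-alone use: sh <this script> <cert> <key> <cachain>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```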