ESGF Certificate Management
If you wish to extend your temporary CA certificate (for standalone testing only):
esg_node.py --update-temp-ca
If you want to install a commercial CA issued certificate:
esg_node.py --install-keypair <certificate file> <key file>
When prompted for the cachain file, specify the chain file provided by your CA.
If you wish to generate CSRs for a simpleCA CA certificate and/or web container certificate:
esg_node.py --generate-esgf-csrs
If you wish to generate CSRs for a node other than the one you are running, use:
esg_node.py --generate-esgf-csrs-ext
If you wish to install ESGF certificates:
Untar the entire contents of the tarball you received from Prashanth into /etc/esgfcerts, then run:
esg_node.py --install-local-certs
If you also have locally issued certificates for the webcontainer:
esg_node.py --install-keypair /etc/esgfcerts/hostcert.pem /etc/esgfcerts/hostkey.pem
When prompted for the cachain file, specify /etc/esgfcerts/cachain.pem.
If you have certificates for your webcontainer, issued by a commercial CA, ensure you have the following:
- Certificate and key files
- CA chain file
Ensure that your CA chain file is complete with this command:
openssl verify -verbose -purpose sslserver -CAfile <cachainfile> <certificate file>
You should get a one-line response that looks like this: <certificate file>: OK
If you have errors, your chain file is not complete. Contact your certificate provider for assistance, or email esgf_iwt@llnl.gov with ‘Help needed with CA chainfile construction’ in the subject line, attaching your public certificate (NOT KEY!!!) and the CA’s certificate or the chain file that you have.
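A pre-flight check to run before esg_node.py --install-keypair, shown here as an added example that is not part of the ESGF installer. It wraps the openssl verify command above, confirms that the certificate matches the key, and confirms that no private key is in a file you might attach to an email. The function names and exit codes are this example's own, and it assumes an unencrypted key file.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a commercial-CA keypair.
# Function names and exit codes are this example's own, not part of esg_node.py.

# Return 0 if the file holds no private key material (safe to attach to email).
contains_no_private_key() {
    ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# preflight_keypair <certificate file> <key file> <cachainfile>
# Exit codes: 0 ok, 2 unreadable input, 3 cert/key mismatch,
#             4 incomplete chain, 5 private key found in cert or chain file.
preflight_keypair() {
    local cert="$1" key="$2" chain="$3" f cert_pub key_pub
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done

    # The certificate and chain are public; neither should carry a key.
    for f in "$cert" "$chain"; do
        contains_no_private_key "$f" || { echo "private key inside: $f" >&2; return 5; }
    done

    # Compare the public key in the certificate with the one derived from the
    # private key. '-passin pass:' makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate does not match key" >&2; return 3; }

    # Same check the page gives, with openssl's own output suppressed.
    openssl verify -purpose sslserver -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "chain file is not complete for $cert" >&2; return 4; }

    echo "$cert: OK"
}

# Run directly: ./preflight.sh <certificate file> <key file> <cachainfile>
if [ "$#" -eq 3 ]; then
    preflight_keypair "$@"
fi
```

Exit code 4 corresponds to the incomplete-chain case described above; exit code 5 means a file you were about to install or send as "public" contains a key.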