349 | | 2a. Move the trusted_roots directory to /home/johren/.globus/certificates. |
350 | | |
351 | | 2b. Determine the hash for the certificate and create the link |
352 | | {{{ |
353 | | }}} |
354 | | |
355 | | 2c. Create the signing_policy file and create a hash link for this. |
356 | | {{{ |
| 349 | 2a. Go to the trusted_)roots directory |
| 350 | {{{ |
| 351 | cd trusted_roots |
| 352 | }}} |
| 353 | |
| 354 | 2b. For each certificate, determine the hash for the certificate and create the link |
| 355 | {{{ |
| 356 | globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout |
| 357 | 0894ffd6 |
| 358 | globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0 |
| 359 | }}} |
| 360 | |
| 361 | 2c. Determine the subject of each certificate |
| 362 | {{{ |
| 363 | openssl x509 -in <certificate-file> -subject -noout |
| 364 | }}} |
| 365 | |
| 366 | 2d. Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following (where access_id_CA is the subject of the CA found in step 2c). |
| 367 | {{{ |
| 368 | access_id_CA X509 '/CN=geni//gpo//gcf.authority.sa' |
| 369 | pos_rights globus CA:sign |
| 370 | cond_subjects globus '/*' |
| 371 | }}} |
| 372 | |
| 373 | 2e. Create a symlink to the signing policy using the hash determined above. |
| 374 | {{{ |
| 375 | ln -s ch-cert.signing_policy 0894ffd6.0 |
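Review bot: the `ln -s` in step 2e links the signing policy to `0894ffd6.0`, which is the name step 2b already gave the certificate symlink, so the command fails with "File exists" and the policy link is never created. The directory listing further down shows the intended name, so this should read `ln -s ch-cert.signing_policy 0894ffd6.signing_policy`. Two smaller points in the same hunk: step 2a has a stray character in `trusted_)roots`, and 2b says "for each certificate" while 2d and 2e only show ch-cert, so it is worth stating that 2c through 2e are also repeated per certificate, each with its own hash.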
| 383 | Your CA certificate directory (e.g. trusted_roots) should looks something like this: |
| 384 | {{{ |
| 385 | pc:~/.globus/certificates% ls -l |
| 386 | total 28 |
| 387 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem |
| 388 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy |
| 389 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem |
| 390 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy |
| 391 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 10 Nov 28 09:32 aacaba34.0 -> cacert.pem |
| 392 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy |
| 393 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 916 Nov 28 09:31 cacert.pem |
| 394 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 111 Nov 28 09:53 cacert.signing_policy |
| 395 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem |
| 396 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 834 Nov 28 12:31 ch-cert.pem |
| 397 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 116 Nov 28 09:54 ch-cert.signing_policy |
| 398 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem |
| 399 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 111 Nov 28 09:55 ma-cert.signing_policy |
| 400 | }}} |
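Review bot: the listing's prompt is `pc:~/.globus/certificates%`, but the steps in this change work in `~/irodscerts/trusted_roots`, and the old step 2a that moved the directory to /home/johren/.globus/certificates is removed. Unless a step outside these lines covers it, say where the directory is copied or moved to ~/.globus/certificates. The symlinks here are relative, so they only keep resolving if the .pem and .signing_policy files move together with them. Also, "should looks something like this" should be "should look something like this".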