Discussion:
[AG-TECH] Requesting a new certificate or running a VenueServer without.
Miguel Sáez Llorente
2014-05-28 07:35:20 UTC
Hello everyone!

My venue server certificate is about to expire within the next few days.
I'm trying to request a new certificate but it seems the certificate
authority server isn't up yet. If it didn't get already fixed I guess it
won't be soon enough so I'm wondering if there is any way to run a Venue
Server without a certificate?

Thanks,
--
====================================================================
Miguel A. Sáez Llorente
Soporte tareas multimedia - ATIC

Univ. Santiago de Compostela (USC)
Rúa de José María Suárez Núñez (Campus Sur) - Pavellón de Servicios
15705 Santiago de Compostela - SPAIN

E-mail: ***@usc.es
Tel: ext. 13035 / Directo (+34) 881813035
Tel AG: ext. 16273 / Directo (+34) 881816273
Movil Personal: (+34) 634531716
Fax: (+34) 981547070
Web: http://www.usc.es/atic
====================================================================
Christoph Willing
2014-05-29 09:57:44 UTC
Sending again for list ..

chris


-------- Original Message --------
Subject: Re: [AG-TECH] Requesting a new certificate or running a
VenueServer without.
Date: Thu, 29 May 2014 19:51:04 +1000
From: Christoph Willing <***@iinet.net.au>
To: Miguel Sáez Llorente <***@usc.es>

Although the complete authority server infrastructure isn't set up yet,
the core of it is ready. We have a new CA and a mechanism for signing
certificate requests. If you want to use it, the necessary steps
currently are:

1. Download the two CA files from:
http://www.ap-accessgrid.org/CA/
(the README has md5sums for them) and copy them into the
/etc/AccessGrid/Config/CAcertificates directory. They will be used
automatically by new users (who don't yet have a ~/.AccessGrid directory
tree). Established users will have to run certmgr3 (certmgr3.py on some
systems), enter "ca" to go into CA mode, then import the .0 file you
just downloaded.

2. Create a certificate request - in a terminal run:
openssl req -newkey rsa:512 -nodes -out cert.csr -keyout cert.key
and answer the questions (leave password empty for server usage). When
complete this will generate 2 files, cert.csr and cert.key (you can give
them more meaningful names if you like). Keep the .key file safe (you'll
need it later) and send the .csr file here (I hope this list allows
attachments) or directly to me. I will sign the request and email your
certificate file (as a .pem file) to you.

3. When you receive the .pem file, copy it to wherever you're keeping
the .key file, then from that directory run certmgr3.py - this time stay
in id mode and then go:
import cert.pem cert.key
(or whatever the names of .pem & .key files are).

4. If you now have multiple id certificates, you'll need to make the new
certificate the default e.g.
default 2
(the number depends on output from certmgr3's list command)

That should be all ..

chris
Miguel Sáez Llorente
2014-06-02 07:18:53 UTC
Hello,

I'm trying to follow your instructions but I can't import the new CA.

(CA mode) > import /etc/AccessGrid3/Config/CAcertificates/cb2c302e.0
/etc/AccessGrid3/Config/CAcertificates/cb2c302e.signing_policy
Error importing certificate from
/etc/AccessGrid3/Config/CAcertificates/cb2c302e.0: long too large to
convert to int

Thanks,
_______________________________________________
accessgrid-tech mailing list
https://lists.sourceforge.net/lists/listinfo/accessgrid-tech
Christoph Willing
2014-06-02 09:21:36 UTC
Hi Miguel,

I thought I had taken that problem into account when I created this
latest CA but evidently not. I will have to investigate the cause of the
problem some more.

In the meantime, could you try a little test please? Change the name of
~/.AccessGrid to something else e.g. ~/.AccessGrid_XXX. With no other AG
applications running, run certmgr (or certmgr3.py). That will create a
new ~/.AccessGrid tree. Don't try to explicitly load any CA, just list
the CAs. Has the new one been loaded automatically?


Tom, if you're reading ...
We saw that problem some time ago with a new (at that time) CA from
ANL but you were able to issue a corrected CA. Do you recall how you
overcame this problem when creating the new CA? I thought I had allowed
for it by adding a 12 digit hex parameter to the -set_serial argument of the
"openssl req -new -x509 ..." command I used to generate the CA. That
actually fixed the problem locally but looks like not globally. Any
other ideas?

chris
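The import error and the -set_serial remark in the messages above both concern the size of the CA certificate's serial number. As an added example (not code from the thread or from the AccessGrid toolkit), this Python 3 script reads the serial from a certificate and reports whether it fits a signed 32-bit or 64-bit C integer. That the importer fails on such a conversion is an assumption; the stub certificate and its serial are constructed sample values.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Decode the base64 body of a PEM block (e.g. the CA's .0 file)."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def cert_serial(der):
    """Extract serialNumber from Certificate -> tbsCertificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE not found")
    tag, val, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, val, _ = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(val, "big", signed=True)

def serial_report(serial):
    """Say which fixed-width signed C integers can hold the serial."""
    fits = lambda bits: -(1 << (bits - 1)) <= serial < (1 << (bits - 1))
    return {"hex": format(serial, "x"), "bits": serial.bit_length(),
            "fits_int32": fits(32), "fits_int64": fits(64)}

def sample_stub(serial):
    """Constructed, unsigned stub holding only the fields cert_serial reads."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v   # short-form lengths only
    num = serial.to_bytes(serial.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, num)))

if __name__ == "__main__":
    # Constructed 12-hex-digit serial, the size the post passed to -set_serial.
    print(serial_report(cert_serial(sample_stub(0x1A2B3C4D5E6F))))
```

To check a real CA file, read it as text and pass the result of pem_to_der() to cert_serial().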
Miguel Sáez Llorente
2014-06-02 10:43:41 UTC
Hi Chris,

I did what you asked for and the new certificate I got into
/etc/AccessGrid3/Config/CAcertificates/ isn't being loaded.

Thanks,