
Tools/Manuals/TS14

Revision as of 08:31, 31 March 2011 by Aesch (talk | contribs)


Host certificate update

Introduction

Updating the host certificate in /etc/grid-security is not always sufficient: some services keep their own copy of the certificate, the one they were started with. Some services also need to be restarted when their certificate changes.

This page gives some examples.

Location and ownership of copies

Copies of the host certificate and key generally have the following permissions: 644 for the public key (the certificate) and 600 for the private key.

  • FTS
    -rw-r--r--    1 glite    root         4599 Apr 17 10:47 /etc/grid-security/glite-data-transfer-agents-cert.pem
    -r--------    1 glite    root          887 Apr 17 10:47 /etc/grid-security/glite-data-transfer-agents-key.pem
    -rw-r--r--    1 tomcat   root         4599 Jan 16 10:57 /etc/grid-security/tomcat-cert.pem
    -r--------    1 tomcat   root          887 Jan 16 10:57 /etc/grid-security/tomcat-key.pem
  • LFC
    -rw-r--r--    1 lfcmgr   lfcmgr       4689 May 30  2006 /etc/grid-security/lfcmgr/lfccert.pem
    -r--------    1 lfcmgr   lfcmgr        902 May 30  2006 /etc/grid-security/lfcmgr/lfckey.pem
  • VOMS
    -rw-r--r--    1 tomcat   root         4624 Mar 27 15:45 /etc/grid-security/tomcat-cert.pem
    -r--------    1 tomcat   root          891 Mar 27 15:45 /etc/grid-security/tomcat-key.pem
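
The following check is an added example, not part of the original wiki page: it compares each copy location listed above with the host credential and flags copies that are stale or too widely readable. It assumes the new credential is installed as hostcert.pem and hostkey.pem in /etc/grid-security (names not given on this page) and accepts a private key that has no group or other access.

```shell
#!/bin/sh
# Added example: report stale or badly protected copies of the host certificate.
# Assumption: the new credential is GRID_DIR/hostcert.pem and GRID_DIR/hostkey.pem.
GRID_DIR=${GRID_DIR:-/etc/grid-security}

# Copy locations taken from the listings on this page, as cert:key pairs.
COPIES="glite-data-transfer-agents-cert.pem:glite-data-transfer-agents-key.pem
tomcat-cert.pem:tomcat-key.pem
lfcmgr/lfccert.pem:lfcmgr/lfckey.pem"

# check_file REFERENCE COPY PATTERN
# Prints one status line; returns 0 only if COPY is byte-identical to
# REFERENCE and its ls mode string matches the shell PATTERN.
check_file() {
    ref=$1 copy=$2 pattern=$3
    mode=$(ls -ld "$copy" 2>/dev/null | cut -c1-10)
    if ! cmp -s "$ref" "$copy"; then
        echo "STALE    $copy differs from $ref"
        return 1
    fi
    case $mode in
        $pattern) echo "OK       $copy ($mode)"; return 0 ;;
        *)        echo "BADMODE  $copy ($mode)"; return 1 ;;
    esac
}

# audit_copies: check every copy pair whose certificate exists on this host.
# The return status is the number of problems found (0 = all copies current).
audit_copies() {
    problems=0
    for pair in $COPIES; do
        cert=$GRID_DIR/${pair%%:*}
        key=$GRID_DIR/${pair##*:}
        [ -e "$cert" ] || continue      # service not installed on this host
        # Certificate copy: exactly 644.
        check_file "$GRID_DIR/hostcert.pem" "$cert" '-rw-r--r--' ||
            problems=$((problems + 1))
        # Key copy: owner read (optionally write), nothing for group/other.
        check_file "$GRID_DIR/hostkey.pem" "$key" '-r?-------' ||
            problems=$((problems + 1))
    done
    return "$problems"
}
```

Source the file and call audit_copies as root after installing the new certificate. A copy reported as OK only means the file is current; the service that uses it may still need a restart.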

Examples of services to be restarted

  • FTS
    • tomcat
    • transfer-agents
  • LCG-CE
    • gatekeeper
  • LFC
    • Nothing to restart
  • MyProxy
    • Nothing to restart
  • VOMS
    • tomcat
    • gLite
    • if the certificate DN changes: the DN is registered in the VOMS database, so you need to update it there:
   $ mysql -h <DB_HOST> -u <DB_USER> -p
   mysql> use voms_<VO name>;
   mysql> update admins set dn="<new DN>" where dn like "%<old DN>%";
   mysql> exit