install Let's Encrypt CA certificates in /etc/grid-security/certificates

Debian/opensciencegrid-letsencrypt-certificates
# letsencrypt-certificates

You get user certificates from CILogon, but you also need host certificates. You looked over the list of IGTF CAs, but they don't meet your needs. Why not use the Let's Encrypt CA? How do you set up /etc/grid-security?

## Getting your host certificate

Follow the Let's Encrypt Getting Started guide.

For example:

```sh
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
./letsencrypt-auto --debug certonly --standalone --email [email protected] -d example.org
# cert in /etc/letsencrypt
# then before it expires...
./letsencrypt-auto renew
```

## Setting up /etc/grid-security/host*.pem

```sh
ln -s /etc/letsencrypt/live/*/cert.pem /etc/grid-security/hostcert.pem
ln -s /etc/letsencrypt/live/*/privkey.pem /etc/grid-security/hostkey.pem
chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem # ugh!
```
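The same two symlinks and the key-permission fix as a shell function, added here as an example; it is not code from this repository or from Certbot. The one thing it does beyond the commands above is refuse to run when `/etc/letsencrypt/live` holds more than one lineage, because `live/*/cert.pem` then expands to several paths and `ln -s` quietly links whichever sorts first. The directory arguments are hypothetical parameters so the function can be tried on a scratch tree before it touches `/etc`.

```shell
#!/bin/sh
# Added example, not from the repository: link the Let's Encrypt live cert
# and key into the grid-security directory and lock down the archived keys.
# Both paths are hypothetical parameters; the defaults are the README's.

link_host_credentials() {
    le_dir=${1:-/etc/letsencrypt}
    grid_dir=${2:-/etc/grid-security}

    # "live/*/" must expand to exactly one lineage; otherwise the README's
    # glob would silently pick whichever name sorts first.
    count=0
    live=""
    for d in "$le_dir"/live/*/; do
        [ -d "$d" ] || continue
        count=$((count + 1))
        live=${d%/}
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one lineage under $le_dir/live, found $count" >&2
        return 1
    fi

    for f in cert.pem privkey.pem; do
        if [ ! -f "$live/$f" ]; then
            echo "missing $live/$f" >&2
            return 1
        fi
    done

    mkdir -p "$grid_dir"
    # -f replaces a stale link left behind by a renamed or re-issued lineage.
    ln -sf "$live/cert.pem"    "$grid_dir/hostcert.pem"
    ln -sf "$live/privkey.pem" "$grid_dir/hostkey.pem"

    # live/*/privkey.pem is itself a symlink into archive/, so the mode has
    # to be set on the real files there (the README's "ugh!" line).
    for k in "$le_dir"/archive/*/privkey*.pem; do
        [ -f "$k" ] && chmod 0600 "$k"
    done
    return 0
}

# Usage (as root):  link_host_credentials                                   # README defaults
#                   link_host_credentials /etc/letsencrypt /etc/grid-security
```

Run it once after the first `certonly` and again only if the lineage name changes; Certbot's `renew` rewrites the files behind `live/*/` in place, so the links stay valid across renewals.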

## Setting up /etc/grid-security/certificates

```sh
git clone https://github.com/cilogon/letsencrypt-certificates.git
cd letsencrypt-certificates/
make check
sudo make install
```

## Caveats

Like other Internet CAs and unlike IGTF CAs, Let's Encrypt issues end-entity certificates with subject DNs outside a controlled namespace (i.e., "/CN=*"), so the signing_policy file does not enforce a strong namespace restriction.
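To make that caveat concrete, here is an added example (not code from this repository or from Globus) that applies the `cond_subjects` patterns of a `signing_policy` file to a subject DN the way a relying party would. The matcher is a simplified stand-in for Globus's own: patterns are treated as shell globs and compared case-insensitively, which is an assumption about the real implementation. The two policy files in the test are constructed, and the CA names in them are placeholders rather than Let's Encrypt's real issuer DNs.

```shell
#!/bin/sh
# Added example, not from the repository: evaluate a signing_policy file's
# cond_subjects patterns against a subject DN. Matching here is a simplified
# stand-in for Globus's (shell globs, case-insensitive); treat that as an
# assumption, not as the reference implementation.

dn_allowed_by_policy() {   # $1 = signing_policy file, $2 = subject DN
    policy=$1
    dn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    # cond_subjects  globus  '"/DC=org/DC=example/*"  "/DC=org/DC=other/*"'
    # -> one lowercased pattern per line, quotes and whitespace stripped.
    patterns=$(sed -n "s/^cond_subjects[[:space:]]*globus[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" "$policy" \
               | tr '"' '\n' | sed '/^[[:space:]]*$/d' | tr 'A-Z' 'a-z')

    matched=1                    # fail closed: no cond_subjects line => deny
    oldifs=$IFS
    IFS='
'
    set -f                       # no pathname expansion while "*" is in play
    for pat in $patterns; do
        case "$dn" in
            $pat) matched=0 ;;   # glob match, as case does natively
        esac
    done
    set +f
    IFS=$oldifs
    return $matched
}

# Usage: dn_allowed_by_policy /etc/grid-security/certificates/<hash>.signing_policy "/CN=example.org"
#        (<hash> is a placeholder for the CA's OpenSSL subject hash)
```

With a `"/CN=*"` policy every DN passes, so the signing_policy adds nothing beyond chain validation: any name Let's Encrypt would issue for is accepted, and authorization has to come from a mapping you control (a grid-mapfile or an explicit list of expected host names) rather than from the issuer's namespace.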

Let's Encrypt does not issue CRLs for end-entity certificates (see the Certification Practice Statement).

Make sure to have a process in place to renew your certificates (e.g., Certbot).

## Troubleshooting

```
# hostname
example.org
# grid-proxy-init -debug -verify -cert /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem -hours 1 -out /tmp/hostcerttest

User Cert File: /etc/grid-security/hostcert.pem
User Key File: /etc/grid-security/hostkey.pem

Trusted CA Cert Dir: /etc/grid-security/certificates

Output File: /tmp/hostcerttest
Your identity: /CN=example.org
Creating proxy ......++++++
.....++++++
Done
Proxy Verify OK
# openssl verify -CApath /etc/grid-security/certificates /etc/grid-security/hostcert.pem
/etc/grid-security/hostcert.pem: OK
# if [ "`openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus`" = "`openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus`" ]; then echo "Match"; else echo "Different"; fi
Match
# openssl x509 -subject -noout -in /etc/grid-security/hostcert.pem
subject= /CN=example.org
```
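The checks in the session above bundled into one function, added as an example and not the repository's own tooling: chain verification against the trust directory, key/cert agreement, subject CN against the expected host name, and an expiry margin for the renewal caveat. It compares the certificate's and key's public keys rather than the RSA moduli the session compares, so it also holds for ECDSA keys. Every argument is a hypothetical parameter with the README's paths as defaults.

```shell
#!/bin/sh
# Added example, not from the repository: a non-interactive version of the
# troubleshooting session. Parameters are hypothetical; defaults follow the
# README. Exit status 0 means every check passed.

verify_host_credentials() {
    cert=${1:-/etc/grid-security/hostcert.pem}
    key=${2:-/etc/grid-security/hostkey.pem}
    cadir=${3:-/etc/grid-security/certificates}
    expected=${4:-$(hostname -f 2>/dev/null || hostname)}
    days=${5:-30}                # renewal margin in days

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # 1. The chain must build to a CA in the hashed trust directory
    #    (same as: openssl verify -CApath ... hostcert.pem).
    openssl verify -CApath "$cadir" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $cadir" >&2; return 1; }

    # 2. The private key must belong to the certificate. Comparing the
    #    SubjectPublicKeyInfo works for RSA and ECDSA alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }

    # 3. The subject CN must be the host name clients will connect to.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected" ] \
        || { echo "FAIL: subject CN '$cn' is not '$expected'" >&2; return 1; }

    # 4. Catch a renewal that silently stopped working before it bites.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
        || { echo "FAIL: $cert expires within $days days" >&2; return 1; }

    echo "OK: $cert, CN=$cn, key matches, valid for more than $days days"
    return 0
}

# Usage: verify_host_credentials                             # README defaults
#        verify_host_credentials cert key cadir example.org 14
```

Because it exits non-zero on the first failed check, it fits a cron job or a monitoring probe as well as an interactive session; a failing step 4 is the early warning the renewal caveat asks for.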