Host Certificates#

Hosts which run grid services (such as CEs, SEs, gridftp servers) need to have an X509 grid certificate in /etc/grid-security. Some services just use the host certificate /etc/grid-security/hostcert.*. Some use a copy of the host certificate in a subdirectory of /etc/grid-security (to make it readable by that service). Some may use a separate service certificate in a subdirectory.#


Puppet installs certificates from /etc/puppet/modules/certs/files.#

Creating Host Certificates#

To create a host certificate, you must first be authorized as a CMS (or GLOW) VO GridAdmin in the OSG Registration Authority. To get authorized, login [here] and click Request for GridAdmin Enrollment.#

Once authorized, on a login machine, the following command can be used to create a host certificate:#

osg-gridadmin-cert-request -H -v CMS

or (if you are authorized via GLOW rather than CMS)#

osg-gridadmin-cert-request -H -v GLOW

For a group of systems, the -f option can be used to specify a file containing a list of hosts.#

This command will create two files for each certificate, a private key and a public key. Move these files into /etc/puppet/modules/certs/files using destination filenames that match the naming scheme used for existing cases. Do not leave copies of the private keys lying around in public AFS directories.#

Running puppeteer hostname will push the new certificate to the host. Some services need to be restarted after the certificate is updated.#

Checking Host Certificate Expiration#

Icinga checks for expiring certificates. To see expired certificates, go to and click on Unhandled problems under Critical Services and look for Certificate expiration in the Service column.#

To see certificates that are in danger of expiring, click on N Warning under Services, sort the Services column and look for Certificate Expiration in a Warning state.#

To manually examine a certificate, including its expiration time, the following command can be used#

openssl x509 -text -noout -in /etc/grid-security/hostcert.pem