Cert Management & Update


The GetCerts interim package

This package contains one Perl script, get_certificates, which holds the CA configuration for Globus. The script downloads or refreshes each CA's CRL from a plain http URL and writes a ca-signing-policy.conf file for you, provided, of course, that the configuration information in the script is set correctly. Plain http is acceptable for the CRLs only because every downloaded CRL is verified against the locally stored CA certificate (see the checks below); the CA certificates themselves are never fetched automatically. See the comments at the top of the script for brief usage information. Note that running get_certificates overwrites your existing ca-signing-policy.conf file, so keep a copy if you have edited it by hand.

The script also checks for the following common problems:

  • CA cert modified: if the CA cert stored locally differs from the cert available at the URL given in the cert hash entry, the script issues a warning and removes this CA from the ca-signing-policy.conf file.
  • CA cert or CRL outdated: if the CA cert or the CRL is past its validity period (notAfter and nextUpdate respectively), a warning is issued and the CA is removed from the ca-signing-policy.conf file.
  • CRL failed verify: the new CRL retrieved from the web failed verification against the locally stored CA cert. The downloaded CRL is discarded and a warning is issued.
The script never modifies a local CA cert. Always retrieve a CA cert by hand and copy it into the repository under its proper name, cacert-caid.pem. If you really want to, you can force retrieval of a CA cert with the --reloadcerts=symname-regex option, for example:
perl ./getcerts.pl --reloadcerts=cnrs-top --now
Note that not all CA certs are available on-line in a retrievable form.

Do not use the CA certs included in the package as-is[1]: doing so poses a security risk, since you would be trusting whatever happened to be in the tarball you downloaded. Download the CA certs yourself from each CA, verify their integrity (for instance by comparing the certificate fingerprint with the one the CA publishes through an independent channel) and only then store them in the directory under the proper name. I accept no responsibility with regard to the actual certs in the package. You can always verify them using the DataGrid WP6 web pages.
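The checks listed above, together with the by-hand fingerprint verification just recommended, as an added example that is not part of the GetCerts package: a POSIX shell script that performs each check with the openssl command line tool. It assumes openssl and GNU date are on the PATH; the file names (cacert.pem, ca.crl), the check_ca wrapper and the two throwaway CAs it builds for the demonstration are made up here and are not the script's own names or data.

```shell
#!/bin/sh
# Added example, not code from the GetCerts package: the per-CA checks that
# get_certificates performs, expressed as plain openssl commands. Assumes
# openssl and GNU date on the PATH; file names, the check_ca wrapper and the
# throwaway demo CAs are made up here.

# CRL signature: succeed only if openssl reports "verify OK" for this CA cert.
# The text is checked because "verify failure" does not reliably set a
# non-zero exit status across openssl versions.
crl_verifies() {                       # crl_verifies cacert.pem ca.crl
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q '^verify OK'
}

# CA cert still valid: succeed if notAfter lies in the future.
cert_not_expired() {                   # cert_not_expired cacert.pem
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# CRL still current: succeed if nextUpdate lies in the future (GNU date -d).
crl_not_expired() {                    # crl_not_expired ca.crl
    nu=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null | sed 's/^nextUpdate=//')
    [ -n "$nu" ] || return 1
    [ "$(date -u -d "$nu" +%s)" -gt "$(date -u +%s)" ]
}

# SHA-1 fingerprint as colon-separated hex, "SHA1 Fingerprint=" prefix stripped.
cert_fingerprint() {                   # cert_fingerprint cacert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Compare with the fingerprint obtained out of band (CA web page, e-mail, phone).
fingerprint_matches() {                # fingerprint_matches cacert.pem AB:CD:...
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Run one CA through the checks and print the verdict; a non-zero status means
# the CA would be dropped from the signing policy or the new CRL ignored.
check_ca() {                           # check_ca cacert.pem ca.crl expected-fingerprint
    if ! fingerprint_matches "$1" "$3"; then
        echo "WARN: $1 does not match the published fingerprint; dropping CA"; return 1
    elif ! cert_not_expired "$1"; then
        echo "WARN: $1 has expired; dropping CA"; return 1
    elif ! crl_verifies "$1" "$2"; then
        echo "WARN: $2 failed verification against $1; ignoring downloaded CRL"; return 1
    elif ! crl_not_expired "$2"; then
        echo "WARN: $2 is past its nextUpdate; dropping CA"; return 1
    fi
    echo "OK: $1 and $2 pass all checks"
}

# Throwaway CA for the demo: RSA key, self-signed cert and an empty 30-day CRL in dir $1.
make_demo_ca() {                       # make_demo_ca dir "Common Name"
    mkdir -p "$1" && : > "$1/index.txt" && echo 01 > "$1/crlnumber" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null || return 1
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = demo
[ demo ]
database         = $1/index.txt
crlnumber        = $1/crlnumber
certificate      = $1/cacert.pem
private_key      = $1/ca.key
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Demo: CA A passes; CA B's CRL must be rejected with CA A's cert, and CA B's
# cert must be flagged when checked against CA A's published fingerprint.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_ca "$d/a" "Demo CA A" && make_demo_ca "$d/b" "Demo CA B" || return 1
    fp=$(cert_fingerprint "$d/a/cacert.pem")
    check_ca "$d/a/cacert.pem" "$d/a/ca.crl" "$fp"   # OK
    check_ca "$d/a/cacert.pem" "$d/b/ca.crl" "$fp"   # WARN: CRL failed verification
    check_ca "$d/b/cacert.pem" "$d/b/ca.crl" "$fp"   # WARN: fingerprint mismatch
    rm -rf "$d"
}

demo
```

The order of the checks in check_ca matters: a certificate that does not match the fingerprint you obtained independently must never be used to verify a CRL, so the fingerprint comparison comes first. In the demo the two CAs carry different subject names, so the cross check fails at issuer lookup inside openssl; a CRL signed with a different key under the same name fails at the signature step, and both outcomes are the "CRL failed verify" case the script reports.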

Delays?

The script waits a variable interval of up to 10 minutes before starting. This spreads the load on the CA web servers when end-users run the script from crontab, since people are usually not very inventive in picking a start time.

Requirements

For the script to work properly you need OpenSSL (at least version 0.9.5a) and a Perl 5 installation with the LWP::UserAgent and HTTP::Request modules installed (the standard ASIS distribution from CERN will do fine).

Comments to: David Groep.

Download

Most recent version is . Download:


Relevant Globus releases (verified): 1.1.2, 1.1.3, 1.1.3b14
Creation date: March 15, 2001
June 5, 2001
August 28, 2001
Author(s): David Groep

1) Unless you got the tarball from the SSL-secured site and verified the fingerprint of the CA you imported in Netscape (for DutchGrid admins only; the address was sent to you by e-mail).
