Hi Petar,

There's a hierarchy of TERENA CAs, and you need to have the full CA
hierarchy installed in /etc/grid-security/certificates.

For example:

$ openssl x509 -subject -issuer -noout < ff783690.0
subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root

There are links to each CA in the "certificate chain" at

  http://www.terena.org/activities/tcs/repository/

But it'd probably be easier to install the CAs you need from the current
IGTF distribution at

  https://dist.eugridpma.org/distribution/current/

because that will give you the .signing_policy files too.

Also, I recommend that you use the TERENA "eScience" CAs for grid
applications.

-Jim

P.S. For TERENA CA questions, I suggest posting on the t...@terena.org
mailing list (http://www.terena.org/activities/tcs/mailing-lists.html).

On 6/24/11 10:00 AM, Forai, Petar wrote:
> Dear list,
> 
> We're in the process of setting up a simple GridFTP infrastructure for use 
> with GlobusOnline. For this we've got a gridftp and myproxy host set up. 
> However we're struggling to get the proper CA setup with Globus running. For 
> testing purposes we've been trying to copy files via gsiftp from the gridftp 
> to the myproxy machine (as both have host certificates signed by the same CA).
> 
> We're not able to roll our own CA and have to use TERENA SSL provided by our 
> NREN for signing hosts. 
> 
> The ``/etc/grid-security/certificates/'' directory looks like:
> 
> 9df51c42.0  9df51c42.signing_policy  TERENA_SSL_CA.pem
> 
> where the hash was generated by running ``$GLOBUS_LOCATION/bin/openssl x509 
> -hash -noout < TERENA_SSL_CA.pem''
> Of course both hosts have a proper ``hostkey.pem'' and ``hostcert.pem'' in 
> ``/etc/grid-security/'' signed by TERENA SSL CA.
> 
> 
> I'm getting an error from ``globus-url-copy'' which complains about a not 
> found CA certificate with another hash (``ff783690'' as opposed to 
> ``9df51c42'') as seen here:
> 
> error: globus_ftp_control: gss_init_sec_context failed
> OpenSSL Error: s3_clnt.c:983: in library: SSL routines, function 
> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
> globus_gsi_callback_module: Could not verify credential
> globus_gsi_callback_module: Can't get the local trusted CA certificate: 
> Cannot find trusted CA certificate with hash ff783690 in 
> /etc/grid-security/certificates
> 
> 
> When I check the host certs they were signed by the same CA and the CN 
> strings etc match. Can anyone explain what I'm missing here? I know that I'm 
> not even at the step where user certificates come into play but I wanted to 
> see if the host communication/setup was working before I proceed to molest my 
> NREN to give me per user certificates.
> 
> 
> TIA!
> 
> P
> 
> 
> 
> Petar Forai — GMI IT/HPC Engineer
> mailto: petar.fo...@gmi.oeaw.ac.at
> GPG/PGP-Fingerprint: F4D15 F20B 6BB0 F68D 9580  2828 D17D BB4E 4DFF B82B 
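A small check in the spirit of Jim's advice, added here as an example (it is not from the thread, nor Globus or IGTF code): it walks every hashed CA file in a trust directory and reports which issuer hashes are missing, which is the condition behind the "Cannot find trusted CA certificate with hash ..." error quoted above. It assumes the OpenSSL command-line tool is in PATH and that each CA sits in a <hash>.0 file; the optional second argument selects the file-name hash style (-subject_hash is OpenSSL's default for 1.0 and later, -subject_hash_old the pre-1.0 names that older Globus installations used).

```shell
#!/bin/sh
# Added example, not from the thread: report gaps in a Globus-style
# trust directory of <hash>.0 CA files. For each CA file it checks that
# the file name matches the certificate's subject hash, that a matching
# .signing_policy exists, and that the issuer's own <hash>.0 file is
# present, following the chain up to a self-signed root. Assumes the
# OpenSSL CLI is in PATH.
#
# usage: check_ca_dir DIR [-subject_hash|-subject_hash_old]
# (run it twice to check both hash styles; the exit status is the number
#  of issuer certificates that are missing, 0 when the chain is complete)
check_ca_dir() {
    dir=$1
    subjflag=${2:--subject_hash}
    case $subjflag in
        -subject_hash)     issflag=-issuer_hash ;;
        -subject_hash_old) issflag=-issuer_hash_old ;;
        *) echo "unknown hash flag: $subjflag" >&2; return 2 ;;
    esac
    missing=0
    for f in "$dir"/*.0; do
        [ -e "$f" ] || { echo "no *.0 files in $dir" >&2; return 2; }
        name=$(basename "$f" .0)
        subj=$(openssl x509 -noout "$subjflag" -in "$f")
        iss=$(openssl x509 -noout "$issflag" -in "$f")
        if [ "$name" != "$subj" ]; then
            echo "WARN: $f is named for hash $name, but its subject hash is $subj"
        fi
        if [ ! -f "$dir/$subj.signing_policy" ]; then
            echo "WARN: $f has no $subj.signing_policy (Globus requires one)"
        fi
        # A self-signed root is the top of the chain; nothing more to find.
        [ "$subj" = "$iss" ] && continue
        if [ ! -e "$dir/$iss.0" ]; then
            echo "MISSING: $f was issued by CA hash $iss, but $dir/$iss.0 is not installed"
            missing=$((missing + 1))
        fi
    done
    echo "$missing issuer certificate(s) missing in $dir"
    return $missing
}
```

Run it as `check_ca_dir /etc/grid-security/certificates` on both hosts; a MISSING line names the intermediate or root you still have to fetch from the IGTF distribution.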
