On Aug 11, 2008, at 12:46 PM, I8abyte wrote:

2) Show us the command (and output) you're using to check the extensions

grid-cert-info:

Is that just "grid-cert-info", or "grid-cert-info -file /path/to/proxy"? This stuff about trying to keep things secret is getting in the way of debugging, and I don't think the things you're hiding are things you need to keep secret. The only secret thing out of your hostname, DN, public key, private key is your private key.

"grid-cert-info" all by itself will not show a path-length restriction. Your certificate probably doesn't have one. But your proxy will. Show both the command and the output of:
openssl x509 -in /tmp/x509up_u`id -u`  -noout -text


Charles

<snip>
X509v3 extensions:
   X509v3 Key Usage: critical
   Digital Signature
   X509v3 Subject Key Identifier:
   xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
   X509v3 Certificate Policies:
   Policy: 2.16.840.1.101.2.1.11.7
</snip>


3)  Show us the output of `which grid-proxy-init` and `which openssl`

/opt/globus/4.2.0/bin/grid-proxy-init
and
/opt/globus/4.2.0/bin/openssl

4)  Send the output of grid-cert-diagnostics

Checking Environment Variables
==============================
Checking if X509_CERT_DIR is set... /etc/grid-security/certificates/
Checking if X509_USER_CERT is set... no
Checking if X509_USER_KEY is set... no
Checking if X509_USER_PROXY is set... no

Checking Security Directories
==============================
Determining trusted cert path... /etc/grid-security/certificates/
Checking for cog.properties... not found

Checking Default Credentials
==============================
Determining certificate and key file names... ok
Certificate Path: "/home/xxxx/.globus/usercred.p12"
Key Path: "/home/xxxx/.globus/usercred.p12"
Reading pkcs12 credentials
Enter GRID pass phrase for this identity:
ok
Checking Certificate Subject... "/C=US/O=Maryland/OU=MPO/CN=xxxxxxxxx"
Checking cert... ok
Checking key... ok
Checking that certificate contains an RSA key... ok
Checking that private key is  an RSA key... ok
Checking that public and private keys have the same modulus... ok
Checking certificate trust chain... ok

Checking trusted certificates...
==============================
Getting trusted certificate list...
Checking CA file /etc/grid-security/certificates/xxxxxxxx.0... ok
Verifying certificate chain for "/etc/grid-security/certificates/xxxxxxxx.0"... ok
Checking CA file /etc/grid-security/certificates/yyyyyyyy.0... ok
Verifying certificate chain for "/etc/grid-security/certificates/yyyyyyyy.0"... ok



Thanks,

Charles

On Aug 11, 2008, at 11:29 AM, I8abyte wrote:

BTW, I don't see any of those extensions on the proxy certs that I
generate (when I run grid-cert-info, "openssl x509" queries, etc.)


On Mon, Aug 11, 2008 at 12:19 PM, I8abyte <[EMAIL PROTECTED]> wrote:

Thanks, I had to rephrase the question: as Charles alluded, how does
one set the path length in the proxy cert?  I tried the
grid-proxy-init "-path-length" option but that doesn't help and I
can't see how else to set it.



On Mon, Aug 11, 2008 at 10:57 AM, Joseph Bester <[EMAIL PROTECTED]>
wrote:

On Aug 11, 2008, at 9:08 AM, I8abyte wrote:

Charles--

What options are you using with 'grid-proxy-init' to get the proxy
certificate properties below?  How did you set the path length
constraint below?  When I run the x509 query on my proxy cert it
doesn't indicate any of the options below ....

Ben--


You can use a sequence like this:
% grid-proxy-init -out /tmp/proxy.pem
% grid-cert-info -file /tmp/proxy.pem
to see the X.509 extensions in the proxy certificate

Joe






