We have a tool for that in the globus-openssl-module-progs package called globus-update-certificate-dir which computes the new hashes for sites upgrading from 0.9 to 1.0 and makes those links
Joe On Sep 18, 2012, at 6:49 AM, Asher Spain <[email protected]> wrote: > Dear friends, > > I'm getting an error verifying the trust in CA due to OpenSSL. > I have created using SimpleCA a CA and install its files in my clients > without any problems. However, one of my clients can't verify the CA hash > because it is taking the CA hash as if it was using the old OpenSSL version > which used other hash type. I mean, > My CA has the following hash (which is created with OpenSSL 1.0.0e): c03c42ac > However, after installing it in the client (Ubuntu 11.10) and try to use > "grid-proxy-init -debug -verify" it can't verify it as it says it can't find > trust in the CA with hash a784f43d. > > I checked that the hash is asking me for is the same hash but calculated with > the old OpenSSL version of my CA: > openssl x509 -hash -noout < /etc/grid-security/certificates/c03c42ac.0 > -> c03c42ac > openssl x509 -subject_hash_old -noout < > /etc/grid-security/certificates/c03c42ac.0 > -> a784f43d > > I don't know how to solve this. I found a tool that converts old hash files > into new hash files (http://www.cilogon.org/openssl1) but mines are already > the new ones so it makes no change and the error remains. I have tried to > uninstall libssl0.9.8 but it uninstalls grid-proxy-utils as well and if > reinstall the package it installs libssl0.9.8. > What can I do to avoid this problem? > > Thanks in advance! > > Asier
