Hi, I ran into a problem when I verified my proxy. Yes, I have created a delegated proxy from my Globus proxy, but verifying it showed an error.
Firstly, I created my proxy with the Globus command 'grid-proxy-init', and then I constructed my delegated proxy with standard openssl commands:

    SUBJ=`openssl x509 -noout -in $1 -subject | sed -e 's/subject= //'`
    echo "SUBJECT=$SUBJ"
    openssl req -new \
        -nodes \
        -keyout delegated-proxy.key \
        -out delegated-proxy.req \
        -newkey rsa:1024 \
        -subj "$SUBJ/CN=proxy"
    openssl x509 -req \
        -CA proxy \
        -CAkey proxy \
        -in delegated-proxy.req \
        -out delegated-proxy.crt \
        -set_serial $RANDOM \
        -sha1 \
        -days 1
    cat delegated-proxy.crt delegated-proxy.key proxy > delegated-proxy

However, when I verified the delegated-proxy, I got an error message:

    Invalid CA certificate

Did you successfully create a second delegated proxy? How did you create it? Is there something wrong with my commands?

Thanks
Best Regards,
Ian

On 6/15/07, Christopher Kunz <[EMAIL PROTECTED]> wrote:
Ian jonhson wrote:
> Hi,
>
> As we know, a user-owned certificate can delegate his proxy to finish
> his grid task. If the applications with the user's proxy running in a node
> need to access a remote data node, they have to create the next-level proxy
> from the current proxy.
>
> How to create the next proxy? If you implement the code only with OpenSSL,
> what should be paid attention to? I just know that the next proxy should
> have a new DN attached with a serial number and a new time stamp limited
> by the original proxy.
>
> Could anybody give me some advice, or example code?
>
There are only a couple of things you need to watch:
1. Copy the CN from the old proxy and, as you said, add another DN=proxy. Some Grid components even add DN=limited proxy to denote that the proxy is supposed to be the last derivation.
2. Depending on the implementation, the serial is not important; proxies aren't revokable anyway. In Globus/gLite's GSI implementation, the serial is not checked.
3. The new proxy must not have a smaller notBefore or a larger notAfter.
4. From what I observed, key length is not important either - the new proxy can even have a bigger key length than the old one.
5. Sign the new proxy with the old one.
I used the example code from "Network Security with OpenSSL": http://www.oreilly.com/catalog/openssl/index.html
Check out the EX10-6 file from the example code tarball at http://www.opensslbook.com/NSwO-1.3.tar.gz and you're all set (with some minor modifications).
HTH,
--ck
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
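The delegation steps discussed in this thread, as an added example that is not code from either post and not Globus's own tooling: it builds a throwaway CA, a user certificate, a first-level proxy (standing in for grid-proxy-init's output) and then two second-level proxies from that proxy, one with the RFC 3820 proxyCertInfo extension and one without any extensions, as Ian's script makes it. Verifying both with openssl(1) shows why the extension matters: the extension-less one fails with exactly the "invalid CA certificate" error reported above, because the verifier sees an ordinary non-CA certificate that signed another certificate; the one carrying proxyCertInfo verifies once `-allow_proxy_certs` is passed. The subject "/O=Example/CN=Alice", the CA, the file names and the config sections are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the original posts or from Globus: build a
# CA -> user cert -> proxy -> delegated proxy chain with plain openssl(1) and
# verify it.  The CA, the user subject "/O=Example/CN=Alice", the file names
# and the config sections below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config for every step.  [dn] is empty on purpose: every subject comes
# from -subj.  [v3_proxy] carries the RFC 3820 proxyCertInfo extension; without
# it the verifier sees an ordinary non-CA certificate that signed another one
# and reports "invalid CA certificate" for the proxy that did the signing.
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_proxy]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
proxyCertInfo = critical, language:id-ppl-inheritAll
EOF

# subject_of FILE: the subject in /type=value form on any OpenSSL version.
subject_of() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# issue_proxy ISSUER NEW EXT: fresh key pair, subject "<issuer subject>/CN=proxy",
# signed with the issuer's own key.  EXT is a config section, or "none" for the
# extension-less certificate the original script produced.
issue_proxy() {
    openssl req -new -nodes -newkey rsa:2048 -config "$WORK/cfg" \
        -subj "$(subject_of "$WORK/$1.crt")/CN=proxy" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.req" 2>/dev/null
    if [ "$3" = none ]; then
        openssl x509 -req -in "$WORK/$2.req" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
            -set_serial "0x$(openssl rand -hex 8)" -days 1 -sha256 \
            -out "$WORK/$2.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$2.req" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
            -set_serial "0x$(openssl rand -hex 8)" -days 1 -sha256 \
            -extfile "$WORK/cfg" -extensions "$3" -out "$WORK/$2.crt" 2>/dev/null
    fi
}

# Throwaway CA and the user's own certificate (stand-ins for the Grid CA and
# for the certificate grid-proxy-init starts from).
openssl req -x509 -new -nodes -newkey rsa:2048 -config "$WORK/cfg" \
    -extensions v3_ca -subj "/O=Example/CN=Example CA" -days 1 -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -nodes -newkey rsa:2048 -config "$WORK/cfg" \
    -subj "/O=Example/CN=Alice" -keyout "$WORK/user.key" -out "$WORK/user.req" 2>/dev/null
openssl x509 -req -in "$WORK/user.req" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 1 -sha256 -extfile "$WORK/cfg" -extensions v3_user \
    -out "$WORK/user.crt" 2>/dev/null

issue_proxy user  proxy     v3_proxy   # first-level proxy, RFC 3820 style
issue_proxy proxy delegated v3_proxy   # second-level proxy with proxyCertInfo
issue_proxy proxy legacy    none       # second-level proxy as in the original script

# Intermediates for the verifier: the first proxy and the user certificate.
cat "$WORK/proxy.crt" "$WORK/user.crt" > "$WORK/chain.pem"

# verify_status NAME: "OK", or the verifier's error text for $WORK/NAME.crt.
# -allow_proxy_certs is what lets a non-CA certificate act as an issuer, and it
# only does so for certificates that carry proxyCertInfo.
verify_status() {
    if out=$(openssl verify -allow_proxy_certs -CAfile "$WORK/ca.crt" \
                 -untrusted "$WORK/chain.pem" "$WORK/$1.crt" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

echo "delegated: $(verify_status delegated)"   # prints OK
echo "legacy:    $(verify_status legacy)"      # prints invalid CA certificate
```

Besides requiring proxyCertInfo, openssl's verifier enforces the naming rule from point 1 (a proxy's subject must be its issuer's subject plus exactly one trailing CN) and rejects a proxy that claims CA:TRUE, but it checks each certificate's validity period only against the current time: it will not refuse a delegated proxy whose notAfter outlives its issuer's, so point 3 is something the delegating code has to keep on its own, as is the choice of key size and digest (the demo uses rsa:2048 and -sha256 rather than the original rsa:1024 and -sha1).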