Here's how I test for it. Works in bash and zsh. From memory.

    cd /etc/grid-security
    diff -q <(openssl x509 -pubkey -noout -in hostcert.pem) \
            <(openssl rsa -pubout -in hostkey.pem)

Note that you may have a certificate which has been re-keyed (normal
renewal) and re-signed, extended under the new hierarchy. We tried
to guard against that, but there was a window where it could have
happened - no way of avoiding this except by taking the CA down for
days.
So either of those certificates will work. But of course the one
you should use is the one that matches your private key.
If you get stuck, you can extract the public key from your private key
and we can look it up in the CA's database to extract the certificates
themselves. But it's (much) easier to look up by DN.
Cheers
--jens
-----Original Message-----
From: Testbed Support for GridPP member institutes on behalf of Burke, S (Stephen)
Sent: Thu 31/07/2008 12:50
Subject: Re: Certificate/Key mismatch on rgma/bdii box
> You could try voms-proxy-init -verify, I'm not sure exactly what it
> checks but it spots my non-upgraded cert:
And indeed with a mismatching cert and key:
voms-proxy-init -verify -cert .globus/usercert-steve.pem -key .globus/userkey.pem
Enter GRID pass phrase:
user key and certificate don't match
Function: proxy_init_cred
Stephen
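
Added example, not part of the original thread or of any GridPP tooling: a shell function that extends the check above to the re-keyed versus re-signed case, taking one private key and any number of candidate certificates and printing the one whose public key matches. It uses `openssl pkey` rather than `openssl rsa` so non-RSA keys are handled too; the function names and the certificate file names in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
# Usage: ./matching_cert.sh hostkey.pem hostcert.pem hostcert-old.pem
#   (the certificate file names here are assumed, not from the thread)

# PEM SubjectPublicKeyInfo derived from a private key of any type.
# An encrypted key makes openssl prompt for its pass phrase.
pub_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# PEM SubjectPublicKeyInfo embedded in a certificate.
pub_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# matching_cert KEY CERT...
# Prints the first certificate whose public key equals the key's.
# Returns 0 on a match, 1 if no candidate matches, 2 if the key is unreadable.
matching_cert() (
    key=$1
    shift
    keypub=$(pub_from_key "$key") || keypub=
    if [ -z "$keypub" ]; then
        echo "cannot read private key: $key" >&2
        exit 2
    fi
    for cert in "$@"; do
        # Skip files that are not parseable certificates.
        certpub=$(pub_from_cert "$cert") || continue
        if [ "$certpub" = "$keypub" ]; then
            printf '%s\n' "$cert"
            exit 0
        fi
    done
    echo "no candidate certificate matches $key" >&2
    exit 1
)

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    matching_cert "$@"
fi
```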