We've just been through an exercise of renewing our grid certs -- which amounted to 50-odd certificates, so not really practical to do individually. The pecr/bulk tools work well enough, but we did have some hitches in getting a bulk ID set up (you need to contact the CA to set up the process and get a bulk ID before proceeding). Apparently though they are overhauling the system and it will soon be possible to apply for or renew certificates without first arranging for a bulk ID, which should make the whole process much easier. I guess we'll find out this time next year...
Rob
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Alessandra Forti
> Sent: 02 August 2011 23:18
> To: [log in to unmask]
> Subject: Re: Renewing grid certificates for servers
>
> When Manchester had dcache on the WNs we had 1000 to request and we
> used
> the PeCR tools. We used the bulk.pl tool with a null passphrase. When
> we
> eliminated dcache I passed the bucket and I know that the old sys admin
> had resorted to requesting the certs one at the time. It was clearly
> considered easier by them. I preferred going through the pain for all
> the certificates once a year instead even if the procedure is more
> complicated and requires interacting with the CA they never made it
> easier.
>
> cheers
> alessandra
>
>
> On 02/08/2011 21:43, Christopher J. Walker wrote:
> > How do other people renew host certificates?
> >
> > Currently to renew a certificate on one of our CEs/SEs/APEL etc
> > machines, I combine the private key and certificate into .p12 format,
> > load it into my browser and renew it over the web.
> >
> > This is all a bit of a pain - there's got to be a better way. I've
> > previously been pointed at
> http://wiki.ngs.ac.uk/index.php?title=PeCR
> >
> > AFAICT, with this tool it is possible (or at least documented) to use
> > the --server option to request a certificate without a passphrase,
> but
> > this doesn't work for a renewal.
> >
> > Chris
|