Thank you very much for your replies. There is indeed a discrepancy between the public keys produced from the hostcert and hostkey, I'll take it with the CA directly offlist and see if we can sort it.

cheers,
Matt

Jensen, J (Jens) wrote:
> Here's how I test for it. Works in bash and zsh. From memory.
>
> cd /etc/grid-security
> diff -q <(openssl x509 -pubkey -noout -in hostcert.pem) \
>         <(openssl rsa -pubout -in hostkey.pem)
>
> Note that you may have a certificate which has been re-keyed (normal
> renewal) and re-signed, extended under the new hierarchy. We tried
> to guard against that, but there was a window where it could have
> happened - no way of avoiding this except by taking the CA down for
> days.
>
> So either of those certificates will work. But of course the one
> you should use is the one that matches your private key.
>
> If you get stuck, you can extract the public key from your private key
> and we can look it up in the CA's database to extract the certificates
> themselves. But it's (much) easier to look up by DN.
>
> Cheers
> --jens
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes on behalf of Burke, S (Stephen)
> Sent: Thu 31/07/2008 12:50
> To: [log in to unmask]
> Subject: Re: Certificate/Key mismatch on rgma/bdii box
>
>> You could try voms-proxy-init -verify, I'm not sure exactly what it
>> checks but it spots my non-upgraded cert:
>
> And indeed with a mismatching cert and key:
>
> voms-proxy-init -verify -cert .globus/usercert-steve.pem -key .globus/userkey.pem
> Enter GRID pass phrase:
> user key and certificate don't match
> Function: proxy_init_cred
>
> Stephen
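
The certificate/key comparison described in the quoted reply above, as an added example that is not part of the original thread: it goes slightly beyond the RSA-only command by using `openssl pkey`, which also reads EC keys, and prints a SHA-256 digest of each public key so the two can be compared by eye. The function names and the throwaway key and certificate files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and demo files are constructed.

# spki_fp: read a PEM public key on stdin, print the SHA-256 of its DER encoding.
spki_fp() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_key_match CERT KEY
# Returns 0 if the certificate and private key share a public key, 1 if they
# differ, 2 if either file cannot be read or parsed.
cert_key_match() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    # "pkey" accepts RSA and EC keys. The empty -passin means an encrypted key
    # is reported as unreadable (status 2) rather than prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || exit 2
    cert_fp=$(printf '%s\n' "$cert_pub" | spki_fp)
    key_fp=$(printf '%s\n' "$key_pub" | spki_fp)
    echo "certificate public key sha256: $cert_fp"
    echo "private key public key sha256: $key_fp"
    [ "$cert_fp" = "$key_fp" ]
)

# make_demo_files DIR: constructed sample data. Creates an RSA host key with a
# self-signed certificate, plus an unrelated EC key that must not match it.
make_demo_files() (
    cd "$1" || exit 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out hostkey.pem 2>/dev/null &&
    openssl req -new -x509 -key hostkey.pem -subj "/CN=host.example.org" \
        -days 1 -out hostcert.pem 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out otherkey.pem 2>/dev/null
)

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
cert_key_match "$demo_dir/hostcert.pem" "$demo_dir/hostkey.pem" && echo "match"
cert_key_match "$demo_dir/hostcert.pem" "$demo_dir/otherkey.pem" || echo "no match (status $?)"
rm -rf "$demo_dir"
```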