

Page: Site.Sanctorum - Last Modified : Mon, 03 Dec 18

Sanctorum Howto

See certificate request instructions for new hosts in MwProblem.HostCertReq.

All certificates are stored on the host under the user fido.

If the requested certificates are TERENA ones, use the DB to recover the hostkey.pem matching the public hostcert.pem received in a zipped mail from the DigiCert CA, e.g.:

mysql -h localhost -u root
mysql> use passtore;
mysql> SELECT id_hostpas,host,AES_DECRYPT(hostkey,'1lc@n3') AS crt FROM hostpas WHERE host = 'egi-cloud';

Certificate auto-renewal

IMPORTANT NOTE: When doing a renewal, renew ALL the certificates that are expiring; this avoids losing track of certificates that still have to be renewed.

1. Run script when any certificates are expiring

cd /home/fido/new_sanctorum

This script:

  • checks when certificates are expiring;
  • sends a pre-formatted renewal mail to site admins for each expiring certificate;
  • backs up old certificates in the oldcrt table.

The expiration limit can be set in sanctorum.conf (crt_TTL parameter; default value crt_TTL=21).
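As an added illustration (not the sanctorum script itself), the expiry check behind step 1 in Python: it parses the notAfter line that `openssl x509 -noout -enddate` prints for each hostcert.pem and returns every host within crt_TTL days of expiry, already-expired ones included; the host names and dates are constructed.

```python
"""Expiry check modelling sanctorum's step 1: flag every host certificate
that expires within crt_TTL days (default 21, as in sanctorum.conf).

Each input line is a host name followed by the output of
`openssl x509 -noout -enddate -in hostcert.pem` for that host."""
from datetime import datetime, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # layout printed by openssl -enddate
DEFAULT_CRT_TTL = 21                         # crt_TTL default from sanctorum.conf

def parse_enddate(line):
    """Return (host, notAfter as an aware UTC datetime) for one inventory line."""
    host, _, enddate = line.strip().partition(" ")
    key, sep, value = enddate.partition("=")
    if key != "notAfter" or not sep:
        raise ValueError(f"unexpected enddate line for {host!r}: {enddate!r}")
    # openssl pads single-digit days with a space ("Dec  3"); strptime copes.
    return host, datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)

def days_left(not_after, today):
    """Whole days until expiry; negative once the certificate has already expired."""
    return (not_after - today).days

def expiring_hosts(lines, today, crt_ttl=DEFAULT_CRT_TTL):
    """Every host whose certificate expires within crt_ttl days, or already has.
    All of them are returned at once (the page's rule: renew ALL expiring
    certificates in the same pass), most urgent first."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        host, not_after = parse_enddate(line)
        left = days_left(not_after, today)
        if left <= crt_ttl:
            found.append((host, left))
    return sorted(found, key=lambda item: item[1])

# Constructed sample inventory: hypothetical hosts and dates, not real certificates.
SAMPLE_TODAY = datetime(2024, 3, 2, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "prod-ce-03 notAfter=Mar 15 12:00:00 2024 GMT",  # 13 days left -> renew
    "egi-cloud notAfter=Feb 28 09:30:00 2024 GMT",   # already expired -> renew
    "voms-01 notAfter=Dec  3 00:00:00 2024 GMT",     # 276 days left -> keep
    "prod-ce-04 notAfter=Mar 23 00:00:00 2024 GMT",  # exactly crt_TTL -> renew
]

if __name__ == "__main__":
    for host, left in expiring_hosts(SAMPLE_LINES, SAMPLE_TODAY):
        print(f"{host}: {left} days left, renewal mail due")
```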

2. Send mail to local RA

Site admins have to check the mail inbox for the mails just sent by and then:

  • edit the subject;
  • sign the mail;
  • forward it to the local RA (Fulvia Costa and Massimo Gravino, remember to put in CC;
  • reply to the CA's mail address check.

3. Run script when CA notifies the renewal of any certificates


This script:

  • checks which certificates are missing from the hostpas table;
  • downloads the renewed certificates directly from the CA;
  • installs them in /etc/grid-security/ on the corresponding host;
  • notifies by mail.

IMPORTANT: Site admins only have to copy the renewed certificates to any other path where they are needed, besides /etc/grid-security/.

VERY IMPORTANT: The VOMS server host certificate update needs particular care; it has to be updated only when the new ig-vomscerts-all rpm is deployed!!!

TROUBLESHOOTING: In case of failure, e.g. due to ssh issues, fix the ssh problem and then use ./ -putcrt

Add a host certificate (new host)

cd /home/fido/new_sanctorum
./ -a

Insert the username (usually root).
Insert the host name without the domain extension, i.e. (prod-ce-03) and not (
Once inserted, a mail will be sent to the site admins.
Remember to sign the mail and send it to the local RA (Fulvia Costa and Massimo Gravino, remember to put in CC;

Host deletion

cd /home/fido/new_sanctorum
./ -d

This command definitively removes the host from the database (no backup is made).

Copy a certificate to a host (not for a new certificate, where the - step 3 SHOULD be used instead)

./ -putcrt

Insert the host name.
Once inserted, the certificate will be copied to /etc/grid-security/ on the corresponding host.
