Command Line Tool for Certificate Management Anand Padmanabhan - - PowerPoint PPT Presentation



SLIDE 1

Outline: Purpose, vdt-ca-manage Tool, Demo, Conclusion

Command Line Tool for Certificate Management

Anand Padmanabhan

CyberInfrastructure and Geospatial Information Laboratory (CIGI), National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign

OSG Site Administrators Meeting Nov 13, 2008

Anand Padmanabhan vdt-ca-manage

SLIDE 2


Purpose of developing CA Manage tool

- You need the CA certificates installed for users to be able to run jobs.
- Facilitate management of CAs and CRLs.
- Provide functionality to inspect, verify, and manage the CAs and CRLs installed at your site.
- Provide a single interface to manage certificates.
- Work with CE or worker node installations.


SLIDE 3


Command Syntax

vdt-ca-manage [global_options] command

global_options = [--vdt-location <location>] [--verbose] [--force] [--certDir <location>] [--help] [--version] [--autoRefresh]

command = [status_command | manage_command] [<command_options>]


SLIDES 4-9

Status Commands

- showCAURL: Outputs the current CA distribution location.
- listCA [--pattern <pattern>]: Lists all the CAs (in the cert dir) that match the provided pattern.
- verify [--hash <hash> | --pattern <pattern>]: Checks the CA and CRL files of the specified CAs (or of all CAs) to verify that they are valid (using the openssl command). It also warns if any CA or CRL is close to expiration.
- diffCAPackage: Prints the difference between the CAs present in the certificate directory and the latest distribution from VDT/OSG.
- show [--certfile <cert> | --hash <hash>]: Prints the details of a certificate using the openssl x509 command.
- showChain [--certfile <cert> | --hash <hash>]: Outputs the trust chain of the certificate.
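What the verify and showChain status commands check, as an added worked example in shell. This is written for this page and is not vdt-ca-manage's own code, which the slides do not reproduce. It assumes the usual grid layout in which the certificates directory holds each CA as <hash>.0 and its CRL as <hash>.r0, with the hash taken from `openssl x509 -hash` (the subject hash of OpenSSL 1.0 and later; directories built for 0.9.8-era tools are named by the old hash, `-subject_hash_old`, which a newer openssl will not find through -CApath). The function names (verify_dir, ca_valid, crl_valid, ca_expiring, crl_expiring, show_chain, make_test_ca), the 7-day warning window and the throwaway CA that make_test_ca generates as sample input are all constructed for the example; openssl 1.1+ or 3.x and GNU date are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not vdt-ca-manage code): the openssl checks behind a
# verify-style pass over a certificates directory, plus a showChain-style
# lookup. Assumed layout: <hash>.0 holds a CA certificate and <hash>.r0 its
# CRL, hash = `openssl x509 -hash` (0.9.8-era directories use -subject_hash_old).
# Assumes openssl 1.1+/3.x and GNU date.

WARN_DAYS=${WARN_DAYS:-7}    # warn when a CA or CRL expires within this window

# ca_valid DIR HASH -> 0 if DIR/<hash>.0 verifies against the trust store in DIR
ca_valid() {
    openssl verify -CApath "$1" "$1/$2.0" >/dev/null 2>&1
}

# crl_valid DIR HASH -> 0 if DIR/<hash>.r0 carries a good signature from <hash>.0
# (greps for "verify OK" because some openssl releases exit 0 on "verify failure")
crl_valid() {
    openssl crl -in "$1/$2.r0" -CAfile "$1/$2.0" -noout 2>&1 | grep -q '^verify OK'
}

# ca_expiring DIR HASH DAYS -> 0 if the CA certificate expires within DAYS days
ca_expiring() {
    ! openssl x509 -in "$1/$2.0" -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1
}

# crl_expiring DIR HASH DAYS -> 0 if the CRL's nextUpdate falls within DAYS days
crl_expiring() {
    next=$(openssl crl -in "$1/$2.r0" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -u -d "$next" +%s)" -lt $(( $(date -u +%s) + $3 * 86400 )) ]
}

# show_chain DIR CERTFILE: the trust chain openssl builds for CERTFILE from the
# CAs in DIR, one "depth subject" line per certificate (openssl 1.1.0+)
show_chain() {
    openssl verify -show_chain -CApath "$1" "$2" 2>&1 \
        | sed -n 's/^depth=\([0-9]*\): *\(.*\)$/\1 \2/p'
}

# verify_dir DIR [DAYS]: one status line per CA in DIR; returns 0 only if every
# CA and CRL verified (an approaching expiry is reported but does not fail the run)
verify_dir() {
    dir=$1; days=${2:-$WARN_DAYS}; rc=0
    for f in "$dir"/*.0; do
        [ -e "$f" ] || continue
        h=$(basename "$f" .0)
        status="OK"
        if ! ca_valid "$dir" "$h"; then status="CA INVALID"; rc=1; fi
        if [ -e "$dir/$h.r0" ]; then
            if ! crl_valid "$dir" "$h"; then status="$status, CRL INVALID"; rc=1; fi
            crl_expiring "$dir" "$h" "$days" && status="$status, CRL expires within $days days"
        else
            status="$status, no CRL"
        fi
        ca_expiring "$dir" "$h" "$days" && status="$status, CA expires within $days days"
        echo "$h $status"
    done
    return $rc
}

# make_test_ca DIR CERT_DAYS CRL_DAYS [CN]: constructed sample input, a throwaway
# self-signed CA plus a CRL it signs, written to DIR as <hash>.0 / <hash>.r0.
# Prints the hash. Key material goes under DIR/work and is for this demo only.
make_test_ca() {
    dir=$1; cn=${4:-Example Test CA}
    mkdir -p "$dir/work"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/O=Example Grid/CN=$cn" \
        -keyout "$dir/work/ca.key" -out "$dir/work/ca.pem" >/dev/null 2>&1
    h=$(openssl x509 -in "$dir/work/ca.pem" -noout -hash)
    cp "$dir/work/ca.pem" "$dir/$h.0"
    : > "$dir/work/index.txt"
    echo 01 > "$dir/work/crlnumber"
    cat > "$dir/work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/work/index.txt
crlnumber = $dir/work/crlnumber
certificate = $dir/work/ca.pem
private_key = $dir/work/ca.key
default_md = sha256
default_crl_days = $3
EOF
    openssl ca -config "$dir/work/ca.cnf" -gencrl -out "$dir/$h.r0" >/dev/null 2>&1
    echo "$h"
}

# Stand-alone run: build a demo directory (30-day CA, 14-day CRL) and report on it.
demo=$(mktemp -d)
make_test_ca "$demo" 30 14 >/dev/null
verify_dir "$demo" 7
```

verify_dir prints one line per CA and exits non-zero only when a CA or CRL fails signature verification, so it can drive a cron job the way the slide's verify command would; an approaching expiry is only reported, matching the warning the slide describes. The same hash-named files are what the add and remove commands on the later slides operate on, so make_test_ca also shows how a local CA would be laid out by hand.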

SLIDES 10-14

Manage Commands

- refreshCA: Downloads the CA package from the distribution URL as necessary (uses vdt-update-certs).
- fetchCRL: Downloads the latest CRL packages (uses fetch-crl).
- setCAURL [--url <URLlocation>]: Updates the CA distribution URL.
- add [--dir <localdir>] --hash <hash>: Adds either a new local CA or a previously removed CA.
- remove --hash <hash>: Removes either a CA coming from the distribution or a previously included local CA.

SLIDE 15


Demo

Brief Demo


SLIDE 16


Conclusion

Highlights

- Useful tool to manage your certificate directory.
- A unified interface to:
  - Add, remove, and update CAs
  - Look up CAs based on pattern or hash
  - Look up the trust chain of any certificate

Drawbacks

- Will not work for sites using yum/rpms to manage CAs.
- Dependent on vdt-update-certs and fetch-crl.

Reference

https://twiki.grid.iu.edu/bin/view/Security/CAMgmtCommandLineTool
