How to renew host certificates

It should be described at https://twiki.cern.ch/twiki/bin/view/FIOgroup/Certproc

But as a summary, what has to be done is:

1. Request a new certificate for each machine (it's suppossed that you have a user certificate).

Connect to your AFS account in lxadm cluster and type:

host-certificate-manager --from hep-service-lfc@cernNOSPAMPLEASE.ch hostname_of_the_machine (if this is for several host, we put all of them at the end separated by a space)

When returned from the CA, move the hostcert.pem file to the appropriate subdirectory in your ~/certificates dir, overwritting the existing dummy file.

2. Update CDB to enable SINDES:

In lxadm, type:

cdbop (this will ask for your NICE login/pwd)

get profile_yourHostName

!vi profile_yourHostName.tpl

and add the following lines to enable SINDES in the machine:

# yourLogin - date - Enable SINDES:
"/software/components/sindes/items/grid-host-certificates" =
        nlist("method","file","scope","node","path","/etc/grid-security");
"/software/components/sindes/all" =
        if (is_defined(self)) self + ",grid-host-certificates"
        else "grid-host-certificates";

update profile_yourHostName.tpl

commit

That will update and commit those changes to CDB.

3. Deploy the signed certificates using Sindes typing:

host-certificate-manager --sindes yourHostNamesSeparatedBySpaces

Then go to your node/s and type:

ccm-fetch

ncm-ncd --co sindes

Now your grid certificate should be sucessfully deployed in /etc/grid-security.

-- Main.dcollado - 25 Aug 2006