On Mon, Aug 11, 2008 at 12:37 PM, Charles Bacon <[EMAIL PROTECTED]> wrote:
> It's hard to debug without seeing the actual commands and output.
>
> 0) Where do you keep your certificate?
My real one is currently in the default location
~/.globus/usercred.p12. I've variously changed the proxy cred
location to ~/.globus/${USER}.pem via $X509_USER_CERT.
> 1) Show us the command (and output) you're using to get the proxy
grid-proxy-init:
Enter GRID pass phrase for this identity:
Your identity: /C=US/O=Maryland/OU=MPO/CN=xxxxxxxxx
Creating proxy .................................. Done
Your proxy is valid until: Tue Aug 12 05:17:57 2008
> 2) Show us the command (and output) you're using to check the extensions
grid-cert-info:
<snip>
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Subject Key Identifier:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    X509v3 Certificate Policies:
        Policy: 2.16.840.1.101.2.1.11.7
</snip>
> 3) Show us the output of `which grid-proxy-init` and `which openssl`
/opt/globus/4.2.0/bin/grid-proxy-init
and
/opt/globus/4.2.0/bin/openssl
> 4) Send the output of grid-cert-diagnostics
Checking Environment Variables
==============================
Checking if X509_CERT_DIR is set... /etc/grid-security/certificates/
Checking if X509_USER_CERT is set... no
Checking if X509_USER_KEY is set... no
Checking if X509_USER_PROXY is set... no
Checking Security Directories
==============================
Determining trusted cert path... /etc/grid-security/certificates/
Checking for cog.properties... not found
Checking Default Credentials
==============================
Determining certificate and key file names... ok
Certificate Path: "/home/xxxx/.globus/usercred.p12"
Key Path: "/home/xxxx/.globus/usercred.p12"
Reading pkcs12 credentials
Enter GRID pass phrase for this identity:
ok
Checking Certificate Subject... "/C=US/O=Maryland/OU=MPO/CN=xxxxxxxxx"
Checking cert... ok
Checking key... ok
Checking that certificate contains an RSA key... ok
Checking that private key is an RSA key... ok
Checking that public and private keys have the same modulus... ok
Checking certificate trust chain... ok
Checking trusted certificates...
==============================
Getting trusted certificate list...
Checking CA file /etc/grid-security/certificates/xxxxxxxx.0... ok
Verifying certificate chain for "/etc/grid-security/certificates/xxxxxxxx.0"... ok
Checking CA file /etc/grid-security/certificates/yyyyyyyy.0... ok
Verifying certificate chain for "/etc/grid-security/certificates/yyyyyyyy.0"... ok
>
> Thanks,
>
> Charles
>
> On Aug 11, 2008, at 11:29 AM, I8abyte wrote:
>
>> BTW, I don't see any of those extensions on the proxy certs that I
>> generate (when I run grid-cert-info, "openssl x509" queries, etc.)
>>
>>
>> On Mon, Aug 11, 2008 at 12:19 PM, I8abyte <[EMAIL PROTECTED]> wrote:
>>>
>>> Thanks, I had to rephrase the question: as Charles alluded, how does
>>> one set the path length in the proxy cert? I tried the
>>> grid-proxy-init "-path-length" option but that doesn't help and I
>>> can't see how else to set it.
>>>
>>>
>>>
>>> On Mon, Aug 11, 2008 at 10:57 AM, Joseph Bester <[EMAIL PROTECTED]>
>>> wrote:
>>>>
>>>> On Aug 11, 2008, at 9:08 AM, I8abyte wrote:
>>>>
>>>>> Charles--
>>>>>
>>>>> What options are you using with 'grid-proxy-init' to get the proxy
>>>>> certificate properties below? How did you set the path length
>>>>> constraint below? When I run the x509 query on my proxy cert it
>>>>> doesn't indicate any of the options below ....
>>>>>
>>>>> Ben--
>>>>>
>>>>
>>>> You can use a sequence like this:
>>>> % grid-proxy-init -out /tmp/proxy.pem
>>>> % grid-cert-info -file /tmp/proxy.pem
>>>> to see the X.509 extensions in the proxy certificate.
>>>>
>>>> Joe
>>>>
>>>>
>>>
>
>
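
Added example, not part of the original thread and not Globus code: one way to confirm what a path length constraint looks like when read back from a proxy file, using plain OpenSSL. It assumes an RFC 3820 style proxy (the proxyCertInfo extension OpenSSL recognizes); the subjects, file names and the helper names make_proxy and proxy_pathlen are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build a throwaway RFC 3820 proxy and read back its path length.
# Every subject, serial and file name below is constructed test data.

# make_proxy DIR PATHLEN
# Creates DIR/user.pem (self-signed test identity) and DIR/proxy.pem
# (a proxy certificate signed by that identity, carrying proxyCertInfo).
make_proxy() {
    dir=$1; pathlen=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=test user" \
        -keyout "$dir/user.key" -out "$dir/user.pem" 2>/dev/null
    # RFC 3820: the proxy subject is the issuer subject plus one extra CN.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=test user/CN=12345" \
        -keyout "$dir/proxy.key" -out "$dir/proxy.csr" 2>/dev/null
    # inheritAll carries no policy text, so only language and pathlen are set.
    printf 'proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:%s\n' \
        "$pathlen" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/proxy.csr" \
        -CA "$dir/user.pem" -CAkey "$dir/user.key" -set_serial 1 -days 1 \
        -extfile "$dir/ext.cnf" -out "$dir/proxy.pem" 2>/dev/null
}

# proxy_pathlen FILE
# Prints the proxy path length in decimal, "infinite" when the extension is
# present without a limit, or "no-proxyCertInfo" when FILE is not such a proxy
# (for example when it is the user certificate itself).
proxy_pathlen() {
    v=$(openssl x509 -in "$1" -noout -text | awk '
        /Proxy Certificate Information/ { seen = 1 }
        seen && /Path Length Constraint:/ { print $NF; exit }')
    case $v in
        "")       echo "no-proxyCertInfo" ;;
        infinite) echo "infinite" ;;
        *)        printf '%d\n' "0x$v" ;;   # OpenSSL prints the integer in hex
    esac
}
```

Usage: `d=$(mktemp -d); make_proxy "$d" 3; proxy_pathlen "$d/proxy.pem"`. Pointing proxy_pathlen at "$d/user.pem" shows the result for a certificate with no proxy extension.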