Story #2468

Change how we use certificates in the CN

Added by Robert Waltz about 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
High
Assignee:
Ben Leinfelder
Category:
d1_cn_buildout
Start date:
2012-03-10
Due date:
% Done:
100%

Story Points:
Sprint:

Description

We will have two certificate files. One for use with D1Client, the other for use with Metacat replication.

The one for use with D1Client will become the subject of the CN in the nodelist.

They will both be stored in /etc/dataone/client/certs

During postinst of dataone-cn-os-core, they should both be shown during certificate selection time. But the correct one should be selected (wonder if we can make it a real selection instead of a text box).

The cert selected in dataone-cn-os-core postinst will become named in node.properties.

A similar process should be used for metacat...

Maybe we should just create a /etc/dataone/metacat directory and place the cert in there. Make it a lot easier for automated installs.

We have public keys published, and private keys elsewhere. We need them combined into the same pem for d1Client to interact.

Combining them is not so important for metacat.

History

#1 Updated by Dave Vieglais about 12 years ago

  • Target version changed from Sprint-2012.09-Block.2.1 to Sprint-2012.11-Block.2.2
  • Position set to 13

#2 Updated by Dave Vieglais almost 12 years ago

  • Assignee changed from Robert Waltz to Chris Jones
  • Target version changed from Sprint-2012.11-Block.2.2 to Sprint-2012.17-Block.3.1

#3 Updated by Ben Leinfelder almost 12 years ago

  • Assignee changed from Chris Jones to Ben Leinfelder

#4 Updated by Ben Leinfelder almost 12 years ago

  • Status changed from New to Closed

There are now prompts for the Metacat certificate, private key, and optional key password during dataone-cn-metacat configuration. This is independent from the dataone-cn-os-core configuration that prompts for a single .pem that includes the dataone client certificate and private key in the single file.
For cn-dev* I've opted for these locations:

/etc/dataone/client/private/ -- contains the private key used by Metacat replication
/etc/dataone/client/certs/ -- contains both the Metacat replication certificate and also the combined DataONE-issued certificate/private key pem file

Also, cn-buildout is now using the new DataONETestCA so all future deployments should use this CA or the final production CA when we get around to that.
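The description asks for the published certificate and the separately held private key to be combined into one pem for D1Client, and note #4 records where the resulting files end up. The following is an added example, not code from this ticket, from dataone-cn-os-core or from dataone-cn-metacat, of the checks a deployment script would make before writing that combined file: each input really is PEM, exactly one private key is present, the key is not encrypted (an assumption of the example: the combined file is read without a passphrase), the certificate is written first and the key last, and the result is created with owner-only permissions from the start. The sample PEM blocks are constructed placeholders, not real key material, and the function names and the `client.pem` file name are the example's own.

```python
"""Combine a DataONE client certificate and its private key into one PEM file.

Added example, not code from the ticket or from the dataone-cn-os-core /
dataone-cn-metacat packages. It assumes PEM-encoded inputs; the block order
(certificate first, key last) and the 0600 file mode are this example's own
choices, not something the ticket specifies.
"""
import os
import re
import sys
import tempfile

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" with matching labels.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, body, full_block) for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def validate(cert_text, key_text):
    """Return a list of problems; an empty list means the pair can be combined."""
    problems = []
    if not [b for b in pem_blocks(cert_text) if b[0] in CERT_LABELS]:
        problems.append("certificate file has no CERTIFICATE block")
    keys = pem_blocks(key_text)
    for label, body, _ in keys:
        # Assumption of this example: the combined file is read without a
        # passphrase, so PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and legacy
        # "Proc-Type: 4,ENCRYPTED" keys are rejected rather than copied through.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted; decrypt it before combining")
    plain = [b for b in keys if b[0] in KEY_LABELS]
    if len(plain) != 1:
        problems.append(f"expected exactly one private key block, found {len(plain)}")
    return problems


def combine_pem(cert_text, key_text):
    """Return the combined PEM text: certificate (and any chain) first, key last."""
    problems = validate(cert_text, key_text)
    if problems:
        raise ValueError("; ".join(problems))
    certs = [full for label, _, full in pem_blocks(cert_text) if label in CERT_LABELS]
    key = [full for label, _, full in pem_blocks(key_text) if label in KEY_LABELS]
    return "\n".join(certs + key) + "\n"


def write_private_pem(content, path=None):
    """Write content readable by the owner only; return (path, permission bits).

    With path=None a fresh temporary directory is used (handy for a dry run);
    a real deployment would pass something like /etc/dataone/client/certs/client.pem.
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "client.pem")
    # Creating the file with mode 0600 avoids a window in which the private
    # key is world-readable; the chmod covers a pre-existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)
    return path, os.stat(path).st_mode & 0o777


# Constructed placeholder PEM text (not real key material) for a stand-alone run.
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURURfUExBQ0VIT0xERVJfQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURURfUExBQ0VIT0xERVJfS0VZ\n"
    "-----END PRIVATE KEY-----\n"
)
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "Q09OU1RSVUNURURfUExBQ0VIT0xERVJfRU5DUllQVEVE\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: combine_pem.py CERT.pem KEY.pem OUT.pem   (or no arguments for a dry run)
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as c, open(sys.argv[2]) as k:
            cert_text, key_text = c.read(), k.read()
        out = sys.argv[3]
    else:
        cert_text, key_text, out = SAMPLE_CERT, SAMPLE_KEY, None
    path, mode = write_private_pem(combine_pem(cert_text, key_text), out)
    print(f"wrote {path} with mode {mode:o}")
    print("encrypted key rejected:", validate(SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY))
```

Run with no arguments for a dry run into a temporary directory, or with the certificate, key and output paths to produce the combined file; `validate` returns every problem it finds rather than stopping at the first, so a failed run reports both a missing certificate and an encrypted key in one pass.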
