h1. CN Client Certificate
The client certificate is used to authenticate the CN when connecting to other nodes and services.
The client certificate must have a subject equal to the NodeID.
For test environments, the certificate must be signed by the DataONETestIntCA.
The client certificate is installed under @/etc/dataone/client@. Files in that folder include:

* @certs/{DNS-NAME}.pem@ : A server certificate signed by the appropriate DataONE intermediate CA.
* @private/{DNS-NAME}.key@ : The key for the @certs/{DNS-NAME}.pem@ server certificate.
* @private/{NODEID}.pem@ : The client certificate and key concatenated.
* @private/{NODE_ID}.pem@ : Copy of @private/{NODEID}.pem@

where:

* @DNS-NAME@ = the node DNS name
* @NODEID@ = the node identifier for the node
* @NODE_ID@ = the node identifier for the node with colons replaced with underscores
h2. Checking the CN Certificates
Use the c4 script, available at:
https://repository.dataone.org/software/tools/trunk/ca/c4
for example (run on cn-stage-unm-1):
vieglais@cn-stage-unm-1:~/bin$ sudo ./c4
Hostname : cn-stage-unm-1.test.dataone.org
cn.nodeId : urn:node:cnStageUNM1
Number of certificates : 2

Filename: /etc/dataone/client/private/urn_node_cnStageUNM1.pem
Serial : DA3263A2A12D00AB
Expires : Apr 30 02:40:28 2018 GMT
Issuer : DataONE Test Intermediate CA
Subject : urn:node:cnStageUNM1

Filename: /etc/dataone/client/private/urn:node:cnStageUNM1.pem
Serial : DA3263A2A12D00AB
Expires : Apr 30 02:40:28 2018 GMT
Issuer : DataONE Test Intermediate CA
Subject : urn:node:cnStageUNM1

Filename: /etc/dataone/client/certs/cn-stage-unm-1.test.dataone.org.pem
Serial : DA3263A2A12D005B
Expires : Jul 30 21:09:44 2015 GMT
Issuer : DataONE Test Intermediate CA
Subject : cn-stage-unm-1.test.dataone.org

Filename: /etc/ssl/certs/_.test.dataone.org.crt
Serial : 0751D5
Expires : Jul 13 20:18:24 2015 GMT
Issuer : RapidSSL CA
Subject : *.test.dataone.org
h2. Creating a New Client Certificate
Use the @ca@ script in @software/tools/trunk/ca@. For example, to create a new client certificate for cn-stage-orc-1::
./ca -c Test "urn:node:cnStageORC1"
The resulting key and certificate can be packaged into a zip and uploaded to project.dataone.org::
./publish_cert {UID} "DataONETestIntCA/certs/urn:node:cnStageORC1"
where UID is the user id of the person that will be retrieving the certificate for installation.
h2. Installing a New Client Certificate
The following example assumes a node id of "urn:node:cnStageORC1". Adjust accordingly for the target.
Download the .zip package to the destination machine and unzip::
scp project.dataone.org:/var/www/users/vieglais/urn_node_cnStageORC1.zip .
unzip urn_node_cnStageORC1.zip
Create a backup of the existing client certificates::
sudo cp -r -p /etc/dataone/client /etc/dataone/client_$(date +%Y%m%d)
Copy the new certificate into place::
sudo cp urn_node_cnStageORC1/private/urn_node_cnStageORC1.pem /etc/dataone/client/private
sudo cp /etc/dataone/client/private/urn_node_cnStageORC1.pem "/etc/dataone/client/private/urn:node:cnStageORC1.pem"
sudo chmod 0640 /etc/dataone/client/private/urn*.pem
Restart any dependent services.
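Before restarting anything, it is worth confirming that the PEM just copied into place satisfies the rules stated at the top of this page: subject equal to the NodeID, and the private key concatenated in the same file actually belonging to that certificate. The following is an added example, not the project's @c4@ or @ca@ script; it assumes only the @openssl@ command-line tool, the function names (@cert_summary@, @cert_cn@, @check_client_pem@, @make_test_pem@) are mine, and the certificate it generates for the demo is a constructed self-signed throwaway so the checks can be exercised offline (real client certificates are signed by the DataONE intermediate CA).

```shell
#!/bin/sh
# Added example (not the DataONE c4/ca scripts): sanity-check a client PEM
# (certificate + private key concatenated) using nothing but the openssl CLI.

# Print the same fields c4 shows, for the first certificate in a PEM file.
cert_summary() {
    echo "Filename: $1"
    openssl x509 -in "$1" -noout -serial -enddate -issuer -subject -nameopt RFC2253 \
        | sed -e 's/^serial=/Serial  : /'  -e 's/^notAfter=/Expires : /' \
              -e 's/^issuer=/Issuer  : /'  -e 's/^subject=/Subject : /'
}

# Subject CN of the first certificate in a PEM file (empty if unreadable).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_client_pem FILE NODEID
# Returns 0 only if the subject CN equals NODEID, the private key in the same
# file belongs to that certificate, and the certificate has not expired.
check_client_pem() {
    f=$1; nodeid=$2; rc=0
    cn=$(cert_cn "$f")
    if [ "$cn" != "$nodeid" ]; then
        echo "FAIL $f: subject CN '$cn' is not the node id '$nodeid'" >&2; rc=1
    fi
    # Compare the public key carried by the certificate with the one derived
    # from the private key; a mismatch means the wrong key was concatenated.
    certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null || true)
    keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null || true)
    if [ -z "$keypub" ] || [ "$certpub" != "$keypub" ]; then
        echo "FAIL $f: private key does not match the certificate" >&2; rc=1
    fi
    # -checkend 0 exits non-zero once notAfter has passed.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL $f: certificate has expired" >&2; rc=1
    fi
    return $rc
}

# Constructed test material: a throwaway self-signed certificate so the checks
# can run offline. Real client certificates come from the DataONE intermediate CA.
# make_test_pem DIR CN -> prints the path of DIR/combined.pem
make_test_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    cat "$1/cert.pem" "$1/key.pem" > "$1/combined.pem"
    echo "$1/combined.pem"
}

demo() {
    tmp=$(mktemp -d)
    good=$(make_test_pem "$tmp" "urn:node:cnStageORC1")
    cert_summary "$good"
    check_client_pem "$good" "urn:node:cnStageORC1" && echo "OK: $good"
    # Failure case: the certificate concatenated with some other node's key,
    # which is what a mis-copied .pem from another CN looks like.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/other.key" >/dev/null 2>&1
    cat "$tmp/cert.pem" "$tmp/other.key" > "$tmp/bad.pem"
    check_client_pem "$tmp/bad.pem" "urn:node:cnStageORC1" || echo "rejected: $tmp/bad.pem"
    rm -rf "$tmp"
}

demo
```

On a real CN the call would be @sudo sh -c '. ./checkpem.sh; check_client_pem /etc/dataone/client/private/urn_node_cnStageORC1.pem urn:node:cnStageORC1'@ (with the @demo@ line removed), run after the @chmod@ step and before restarting services; a non-zero exit means restore the dated backup directory rather than restart.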