make-ca-signing-policy script
make-ca-signing-policy is a very simple script which can be used with Globus to build the ca-signing-policy.conf file, which defines which Certificate Authorities will be trusted. With stock Globus 1.1.3 this file usually needs to be edited manually if multiple CAs are used. make-ca-signing-policy defines a (trivial) standard for making CA modules, either RPMs or tar files, which can be added and removed without interfering with those already installed.
Taking the Globus CA as an example, the CA installation mechanism needs to write two files to the $GLOBUS_INSTALL_PATH/share/certificates directory:
First, the file 42864e48.0, which contains the CA's certificate (since the filename is a hash derived from the certificate, it must not be changed).
Secondly, the file policy.globusca.conf, whose name must match the pattern policy.*.conf so that make-ca-signing-policy's wildcard picks it up. This contains the token lines the Globus CA requires in the final ca-signing-policy.conf file. It is also a good idea to include some comments and a reference to the certificate's filename, for clarity.
With these installed, the make-ca-signing-policy script should be run to rebuild ca-signing-policy.conf from ca-signing-policy.head and all the policy.*.conf files present in $GLOBUS_INSTALL_PATH/share/certificates. Once this is done, it also repeats the Globus deploy stage by copying ca-signing-policy.conf to $GLOBUS_DEPLOY_PATH/share/certificates.
If the CA module is being installed by RPM, the files can be installed directly into $GLOBUS_INSTALL_PATH/share/certificates (i.e. listed in the SPEC file's %files section) and make-ca-signing-policy run from %post and %postun (so that ca-signing-policy.conf is rebuilt without this CA's entries if it is uninstalled). This provides a very clean mechanism for handling multiple CAs.
The ukhepca RPM, distributed by the UK HEP CA, is an example of this approach.
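The rebuild-and-deploy step above, written out as an added example (this is not the make-ca-signing-policy script itself): the head file is copied first, every policy.*.conf in the install directory is appended in sorted order, and the result is copied to the deploy directory, so removing one CA's policy file and rebuilding drops only that CA. The directory names, the sample DNs and the policy file contents are constructed for the demo; the access_id_CA/pos_rights/cond_subjects tokens are the ones a Globus signing policy uses.

```shell
#!/bin/sh
# build_ca_signing_policy INSTALL_CERT_DIR DEPLOY_CERT_DIR
# Rebuild ca-signing-policy.conf from ca-signing-policy.head plus all
# policy.*.conf files in INSTALL_CERT_DIR, then copy it to DEPLOY_CERT_DIR.
build_ca_signing_policy() {
    src="$1"; dst="$2"
    out="$src/ca-signing-policy.conf"
    [ -f "$src/ca-signing-policy.head" ] || { echo "missing $src/ca-signing-policy.head" >&2; return 1; }
    # Assemble in a temporary file so a half-written policy is never left in place.
    tmp="$out.tmp.$$"
    cp "$src/ca-signing-policy.head" "$tmp"
    # Glob expansion is sorted; the -f test skips a literal, unmatched "policy.*.conf".
    for f in "$src"/policy.*.conf; do
        [ -f "$f" ] || continue
        printf '\n# --- from %s ---\n' "$(basename "$f")" >> "$tmp"
        cat "$f" >> "$tmp"
    done
    mv "$tmp" "$out"
    # Repeat the Globus deploy stage.
    mkdir -p "$dst" && cp "$out" "$dst/ca-signing-policy.conf"
}

# count_ca_entries FILE: number of CAs granted signing rights in a built policy
# (one access_id_CA line per CA module). "|| true" keeps grep's exit 1 on zero matches quiet.
count_ca_entries() {
    grep -c '^access_id_CA' "$1" || true
}

# make_sample_tree DIR: constructed sample input laid out as CA modules install it.
make_sample_tree() {
    mkdir -p "$1"
    printf '# Signing policy head (constructed sample)\n' > "$1/ca-signing-policy.head"
    cat > "$1/policy.exampleca.conf" <<'EOF'
# Example CA, certificate file 0123abcd.0 (constructed sample)
access_id_CA  X509  '/C=XX/O=Example/CN=Example CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=XX/O=Example/*"'
EOF
    cat > "$1/policy.otherca.conf" <<'EOF'
# Other CA (constructed sample)
access_id_CA  X509  '/C=YY/O=Other/CN=Other CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=YY/O=Other/*"'
EOF
}

# Demo on a throwaway tree: build, report how many CAs the deployed policy trusts.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/install"
build_ca_signing_policy "$demo_dir/install" "$demo_dir/deploy"
echo "CAs with signing rights: $(count_ca_entries "$demo_dir/deploy/ca-signing-policy.conf")"
rm -rf "$demo_dir"
```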
Last modified Wed 26 November 2003