Version 1 (modified by piontek, 12 years ago)
Certificate authorities
To enable mutual authentication and secure communication between the client and the QCG-Broker service, a set of trusted CA certificates must be copied either into the /etc/grid-security/certificates directory or configured individually for every user.
EGI IGTF CAs
Install EGI Accepted CA certificates (this also installs the Polish Grid CA)
- Add appropriate YUM repository
cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
EOF
- Install certificates
yum install ca-policy-egi-core
The above instruction is based on this manual
PL-Grid SimpleCA certificate (PL-Grid only)
- Add appropriate YUM repository
cat > /etc/yum.repos.d/plgrid.repo << EOF
[PLGRID-general]
name=PLGRID general packages repository
baseurl=http://software.plgrid.pl/packages/general/
enabled=1
metadata_expire=300
gpgcheck=0
EOF
- Install certificates
yum install ca_PLGRID-SimpleCA
Certificate Revocation List - CRL
Configure the system to periodically update the information about revoked certificates.
- Add appropriate YUM repository
cat > /etc/yum.repos.d/fetch-crl.repo << EOF
[EUGRIDPMA-fetch-crl]
name=EUGRIDPMA fetch-crl repository
baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/
enabled=1
metadata_expire=300
gpgcheck=0
EOF
- Install certificate revocation list fetching utility
yum install fetch-crl
- Get fresh CRLs now
/usr/sbin/fetch-crl
- Install cron job for fetching CRLs
cat > /etc/cron.daily/fetch-crl.cron << EOF
#!/bin/sh
/usr/sbin/fetch-crl
EOF
chmod a+x /etc/cron.daily/fetch-crl.cron
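
The repositories defined above deliver trust anchors and the CRL fetching utility, and two of them set gpgcheck=0. The following check is an added example, not part of the original instructions or of QCG: it reports repository sections that skip package signature verification or use a plain-HTTP baseurl. The function names audit_repos and demo_audit are hypothetical, and the sample files are constructed from the definitions on this page.

```shell
#!/bin/sh
# Added example (not from the original page): flag yum repository sections
# that skip package signature checks or fetch over plain HTTP.

# audit_repos FILE...  -> one finding per line: "<file> [<section>] <issue>"
audit_repos() {
    awk '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        function report() {
            if (section == "") return
            if (gpgcheck == "0")
                printf "%s [%s] gpgcheck=0: package signatures are not verified\n", file, section
            if (baseurl ~ /^http:\/\//)
                printf "%s [%s] plain-HTTP baseurl: %s\n", file, section, baseurl
        }
        FNR == 1 { report(); section = ""; file = FILENAME }  # new file: emit previous section
        /^[ \t]*\[.*\][ \t]*$/ {                              # [section] header
            report()
            section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            gpgcheck = ""; baseurl = ""
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ { gpgcheck = val($0) }
        /^[ \t]*baseurl[ \t]*=/  { baseurl = val($0) }
        END { report() }
    ' "$@"
}

# Constructed sample input: the three repository definitions from this page,
# written to a temporary directory so the audit runs offline.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[EGI-trustanchors]' \
        'baseurl=http://repository.egi.eu/sw/production/cas/1/current/' \
        'gpgcheck=1' > "$d/egi-trustanchors.repo"
    printf '%s\n' '[PLGRID-general]' \
        'baseurl=http://software.plgrid.pl/packages/general/' \
        'gpgcheck=0' > "$d/plgrid.repo"
    printf '%s\n' '[EUGRIDPMA-fetch-crl]' \
        'baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/' \
        'gpgcheck=0' > "$d/fetch-crl.repo"
    (cd "$d" && audit_repos *.repo)
    rm -rf "$d"
}

demo_audit
```

On a configured host, run it as audit_repos /etc/yum.repos.d/*.repo. A section with no gpgcheck line is not reported, since it inherits the setting from [main] in /etc/yum.conf.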