NAME
grid-cert-diagnostics - Print diagnostic information about certificates
and keys
SYNOPSIS
grid-cert-diagnostics [-h] | [-help] [-p]
DESCRIPTION
The grid-cert-diagnostics program displays information about the
current user´s security environment, including information about
security-related environment variables, security directory search path,
personal key and certificates, and trusted certificates. It is intended
to provide information to help diagnose problems using GSIC.
By default, grid-cert-diagnostics prints out information regarding the
environment and trusted certificate directory. If the -p command-line
option is used, then additional information about the current user´s
default certificate and key will be printed.
The full set of command-line options to grid-cert-diagnostics consists
of:
-h, -help
Display a help message and exit.
-p
Display information about the personal certificate and key that is
the current user´s default credential.
EXAMPLES
In this example, we see the default mode of checking the default
security environment for the system, without processing the user´s key
and certificate. Note the user receives a warning about a
cog.properties and about an expired CA certificate.
% grid-cert-diagnostics
Checking Environment Variables
==============================
Checking if X509_CERT_DIR is set... no
Checking if X509_USER_CERT is set... no
Checking if X509_USER_KEY is set... no
Checking if X509_USER_PROXY is set... no
Checking Security Directories
=======================
Determining trusted cert path... /etc/grid-security/certificates
Checking for cog.properties... found
WARNING: If the cog.properties file contains security properties,
Java apps will ignore the security paths described in the GSI
documentation
Checking trusted certificates...
================================
Getting trusted certificate list...
Checking CA file /etc/grid-security/certificates/1c4f4c48.0... ok
Verifying certificate chain for "/etc/grid-security/certificates/1c3f2ca8.0"... ok
Checking CA file /etc/grid-security/certificates/9d8788eb.0... ok
Verifying certificate chain for "/etc/grid-security/certificates/9d8753eb.0"... failed
globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has expired:
Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired.
In this example, we show a user with a mismatched private key and
certificate:
% grid-cert-diagnostics -p
Checking Environment Variables
==============================
Checking if X509_CERT_DIR is set... no
Checking if X509_USER_CERT is set... no
Checking if X509_USER_KEY is set... no
Checking if X509_USER_PROXY is set... no
Checking Security Directories
=======================
Determining trusted cert path... /etc/grid-security/certificates
Checking for cog.properties... not found
Checking Default Credentials
==============================
Determining certificate and key file names... ok
Certificate Path: "/home/juser/.globus/usercert.pem"
Key Path: "/home/juser/.globus/userkey.pem"
Reading certificate... ok
Reading private key...
ok
Checking Certificate Subject...
"/O=Grid/OU=Example/OU=User/CN=Joe User"
Checking cert... ok
Checking key... ok
Checking that certificate contains an RSA key... ok
Checking that private key is an RSA key... ok
Checking that public and private keys have the same modulus... failed
Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5
219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8
FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403
CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2
Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790
600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022
6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF
7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5
Certificate and and private key don´t match
AUTHOR
University of Chicago