diff --git a/6.2/admin/install/install_frag.adoc b/6.2/admin/install/install_frag.adoc index f94c26f1..2489edb1 100644 --- a/6.2/admin/install/install_frag.adoc +++ b/6.2/admin/install/install_frag.adoc @@ -137,9 +137,6 @@ build subsets of the Grid Community Toolkit: **gsi**:: Security Libraries and Tools -**gsi**:: - Security Libraries and Tools - **udt**:: Globus XIO UDT Driver diff --git a/6.2/gsic/grid-proxy-init-manual.adoc b/6.2/gsic/grid-proxy-init-manual.adoc index 3125143a..df65fa52 100644 --- a/6.2/gsic/grid-proxy-init-manual.adoc +++ b/6.2/gsic/grid-proxy-init-manual.adoc @@ -16,10 +16,10 @@ grid-proxy-init - Generate a new proxy certificate The **++grid-proxy-init++** program generates X.509 proxy certificates derived from the currently available certificate files. By default, this command generates a http://www.ietf.org/rfc/rfc3820.txt[RFC 3820] Proxy -Certificate with a 512 bit key valid for 12 hours in a file named +Certificate with a 2048 bit key valid for 12 hours in a file named ++/tmp/x509up_uUID++. Command-line options and variables can modify the format, strength, lifetime, and location of the generated proxy -certificate. . Command-line options and variables can modify the format, +certificate. Command-line options and variables can modify the format, strength, lifetime, and location of the generated proxy certificate. X.509 proxy certificates are short-lived certificates, signed usually by @@ -62,8 +62,8 @@ The full set of command-line options to **++grid-proxy-init++** are: **-valid 'HOURS':'MINUTES', -hours 'HOURS'**:: Create a certificate that is valid for 'HOURS' hours and 'MINUTES' minutes. If not specified, the default of twelve hours and no minutes is used. -**-cert 'CERTFILE', -key 'KEYFILE'**:: - Create a proxy certificate signed by the certificate located in ++CERTFILE++ using the key located in using the key located in ++KEYFILE++. If not specified the default certificate and key will be used. This overrides the values of environment variables described below.. If not specified the default certificate and key will be used. This overrides the values of environment variables described below. +**-cert 'CERTFILE' -key 'KEYFILE'**:: + Create a proxy certificate signed by the certificate located in ++CERTFILE++ using the key located in ++KEYFILE++. If not specified the default certificate and key will be used. This overrides the values of environment variables described below. When using a PKCS#12 keystore as source for certificate and key it must be provided as argument for both options. **-certdir 'CERTDIR'**:: Search 'CERTDIR' for trusted certificates if verifying the proxy certificate. If not specified, the default trusted certificate search path is used. This overrides the value of the ++X509_CERT_DIR++ environment variable @@ -72,7 +72,7 @@ The full set of command-line options to **++grid-proxy-init++** are: Write the generated proxy certificate file to 'PROXYPATH' instead of the default path of ++/tmp/x509up_uUID++.. **-bits 'BITS'**:: - When creating the proxy certificate, use a 'BITS' bit key instead of the default 512 bit keys. + When creating the proxy certificate, use a 'BITS' bit key instead of the default 2048-bit keys. **-policy 'POLICYFILE'**:: Add the certificate policy data described in 'POLICYFILE' as the ProxyCertInfo X.509 extension to the generated proxy certificate. @@ -121,7 +121,7 @@ and '-bits' command-line options to **++grid-proxy-init++**. For example: -------- -% grid-proxy-init -hours 8 -bits 1024 +% grid-proxy-init -hours 8 -bits 4096 Your identity: /DC=org/DC=example/CN=Joe User Enter GRID pass phrase for this identity: Creating proxy .................................. Done Your proxy is valid until: Thu Mar 17 23:48:05 2010 @@ -140,6 +140,8 @@ The following environment variables affect the execution of **++X509_USER_KEY++**:: Path to the key to use to sign the new proxy. +To use a PKCS#12 keystore instead of PEM files for certificate and key, both **++X509_USER_CERT++** and **++X509_USER_KEY++** have to point to the PKCS#12 keystore. + **++X509_CERT_DIR++**:: Path to the directory containing trusted certifiate certificates and signing policies. @@ -150,18 +152,19 @@ The following environment variables affect the execution of The following files affect the execution of **++grid-proxy-init++**: **++$HOME/.globus/usercert.pem++**:: - Default path to the certificate to use as issuer of the new proxy. + Default path to the certificate to use as issuer of the new proxy. If it exists it takes precendence over **++[...]/usercred.p12++** but also requires the presence of the matching key file (**++[...]/userkey.pem++**). **++$HOME/.globus/userkey.pem++**:: - Default path to the key to use to sign the new proxy. - + Default path to the key to use to sign the new proxy. If it exists it takes precendence over **++[...]/usercred.p12++** but also requires the presence of the matching certificate file (**++[...]/usercert.pem++**). +**++$HOME/.globus/usercred.p12++**:: + Default path to the PKCS#12 keystore that contains both the certificate to use as issuer of the new proxy and the key to use to sign the new proxy. To use a PKCS#12 keystore, neither **++[...]/usercert.pem++** nor **++[...]/userkey.pem++** must be present. == Compatibility == For more information about proxy certificate types and their compatibility in GT and GCT, see -http://dev.globus.org/wiki/Security/ProxyCertTypes[http://dev.globus.org/wiki/Security/ProxyCertTypes]. +https://web.archive.org/web/20130817025920/http://dev.globus.org/wiki/Security/ProxyCertTypes[https://web.archive.org/web/20130817025920/http://dev.globus.org/wiki/Security/ProxyCertTypes]. == See Also ==