arcctl deploy ca-cert
New arcctl functionality to easily install a CA certificate into /etc/grid-security/certificates.
Focus cases are:
- running on the IGTF bundle, but one extra CA cert is needed
- transferring Test-CA certificates from ARC CE to client
deploy ca-cert input is just a certificate file, a URL to a certificate file, or even stdin. arcctl takes the certificate, installs it to x509_cert_dir, makes the necessary hash links, and creates the signing policy file.
Other adjustments included:
- cleanup and refactoring of TestCA certificate generator
- bumping the key size and using a better hash in the default Test CA settings to match current security requirements
- arcctl test-ca info to have a shortcut to the Test CA certificate location or to dump it to stdout
Example 1: transferring Test CA certificate
[user@arc-ce ~]$ arcctl test-ca info -o ca-cert
-----BEGIN CERTIFICATE-----
MIIFyTCCA7GgAwIBAgIUeLkSbksS9r3raPvkT2rR0ep06X8wDQYJKoZIhvcNAQEM
BQAwdDETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkWCW5vcmR1
<output omitted>
TJ9f0I8ktHACLvLvJE9SIDWs2zPo8o4cmvLBAtxe+jaijn22THtpLLUSXt1ozexS
ZHGFtsUBuIoNzXoRXxJwkGBA1ZpLBbOpjyp6PzNcTPYFG51+EHTUMPkbfyQ5
-----END CERTIFICATE-----
[root@client ~]# arcctl deploy ca-cert
[2024-10-25 21:40:50,328] [ARCCTL.ThirdParty.Deploy] [INFO] [726706] [Reading CA Certificate PEM data from stdin]
-----BEGIN CERTIFICATE-----
MIIFyTCCA7GgAwIBAgIUeLkSbksS9r3raPvkT2rR0ep06X8wDQYJKoZIhvcNAQEM
BQAwdDETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkWCW5vcmR1
<output omitted>
TJ9f0I8ktHACLvLvJE9SIDWs2zPo8o4cmvLBAtxe+jaijn22THtpLLUSXt1ozexS
ZHGFtsUBuIoNzXoRXxJwkGBA1ZpLBbOpjyp6PzNcTPYFG51+EHTUMPkbfyQ5
-----END CERTIFICATE-----
[2024-10-25 21:40:54,173] [ARCCTL.ThirdParty.Deploy] [INFO] [726706] [CA Certificate for /DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=ARC TestCA fdb0a5e3 is deployed successfully to /etc/grid-security/certificates/ARCTestCAfdb0a5e3.pem]
Example 2: installing extra certificate from URL
[root@arc-ce ~]# arcctl deploy ca-cert --crt https://letsencrypt.org/certs/isrgrootx1.pem
[2024-10-25 21:50:33,766] [ARCCTL.ThirdParty.Deploy] [INFO] [726908] [CA Certificate for /C=US/O=Internet Security Research Group/CN=ISRG Root X1 is deployed successfully to /etc/grid-security/certificates/ISRGRootX1.pem]
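Whatever reaches arcctl deploy ca-cert over stdin or from a URL becomes a trust anchor in /etc/grid-security/certificates, so the PEM can be checked against a SHA-256 fingerprint obtained out of band before it is passed on. The filter below is an added example, not part of arcctl or of this change; the script name pin_check.py and its function names are hypothetical, and the sample PEM is a constructed placeholder rather than a real certificate.

```python
"""pin_check.py (hypothetical name): pass a CA certificate on only if it matches a pin.

Usage: <pem source> | python3 pin_check.py <expected-sha256> | arcctl deploy ca-cert
"""
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder (DER SEQUENCE { INTEGER 1 }), not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def pem_fingerprints(pem_text):
    """Return the SHA-256 hex digest of the DER body of every certificate block."""
    digests = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain DER data")
        digests.append(hashlib.sha256(der).hexdigest())
    return digests


def check_pin(pem_text, expected_fp):
    """True only if the input holds exactly one certificate matching the pin."""
    digests = pem_fingerprints(pem_text)
    if len(digests) != 1:  # refuse bundles: one pin vouches for one trust anchor
        return False
    # Accept openssl-style 'AA:BB:...' or plain hex, in any case.
    wanted = expected_fp.replace(":", "").strip().lower()
    return hmac.compare_digest(digests[0], wanted)


def main(argv):
    if len(argv) != 2:
        sys.exit("usage: pin_check.py <expected-sha256-fingerprint> < ca.pem")
    pem_text = sys.stdin.read()
    if not check_pin(pem_text, argv[1]):
        sys.exit("fingerprint mismatch: certificate not passed on")
    sys.stdout.write(pem_text)  # unchanged PEM for the next command in the pipe


if __name__ == "__main__":
    main(sys.argv)
```

On a mismatch, or when the input holds zero or several certificates, the filter writes nothing to stdout and exits non-zero.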