create and use a service certificate for oasis cron job


cosg16:marki:marki> openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/
issuer= /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1
notBefore=Mar 21 17:36:19 2017 GMT
notAfter=Apr 20 17:41:19 2018 GMT




OSG related notes

Running cronjob by hand succeeds where running from cron fails with proxy not generated.

  • GOC stands for Grid Operations Center
  • GOC ticket is a help request to the GOC

To install my personal grid certificate into Firefox 52.3.0:

  • preferences > advanced >view certificates > your certificates > import
  • choose “user_certificate_and_key.U228.p12”
  • enter certificate password


Installing JLab’s PKI certificate into Google Chrome

  • download certificate (.crt file) from
  • in chrome download box, click on open, should open certificate import dialog box
  • expand Details heading to check signature
  • click on Import at bottom of dialog box
  • provide your gnome2 keyword password, perhaps your login password when the nssdb directory was created under $HOME/.pki
  • in chrome settings, under advanced settings, HTTPS/SSL, clicking on Manage certificates…gets you nowhere


OpenShop Certificates at JLab for the SRM

On May 14 Richard added new host certificates to the appropriate directory under /apps/osg to account for some of the SRM server hosts at UConn licensed under “OpenShop”, his private label. Those will be changed in the future to refer to DigiCert as is more standard.

This was causing intermittent failures that depended on the number of files requested. If more than about 20 were in an SRM requested then it was likely that one of the untrusted servers would be involved and the transfer would bomb on the client side with no trace on the server except for a log entry indicating that the client had “canceled” the request.

installing an external ssl certificate on local box

Under Fedora 16.