X.509 File Locations

From GridSiteWiki

In Grid environments, X.509 certificates are usually stored in PEM format in files, in the following standard locations.

X.509 User Certificates

An End Entity Certificate (EEC) issued by a Certification Authority is stored in $HOME/.globus/usercert.pem, with the corresponding private key in $HOME/.globus/userkey.pem (which should have Unix permissions 0400).

These locations can be overridden by the environment variables X509_USER_CERT and X509_USER_KEY.

X.509 Proxy Certificates

grid-proxy-init and voms-proxy-init create a proxy directly from the user's EEC, in the file /tmp/x509up_uUID where UID is the user's Unix userid on that machine. Some applications (including GridSite's htcp etc.) look for proxies in a file of that name.

The environment variable X509_USER_PROXY may be used to override this location.

Certification Authorities

Self-signed CA X.509 root certificates are usually stored in /etc/grid-security/certificates, and should have filenames corresponding to the hash of their contents. The command c_rehash supplied with OpenSSL can be used to generate these, but most CAs distribute their CA root certificates with appropriate filenames already.

Host certificates

We recommend that host certificates and keys are stored in /etc/grid-security with filenames domain.name.cert.pem and domain.name.key.pem, both owned by root.root and with permissions 0444 and 0400 respectively.
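
The lookup rules and permission recommendations above, as an added shell example that is not part of the original wiki page. It resolves each path the way the page describes (environment variable first, then the default) and compares file modes with the recommended values; the function names and the `--audit` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names and the --audit switch are hypothetical.

# User certificate: X509_USER_CERT overrides $HOME/.globus/usercert.pem.
user_cert_path() { printf '%s\n' "${X509_USER_CERT:-$HOME/.globus/usercert.pem}"; }

# User private key: X509_USER_KEY overrides $HOME/.globus/userkey.pem.
user_key_path() { printf '%s\n' "${X509_USER_KEY:-$HOME/.globus/userkey.pem}"; }

# Proxy: X509_USER_PROXY overrides /tmp/x509up_uUID (UID = numeric user id).
proxy_path() { printf '%s\n' "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"; }

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_mode FILE MODE: 0 if FILE has exactly MODE, 1 if not, 2 if missing.
check_mode() {
    if [ ! -f "$1" ]; then
        echo "MISSING $1"
        return 2
    fi
    mode=$(file_mode "$1")
    if [ "$mode" = "$2" ]; then
        echo "OK      $1 ($mode)"
        return 0
    fi
    echo "BAD     $1 (mode $mode, expected $2)"
    return 1
}

# audit [domain.name]: check the user key, and the host files if a name is given.
audit() {
    status=0
    check_mode "$(user_key_path)" 400 || status=1
    if [ -n "${1:-}" ]; then
        check_mode "/etc/grid-security/$1.cert.pem" 444 || status=1
        check_mode "/etc/grid-security/$1.key.pem" 400 || status=1
    fi
    echo "proxy is looked up at $(proxy_path)"
    return $status
}

# Run the checks only when asked to: sh script.sh --audit [domain.name]
case "${1:-}" in
    --audit) audit "${2:-}" ;;
esac
```

A symbolic link in place of a key file is reported as BAD, because the link's own mode is compared rather than the target's.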

See also

Converting .p12 certificate files to PEM