
Globus: GSI v2.0: CA Signing Policy


Changes since 1.1.x release

In the 1.1.x releases of the Globus Toolkit and the GSI software, the signing policies for all CAs were stored in a single file, ca-signing-policy.conf, which resided in the certificates directory (under /etc/grid-security/ or in $GLOBUS_DEPLOY/share).

With the release of version 2.0 of the GSI package, the policy for each CA is now located in a separate file named after the hash of the CA name[1] with the string .signing_policy appended. The contents of this file are the same as what you would have inserted in ca-signing-policy.conf in the 1.1.x releases.

For example, the signing policy for the Globus CA is now kept in the file /etc/grid-security/certificates/42864e48.signing_policy.

This change was made so that all the files for a new CA can be installed without affecting other files in the certificates directory.

The file ca-signing-policy.conf is deprecated and no longer used.


Sharing a trusted certificates directory between a 1.1.x and 2.0 installation

If you want to use a trusted certificates directory for both a 1.1.x and a 2.0 Globus or GSI installation, you need to maintain both the ca-signing-policy.conf file and the policy files with the filenames based off of the hash of the CA name. In this situation ca-signing-policy.conf would be the concatenation of all the individual policy files.

It is possible in this situation to make the individual policy files symbolic links to ca-signing-policy.conf.


[1] To generate this hash, run the following command (replace ca_cert with the filename of the PEM file containing the CA certificate):

openssl x509 -in ca_cert -hash -noout
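The script below is an added example, not part of the Globus documentation: it derives the <hash>.signing_policy filename from a CA's DER-encoded subject name using the classic OpenSSL name hash (the value `openssl x509 -hash` printed with the OpenSSL of the GSI 2.0 era; OpenSSL 1.0 and later print a different SHA-1 based value for -hash and expose this one as -subject_hash_old), installs the per-CA file, and then builds and checks the concatenated ca-signing-policy.conf needed when the directory is shared with a 1.1.x installation. The subject bytes, the CA name and the policy text are constructed samples, and the directory layout is created in a temporary directory rather than /etc/grid-security/certificates.

```python
import hashlib
from pathlib import Path
from tempfile import mkdtemp

def name_hash_old(subject_der: bytes) -> str:
    """Classic OpenSSL name hash: MD5 over the DER subject, first 4 bytes little-endian,
    8 hex digits. This is `openssl x509 -hash` on OpenSSL 0.9.x; OpenSSL 1.0+ prints a
    SHA-1 based value for -hash and exposes this one as -subject_hash_old."""
    digest = hashlib.md5(subject_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def policy_filename(subject_der: bytes) -> str:
    """GSI 2.0 layout: <hash of CA name>.signing_policy."""
    return name_hash_old(subject_der) + ".signing_policy"

def install_policy(certs_dir: Path, subject_der: bytes, policy_text: str) -> Path:
    """Write one CA's policy without touching any other CA's files (the 2.0 rationale)."""
    path = certs_dir / policy_filename(subject_der)
    path.write_text(policy_text)
    return path

def build_legacy_conf(certs_dir: Path) -> Path:
    """Shared with 1.1.x: ca-signing-policy.conf = concatenation of all per-CA files."""
    parts = [p.read_text() for p in sorted(certs_dir.glob("*.signing_policy"))]
    conf = certs_dir / "ca-signing-policy.conf"
    conf.write_text("".join(parts))
    return conf

def legacy_conf_in_sync(certs_dir: Path) -> bool:
    """True when every per-CA policy appears verbatim in ca-signing-policy.conf,
    i.e. no CA was added for 2.0 while the 1.1.x file was left stale."""
    conf = certs_dir / "ca-signing-policy.conf"
    if not conf.exists():
        return False
    merged = conf.read_text()
    return all(p.read_text() in merged for p in certs_dir.glob("*.signing_policy"))

# Constructed sample: DER Name "CN=Example Test CA" (SEQUENCE/SET/SEQUENCE, OID 2.5.4.3).
TEST_CA_SUBJECT = bytes.fromhex("301a311830160603550403130f4578616d706c652054657374204341")
# Constructed sample policy in signing_policy syntax for that hypothetical CA.
TEST_POLICY = ("access_id_CA  X509    '/O=Example/CN=Example Test CA'\n"
               "pos_rights    globus  CA:sign\n"
               "cond_subjects globus  '\"/O=Example/*\"'\n")

def demo() -> dict:
    """Fresh certificates directory: install the 2.0 file, then build the 1.1.x conf."""
    certs = Path(mkdtemp())
    path = install_policy(certs, TEST_CA_SUBJECT, TEST_POLICY)
    stale = legacy_conf_in_sync(certs)  # False: ca-signing-policy.conf not built yet
    build_legacy_conf(certs)
    return {"policy_file": path.name, "in_sync_before": stale, "in_sync_after": legacy_conf_in_sync(certs)}
```

Running legacy_conf_in_sync after every CA installation catches the case where a 2.0 policy file was added but the shared ca-signing-policy.conf was not regenerated.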