Globus: GSI v2.0: CA Signing Policy
In the 1.1.x releases of the Globus Toolkit and the GSI software, the signing policies for all CAs were stored in a single file, ca-signing-policy.conf, which resided in the certificates directory (under /etc/grid-security/ or in $GLOBUS_DEPLOY/share). With the release of version 2.0 of the GSI package, the policy for each CA is now located in a separate file named after the hash of the CA name[1] with the string .signing_policy appended. The contents of this file are the same as what you would have inserted in ca-signing-policy.conf in the 1.1.x releases. For example, the signing policy for the Globus CA is now kept in the file

    /etc/grid-security/certificates/42864e48.signing_policy

This change was made so that all the files for a new CA can be installed without affecting other files in the certificates directory. The file ca-signing-policy.conf is deprecated and no longer used.

Sharing a trusted certificates directory between a 1.1.x and 2.0 installation

If you want to use one trusted certificates directory for both a 1.1.x and a 2.0 Globus or GSI installation, you need to maintain both the ca-signing-policy.conf file and the policy files whose names are based on the hash of the CA name. In this situation ca-signing-policy.conf is the concatenation of all the individual policy files. It is also possible in this situation to make the individual policy files symbolic links to ca-signing-policy.conf.

[1] To generate this hash, run the following command (replace ca_cert with the filename of the PEM file containing the CA certificate):

    openssl x509 -in ca_cert -hash -noout
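For the shared-directory setup described above, the following added example (not part of the original page or of the Globus Toolkit) reports CAs that lack a per-CA policy file and regenerates ca-signing-policy.conf as the concatenation of the individual files. It assumes CA certificates are stored as <hash>.0 in the same directory; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not Globus code. Assumption: CA certificates in the
# directory are named <hash>.0, next to their <hash>.signing_policy.

# Print the hash of every CA certificate that has no per-CA policy file.
missing_policies() {
    dir=$1
    for cert in "$dir"/*.0; do
        [ -e "$cert" ] || continue            # glob matched nothing
        name=$(basename "$cert" .0)
        [ -e "$dir/$name.signing_policy" ] || echo "$name"
    done
}

# Regenerate ca-signing-policy.conf as the concatenation of the per-CA files.
build_legacy_conf() {
    dir=$1
    # If the per-CA files are symlinks to ca-signing-policy.conf, that file
    # is the master copy; rebuilding it from itself would corrupt it.
    for policy in "$dir"/*.signing_policy; do
        if [ -L "$policy" ]; then
            echo "refusing: $policy is a symbolic link" >&2
            return 1
        fi
    done
    tmp=$(mktemp "$dir/.ca-signing-policy.XXXXXX") || return 1
    for policy in "$dir"/*.signing_policy; do
        [ -e "$policy" ] || continue
        cat "$policy" >> "$tmp"
    done
    chmod 644 "$tmp"
    mv "$tmp" "$dir/ca-signing-policy.conf"   # replace in one step
}

# Usage: sh check-policies.sh /etc/grid-security/certificates
if [ -n "${1:-}" ]; then
    missing_policies "$1"
fi
```

A CA reported by missing_policies has a certificate in the directory but no signing policy that a 2.0 installation can find for it.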