GRID-CERT-DIAGNOST(1)    Grid Community Toolkit Manual   GRID-CERT-DIAGNOST(1)

NAME

       grid-cert-diagnostics - Print diagnostic information about certificates
       and keys

SYNOPSIS

       grid-cert-diagnostics [ -h | -help ]

       grid-cert-diagnostics [ -p ] [ -n ] [ -c CERTIFICATE [-H HOSTNAME] [-m
       { STRICT_GT2 | HYBRID | STRICT_RFC2818 }]]

       grid-cert-diagnostics [ -s HOST[:PORT] | -g HOST[:PORT] ] [-m {
       STRICT_GT2 | HYBRID | STRICT_RFC2818 }]

DESCRIPTION

       The grid-cert-diagnostics program displays information about the
       current user’s security environment, including information about
       security-related environment variables, security directory search path,
       personal key and certificates, and trusted certificates. It is intended
       to provide information to help diagnose problems using GSIC.

       By default, grid-cert-diagnostics prints out information regarding the
       environment and trusted certificate directory. If the -p command-line
       option is used, then additional information about the current user’s
       default certificate and key will be printed.

       The grid-cert-diagnostics program can also attempt to diagnose problems
       connecting to remote GridFTP or SSL-based services.

OPTIONS

       The full set of command-line options to grid-cert-diagnostics consists
       of:

       -h, -help
           Display a help message and exit.

       -p
           Display information about the personal certificate and key that is
           the current user’s default credential.

       -n
           Check time synchronization with the ntpdate command.

       -c CERTIFICATE, -c -
           Check the validity of the certificate in the file named by
           CERTIFICATE or standard input if the parameter to -c is -.

       -H HOSTNAME
           When using the -c option above, check that the certificate’s
           identity matches HOSTNAME.

       -m STRICT_GT2 | HYBRID | STRICT_RFC2818
           Use the specified mode when comparing host certificate names.

       -s HOST[:PORT]
           Connect to the service listening on HOST:PORT and initiate the TLS
           protocol. Diagnostics will be printed containing the TLS / SSL
           protocol version and available cipher list. The certificate chain
           will be verified, and certificate subject name, issuer name, and
           subjectAltName extensions will be printed. If the :PORT is omitted,
           the default of 443 is used.

       -g HOST[:PORT]
           Similar to the -s option, but use the GridFTP protocol. The initial
           GridFTP banner response is included in the diagnostic output. If
           the :PORT is omitted, the default of 2811 is used.

EXAMPLES

       In this example, we see the default mode of checking the default
       security environment for the system, without processing the user’s key
       and certificate. Note the user receives a warning about a
       cog.properties file and about an expired CA certificate.

           % grid-cert-diagnostics

           Checking Environment Variables
           ==============================
           Checking if X509_CERT_DIR is set... no
           Checking if X509_USER_CERT is set... no
           Checking if X509_USER_KEY is set... no
           Checking if X509_USER_PROXY is set... no

           Checking Security Directories
           =======================
           Determining trusted cert path... /etc/grid-security/certificates
           Checking for cog.properties... found
               WARNING: If the cog.properties file contains security properties,
                        Java apps will ignore the security paths described in the GSI
                        documentation

           Checking trusted certificates...
           ================================
           Getting trusted certificate list...
           Checking CA file /etc/grid-security/certificates/1c4f4c48.0... ok
           Verifying certificate chain for "/etc/grid-security/certificates/1c3f2ca8.0"... ok
           Checking CA file /etc/grid-security/certificates/9d8788eb.0... ok
           Verifying certificate chain for "/etc/grid-security/certificates/9d8753eb.0"... failed
               globus_credential: Error verifying credential: Failed to verify credential
               globus_gsi_callback_module: Could not verify credential
               globus_gsi_callback_module: The certificate has expired:
               Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired.

       In this example, we show a user with a mismatched private key and
       certificate:

           % grid-cert-diagnostics -p

           Checking Environment Variables
           ==============================
           Checking if X509_CERT_DIR is set... no
           Checking if X509_USER_CERT is set... no
           Checking if X509_USER_KEY is set... no
           Checking if X509_USER_PROXY is set... no

           Checking Security Directories
           =======================
           Determining trusted cert path... /etc/grid-security/certificates
           Checking for cog.properties... not found

           Checking Default Credentials
           ==============================
           Determining certificate and key file names... ok
           Certificate Path: "/home/juser/.globus/usercert.pem"
           Key Path: "/home/juser/.globus/userkey.pem"
           Reading certificate... ok
           Reading private key...
           ok
           Checking Certificate Subject...
           "/O=Grid/OU=Example/OU=User/CN=Joe User"
           Checking cert... ok
           Checking key... ok
           Checking that certificate contains an RSA key... ok
           Checking that private key is an RSA key... ok
           Checking that public and private keys have the same modulus... failed
           Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5
           219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8
           FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403
           CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2
           Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790
           600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022
           6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF
           7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5
           Certificate and and private key don't match
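
       The modulus comparison that fails in the output above can be reproduced
       with the openssl command. This is an added example, not part of the
       original manual or the toolkit's code; the function names and the
       generated files (usercert.pem, userkey.pem, otherkey.pem) are
       constructed for illustration.

```shell
#!/bin/sh
# Added example: reproduce the "same modulus" check with the openssl CLI.
# All files are constructed sample data generated at run time.

# Print the RSA modulus of the public key in a PEM certificate.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# Print the RSA modulus of an unencrypted PEM private key.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# Return 0 when certificate and key carry the same modulus, 1 otherwise.
# An empty modulus (unreadable or non-RSA file) is treated as a mismatch.
cert_key_match() {
    c=$(cert_modulus "$1")
    k=$(key_modulus "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build constructed sample material in directory $1:
# usercert.pem + userkey.pem (a matching pair) and otherkey.pem (unrelated).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Grid/OU=Example/OU=User/CN=Joe User" \
        -keyout "$1/userkey.pem" -out "$1/usercert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/otherkey.pem" 2048 2>/dev/null
}

# Check the certificate against the right key and against the wrong one.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" || { rm -rf "$d"; return 1; }
    for key in userkey.pem otherkey.pem; do
        if cert_key_match "$d/usercert.pem" "$d/$key"; then
            echo "usercert.pem / $key: ok"
        else
            echo "usercert.pem / $key: failed (moduli differ)"
        fi
    done
    rm -rf "$d"
}

demo
```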

AUTHOR

       Copyright © 1999-2015 University of Chicago

Grid Community Toolkit 6          03/31/2018             GRID-CERT-DIAGNOST(1)