GRID-CERT-DIAGNOST(1)          Grid Community Toolkit Manual          GRID-CERT-DIAGNOST(1)


NAME
       grid-cert-diagnostics - Print diagnostic information about certificates and keys

SYNOPSIS
       grid-cert-diagnostics [ -h | -help ]

       grid-cert-diagnostics [ -p ] [ -n ] [ -c CERTIFICATE [-H HOSTNAME] [-m { STRICT_GT2 | HYBRID | STRICT_RFC2818 }]]

       grid-cert-diagnostics [ -s HOST[:PORT] | -g HOST[:PORT] ] [-m { STRICT_GT2 | HYBRID | STRICT_RFC2818 }]

DESCRIPTION
       The grid-cert-diagnostics program displays information about the current
       user’s security environment, including security-related environment
       variables, the security directory search path, the personal key and
       certificates, and the trusted certificates. It is intended to provide
       information that helps diagnose problems using GSI C.

       By default, grid-cert-diagnostics prints information about the
       environment and the trusted certificate directory. If the -p
       command-line option is used, additional information about the current
       user’s default certificate and key is printed.

       The grid-cert-diagnostics program can also attempt to diagnose problems
       connecting to remote GridFTP or SSL-based services.

OPTIONS
       The full set of command-line options to grid-cert-diagnostics consists of:

       -h, -help
           Display a help message and exit.

       -p
           Display information about the personal certificate and key that is
           the current user’s default credential.

       -n
           Check time synchronization with the ntpdate command.

       -c CERTIFICATE, -c -
           Check the validity of the certificate in the file named by
           CERTIFICATE, or on standard input if the parameter to -c is -.

       -H HOSTNAME
           When using the -c option above, check that the certificate’s
           identity matches HOSTNAME.

       -m STRICT_GT2 | HYBRID | STRICT_RFC2818
           Use the specified mode when comparing host certificate names.

       -s HOST[:PORT]
           Connect to the service listening on HOST:PORT and initiate the TLS
           protocol. Diagnostics will be printed containing the TLS / SSL
           protocol version and available cipher list. The certificate chain
           will be verified, and the certificate subject name, issuer name, and
           subjectAltName extensions will be printed. If :PORT is omitted, the
           default of 443 is used.

       -g HOST[:PORT]
           Similar to the -s option, but use the GridFTP protocol. The initial
           GridFTP banner response is included in the diagnostic output. If
           :PORT is omitted, the default of 2811 is used.

EXAMPLES
       In this example, we see the default mode of checking the default
       security environment for the system, without processing the user’s key
       and certificate. Note that the user receives a warning about a
       cog.properties file and about an expired CA certificate.

           % grid-cert-diagnostics

           Checking Environment Variables
           ==============================
           Checking if X509_CERT_DIR is set... no
           Checking if X509_USER_CERT is set... no
           Checking if X509_USER_KEY is set... no
           Checking if X509_USER_PROXY is set... no

           Checking Security Directories
           =======================
           Determining trusted cert path... /etc/grid-security/certificates
           Checking for cog.properties... found
           WARNING: If the cog.properties file contains security properties,
           Java apps will ignore the security paths described in the GSI
           documentation

           Checking trusted certificates...
           ================================
           Getting trusted certificate list...
           Checking CA file /etc/grid-security/certificates/1c4f4c48.0... ok
           Verifying certificate chain for "/etc/grid-security/certificates/1c3f2ca8.0"... ok
           Checking CA file /etc/grid-security/certificates/9d8788eb.0... ok
           Verifying certificate chain for "/etc/grid-security/certificates/9d8753eb.0"... failed
           globus_credential: Error verifying credential: Failed to verify credential
           globus_gsi_callback_module: Could not verify credential
           globus_gsi_callback_module: The certificate has expired:
           Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired.

       In this example, we show a user with a mismatched private key and
       certificate:

           % grid-cert-diagnostics -p

           Checking Environment Variables
           ==============================
           Checking if X509_CERT_DIR is set... no
           Checking if X509_USER_CERT is set... no
           Checking if X509_USER_KEY is set... no
           Checking if X509_USER_PROXY is set... no

           Checking Security Directories
           =======================
           Determining trusted cert path... /etc/grid-security/certificates
           Checking for cog.properties... not found

           Checking Default Credentials
           ==============================
           Determining certificate and key file names... ok
           Certificate Path: "/home/juser/.globus/usercert.pem"
           Key Path: "/home/juser/.globus/userkey.pem"
           Reading certificate... ok
           Reading private key...
           ok
           Checking Certificate Subject...
           "/O=Grid/OU=Example/OU=User/CN=Joe User"
           Checking cert... ok
           Checking key... ok
           Checking that certificate contains an RSA key... ok
           Checking that private key is an RSA key... ok
           Checking that public and private keys have the same modulus... failed
           Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5
           219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8
           FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403
           CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2
           Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790
           600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022
           6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF
           7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5
           Certificate and and private key don't match

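       The modulus comparison that produced the "failed" line above, together with the
       expiry check behind the first example and the host-name check that -c with -H
       performs, can be reproduced with plain openssl(1). The script below is an added
       example and is not part of the Grid Community Toolkit or grid-cert-diagnostics
       itself; the function names are chosen here, and the certificate and keys it
       checks are generated on the fly as constructed test material rather than read
       from a real ~/.globus directory.

```shell
#!/bin/sh
# Added example (not Grid Community Toolkit code): reproduce the checks that
# grid-cert-diagnostics -p and -c/-H perform, using only openssl(1).
# Function names are chosen here; the certificate and keys used for the
# demonstration are generated on the fly as constructed test material.

# 0 if the RSA modulus in the certificate equals the modulus in the private key.
# This is the "public and private keys have the same modulus" test from -p;
# returns 2 when either file is unreadable or the key is not an RSA key.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# 0 if the certificate is still valid $2 seconds from now (default: right now),
# i.e. it would not trip the "certificate has expired" error from the first example.
cert_not_expired() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# 0 if the certificate's identity matches host name $2, as -c CERT -H HOST checks.
# openssl consults subjectAltName dNSName entries first and falls back to the
# subject CN only when the certificate carries none.
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" 2>/dev/null | grep -q 'does match'
}

# Constructed test material in a temporary directory: a self-signed host
# certificate with its own key, plus an unrelated key that does not belong to it.
# Prints the directory name so the caller can clean it up.
make_test_material() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Grid/OU=Example/CN=gridftp.example.org" \
        -keyout "$dir/hostkey.pem" -out "$dir/hostcert.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$dir/otherkey.pem" 2048 >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# Report one check in the "... ok" / "... failed" style of grid-cert-diagnostics.
report() {
    if "$@"; then echo "... ok"; else echo "... failed"; fi
}

# Usage: sh check_cred.sh CERT KEY [HOSTNAME]   (diagnose your own files).
# With no arguments nothing runs, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    printf 'Checking that public and private keys have the same modulus'
    report cert_key_match "$1" "$2"
    printf 'Checking that the certificate has not expired'
    report cert_not_expired "$1"
    if [ -n "$3" ]; then
        printf 'Checking that the certificate matches %s' "$3"
        report cert_matches_host "$1" "$3"
    fi
fi
```

       Run it as "sh check_cred.sh ~/.globus/usercert.pem ~/.globus/userkey.pem" to get
       the same verdicts the tool prints; a key from a different enrolment, as in the
       example above, fails only the modulus check while the certificate itself still
       passes the expiry and host-name checks.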
AUTHOR
       Copyright © 1999-2015 University of Chicago



Grid Community Toolkit 6               03/31/2018               GRID-CERT-DIAGNOST(1)