'\" t .\" Title: grid-cert-diagnostics .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 03/31/2018 .\" Manual: Grid Community Toolkit Manual .\" Source: Grid Community Toolkit 6 .\" Language: English .\" .TH "GRID\-CERT\-DIAGNOST" "1" "03/31/2018" "Grid Community Toolkit 6" "Grid Community Toolkit Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" grid-cert-diagnostics \- Print diagnostic information about certificates and keys .SH "SYNOPSIS" .sp \fBgrid\-cert\-diagnostics\fR [ \-h | \-help ] .sp \fBgrid\-cert\-diagnostics\fR [ \-p ] [ \-n ] [ \-c CERTIFICATE [\-H HOSTNAME] [\-m { STRICT_GT2 | HYBRID | STRICT_RFC2818 }]] .sp \fBgrid\-cert\-diagnostics\fR [ \-s HOST[:PORT] | \-g HOST[:PORT] ] [\-m { STRICT_GT2 | HYBRID | STRICT_RFC2818 }] .SH "DESCRIPTION" .sp The \fBgrid\-cert\-diagnostics\fR program displays information about the current user\(cqs security environment, including information about security\-related environment variables, security directory search path, personal key and certificates, and trusted certificates\&. It is intended to provide information to help diagnose problems using GSIC\&. .sp By default, \fBgrid\-cert\-diagnostics\fR prints out information regarding the environment and trusted certificate directory\&. If the \fI\-p\fR command\-line option is used, then additional information about the current user\(cqs default certificate and key will be printed\&. .sp The \fBgrid\-cert\-diagnostics\fR program can also attempt do diagnose problems connecting to remote GridFTP or SSL\-based services\&. .SH "OPTIONS" .sp The full set of command\-line options to \fBgrid\-cert\-diagnostics\fR consists of: .PP \fB\-h, \-help\fR .RS 4 Display a help message and exit\&. .RE .PP \fB\-p\fR .RS 4 Display information about the personal certificate and key that is the current user\(cqs default credential\&. .RE .PP \fB\-n\fR .RS 4 Check time synchronization with the ntpdate command\&. .RE .PP \fB\-c \fR\fB\fICERTIFICATE\fR\fR\fB, \-c \fR\fB\fI\-\fR\fR .RS 4 Check the validity of the certificate in the file named by \fICERTIFICATE\fR or standard input if the parameter to \fI\-c\fR is \fI\-\fR\&. .RE .PP \fB\-H \fR\fB\fIHOSTNAME\fR\fR .RS 4 When using the \fB\-c\fR option above, check that the certificate\(cqs identity matches HOSTNAME\&. .RE .PP \fB\-m \fR\fB\fISTRICT_GT2 | HYBRID | STRICT_RFC2818\fR\fR .RS 4 Use the specified mode when comparing host certificate names\&. .RE .PP \fB\-s \fR\fB\fIHOST[:PORT]\fR\fR .RS 4 Connect to the service listening on \fIHOST:PORT\fR and initiate the TLS protocol\&. Diagnostics will be printed containing the TLS / SSL protocol version and available cipher list\&. The certificate chain will be verified, and certificate subject name, issuer name, and subjectAltName extensions will be printed\&. If the \fI:PORT\fR is omitted, the default of \fI443\fR is used\&. .RE .PP \fB\-g \fR\fB\fIHOST[:PORT]\fR\fR .RS 4 Similar to the \fI\-s\fR option, but use the GridFTP protocol\&. The initial GridFTP banner response is included in the diagnostic output\&. If the \fI:PORT\fR is omitted, the default of \fI2811\fR is used\&. .RE .SH "EXAMPLES" .sp In this example, we see the default mode of checking the default security environment for the system, without processing the user\(cqs key and certificate\&. Note the user receives a warning about a cog\&.properties and about an expired CA certificate\&. .sp .if n \{\ .RS 4 .\} .nf % grid\-cert\-diagnostics .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf Checking Environment Variables ============================== Checking if X509_CERT_DIR is set\&.\&.\&. no Checking if X509_USER_CERT is set\&.\&.\&. no Checking if X509_USER_KEY is set\&.\&.\&. no Checking if X509_USER_PROXY is set\&.\&.\&. no .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf Checking Security Directories ======================= Determining trusted cert path\&.\&.\&. /etc/grid\-security/certificates Checking for cog\&.properties\&.\&.\&. found WARNING: If the cog\&.properties file contains security properties, Java apps will ignore the security paths described in the GSI documentation .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf Checking trusted certificates\&.\&.\&. ================================ Getting trusted certificate list\&.\&.\&. Checking CA file /etc/grid\-security/certificates/1c4f4c48\&.0\&.\&.\&. ok Verifying certificate chain for "/etc/grid\-security/certificates/1c3f2ca8\&.0"\&.\&.\&. ok Checking CA file /etc/grid\-security/certificates/9d8788eb\&.0\&.\&.\&. ok Verifying certificate chain for "/etc/grid\-security/certificates/9d8753eb\&.0"\&.\&.\&. failed globus_credential: Error verifying credential: Failed to verify credential globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: The certificate has expired: Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired\&. .fi .if n \{\ .RE .\} .sp In this example, we show a user with a mismatched private key and certificate: .sp .if n \{\ .RS 4 .\} .nf % grid\-cert\-diagnostics \-p .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf Checking Environment Variables ============================== Checking if X509_CERT_DIR is set\&.\&.\&. no Checking if X509_USER_CERT is set\&.\&.\&. no Checking if X509_USER_KEY is set\&.\&.\&. no Checking if X509_USER_PROXY is set\&.\&.\&. no .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf Checking Security Directories ======================= Determining trusted cert path\&.\&.\&. /etc/grid\-security/certificates Checking for cog\&.properties\&.\&.\&. not found .fi .if n \{\ .RE .\} .sp .if n \{\ .RS 4 .\} .nf Checking Default Credentials ============================== Determining certificate and key file names\&.\&.\&. ok Certificate Path: "/home/juser/\&.globus/usercert\&.pem" Key Path: "/home/juser/\&.globus/userkey\&.pem" Reading certificate\&.\&.\&. ok Reading private key\&.\&.\&. ok Checking Certificate Subject\&.\&.\&. "/O=Grid/OU=Example/OU=User/CN=Joe User" Checking cert\&.\&.\&. ok Checking key\&.\&.\&. ok Checking that certificate contains an RSA key\&.\&.\&. ok Checking that private key is an RSA key\&.\&.\&. ok Checking that public and private keys have the same modulus\&.\&.\&. failed Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5 219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8 FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403 CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2 Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790 600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022 6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF 7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5 Certificate and and private key don\*(Aqt match .fi .if n \{\ .RE .\} .SH "AUTHOR" .sp Copyright \(co 1999\-2015 University of Chicago