Cabundle

Root CA certificate bundle

Normally, the set of root CA certificates trusted by the federation is handled by the Clearinghouse, and distributed automatically. However, individual federates are free to modify the bundle used locally.

Adding an extra CA certificate to the local bundle

To add another CA to the trusted set, you should obtain its certificate in PEM format, and save it (with a ".pem" suffix) under /usr/testbed/etc/genicacerts/local/. Then run /usr/testbed/sbin/protogeni/getcacerts to regenerate the local bundle. (These instructions assume the default prefix /usr/testbed.)

Adding an extra CA certificate to the federation-wide bundle

This is possible ONLY for clearinghouse sites; for normal federates, add the certificate locally, instead.

To distribute an extra certificate throughout the federation, save its certificate on the CH host under /usr/testbed/etc/genicacerts/. You will need to run /usr/testbed/sbin/protogeni/gencabundle to update the local site. The new certificate will be trusted there immediately, but it will not be available at other federates until it is next fetched (which can take up to 24 hours).

Deleting a certificate which has been added locally

You can undo the procedures above by removing the file from the certificates directory, and re-running the getcacerts or gencabundle script. In the case of the CH bundle, it can again take up to 24 hours for the modification to propagate.

Refusing a certificate from the CH bundle

This is not yet implemented, but it should be and will be...