Provided by: globus-proxy-utils_7.3-2_amd64 bug

NAME

       grid-cert-diagnostics - Print diagnostic information about certificates and keys

SYNOPSIS

       grid-cert-diagnostics [ -h | -help ]

       grid-cert-diagnostics [ -p ] [ -n ] [ -c CERTIFICATE [-H HOSTNAME] [-m { STRICT_GT2 |
       HYBRID | STRICT_RFC2818 }]]

       grid-cert-diagnostics [ -s HOST[:PORT] | -g HOST[:PORT] ] [-m { STRICT_GT2 | HYBRID |
       STRICT_RFC2818 }]

DESCRIPTION

       The grid-cert-diagnostics program displays information about the current user’s security
       environment, including information about security-related environment variables, security
       directory search path, personal key and certificates, and trusted certificates. It is
       intended to provide information to help diagnose problems using GSIC.

       By default, grid-cert-diagnostics prints out information regarding the environment and
       trusted certificate directory. If the -p command-line option is used, then additional
       information about the current user’s default certificate and key will be printed.

       The grid-cert-diagnostics program can also attempt do diagnose problems connecting to
       remote GridFTP or SSL-based services.

OPTIONS

       The full set of command-line options to grid-cert-diagnostics consists of:

       -h, -help
           Display a help message and exit.

       -p
           Display information about the personal certificate and key that is the current user’s
           default credential.

       -n
           Check time synchronization with the ntpdate command.

       -c CERTIFICATE, -c -
           Check the validity of the certificate in the file named by CERTIFICATE or standard
           input if the parameter to -c is -.

       -H HOSTNAME
           When using the -c option above, check that the certificate’s identity matches
           HOSTNAME.

       -m STRICT_GT2 | HYBRID | STRICT_RFC2818
           Use the specified mode when comparing host certificate names.

       -s HOST[:PORT]
           Connect to the service listening on HOST:PORT and initiate the TLS protocol.
           Diagnostics will be printed containing the TLS / SSL protocol version and available
           cipher list. The certificate chain will be verified, and certificate subject name,
           issuer name, and subjectAltName extensions will be printed. If the :PORT is omitted,
           the default of 443 is used.

       -g HOST[:PORT]
           Similar to the -s option, but use the GridFTP protocol. The initial GridFTP banner
           response is included in the diagnostic output. If the :PORT is omitted, the default of
           2811 is used.

EXAMPLES

       In this example, we see the default mode of checking the default security environment for
       the system, without processing the user’s key and certificate. Note the user receives a
       warning about a cog.properties and about an expired CA certificate.

           % grid-cert-diagnostics

           Checking Environment Variables
           ==============================
           Checking if X509_CERT_DIR is set... no
           Checking if X509_USER_CERT is set... no
           Checking if X509_USER_KEY is set... no
           Checking if X509_USER_PROXY is set... no

           Checking Security Directories
           =======================
           Determining trusted cert path... /etc/grid-security/certificates
           Checking for cog.properties... found
               WARNING: If the cog.properties file contains security properties,
                        Java apps will ignore the security paths described in the GSI
                        documentation

           Checking trusted certificates...
           ================================
           Getting trusted certificate list...
           Checking CA file /etc/grid-security/certificates/1c4f4c48.0... ok
           Verifying certificate chain for "/etc/grid-security/certificates/1c3f2ca8.0"... ok
           Checking CA file /etc/grid-security/certificates/9d8788eb.0... ok
           Verifying certificate chain for "/etc/grid-security/certificates/9d8753eb.0"... failed
               globus_credential: Error verifying credential: Failed to verify credential
               globus_gsi_callback_module: Could not verify credential
               globus_gsi_callback_module: The certificate has expired:
               Credential with subject: /DC=org/DC=example/OU=grid/CN=CA has expired.

       In this example, we show a user with a mismatched private key and certificate:

           % grid-cert-diagnostics -p

           Checking Environment Variables
           ==============================
           Checking if X509_CERT_DIR is set... no
           Checking if X509_USER_CERT is set... no
           Checking if X509_USER_KEY is set... no
           Checking if X509_USER_PROXY is set... no

           Checking Security Directories
           =======================
           Determining trusted cert path... /etc/grid-security/certificates
           Checking for cog.properties... not found

           Checking Default Credentials
           ==============================
           Determining certificate and key file names... ok
           Certificate Path: "/home/juser/.globus/usercert.pem"
           Key Path: "/home/juser/.globus/userkey.pem"
           Reading certificate... ok
           Reading private key...
           ok
           Checking Certificate Subject...
           "/O=Grid/OU=Example/OU=User/CN=Joe User"
           Checking cert... ok
           Checking key... ok
           Checking that certificate contains an RSA key... ok
           Checking that private key is an RSA key... ok
           Checking that public and private keys have the same modulus... failed
           Private key modulus: D294849E37F048C3B5ACEEF2CCDF97D88B679C361E29D5CB5
           219C3E948F3E530CFC609489759E1D751F0ACFF0515A614276A0F4C11A57D92D7165B8
           FA64E3140155DE448D45C182F4657DA13EDA288423F5B9D169DFF3822EFD81EB2E6403
           CE3CB4CCF96B65284D92592BB1673A18354DA241B9AFD7F494E54F63A93E15DCAE2
           Public key modulus : C002C7B329B13BFA87BAF214EACE3DC3D490165ACEB791790
           600708C544175D9193C9BAC5AED03B7CB49BB6AE6D29B7E635FAC751E9A6D1CEA98022
           6F1B63002902D6623A319E4682E7BFB0968DCE962CF218AAD95FAAD6A0BA5C42AA9AAF
           7FDD32B37C6E2B2FF0E311310AA55FFB9EAFDF5B995C7D9EEAD8D5D81F3531E0AE5
           Certificate and and private key don't match

AUTHOR

       Copyright © 1999-2015 University of Chicago