You are here: Home Experiment Information US ATLAS Grid Development Certify -- A mass host certificate management tool.

Certify -- A mass host certificate management tool.

by jhover — last modified Mar 29, 2011 02:22 PM
Manage your entire site's host and service certificates with one tool.


Large grid sites now may have hundreds of systems running services that require a host certificate to operate. Some services running as non-privileged users require separate service-specific certificates, e.g. httpd. With most certificates expiring every year, the management of certificates is becoming an onerous administrative hassle.  To ease this burden, DOEgrids has enabled a programmatic interface to their certificate generation/renewal web application and allowed certain pre-approved users ("grid-admins") to instantaneously generate host certificates. Certify is a flexible, command-line tool for detecting expiring certificates and doing mass creation/renewal.



Certify should be run from a highly secure, limited access host. SSH key root access should be set up on all target hosts. A configuration file profiling all hosts that need host certificates is prepared. When the program is run, Certify connects to all listed hosts, checks the characteristics of existing certificates (names, expiration date, etc) or notes if it is absent. When appropriate, Certify then generates a request, and submits it to a CA (e.g. DOEgrids) for signing. Certify then retrieves the signed cert and places it on the target host, adjusting ownership and permissions as needed.



Current Features

  • A command line Python application.
  • Configuration is extremely flexible. Names, paths, ownership, permissions, expiration thresholds, etc. are all fully adjustable.
  • Core functionality is entirely object-oriented, so Certify could be integrated into a GUI/web application if needed.
  • Multi-threaded, so delays in processing one host don't interfere with others continuing to be handled.
  • Designed with a plugin architecture for flexible operation. E.g. one plugin makes self-signed certs while another uses the remote DOEgrids gridadmin interface.
  • Lists of hosts and their certificate characteristics are loaded via URI, so Certify can pull from another web app or database.
  • Highly secure. All interaction with remote hosts is over SSH secured by keys. Certificate requests are generated remotely so private keys never leave the computer they are to be deployed on.


Future Plans

  •  Release version 0.9.0 to public (currently at 0.8.3)
  • Respond to user feedback on features and bugs.
  • Release final candidate to VDT for inclusion in OSG.
  • Remove VDT cert-gridadmin dependency ( by interacting with the DOEgrids CA software directly).
  • Possibly allow management via local self-signing CA



Certify may be pulled from Subversion here:


Certify can be installed either as root or as a regular user. It should probably be run as an unprivileged user.The source repository is a standard Python distutils layout.

You can create an RPM for a root installation with 'python bdist_rpm'.

You can create a source distribution with 'python sdist'. From a source distribution you can install via 'python install --home=/path/to/homedir'. A home directory installation places the executable certify script in ~/bin, libraries in ~/lib/python, and other data in ~/share. You will need to add ~/lib/python to your PYTHONPATH for it to work. 

See the program documentation in the source for full information about configuration and operation.


Document Actions