ESGF CSR and Certificate Installation

Sebastien Denvil edited this page May 11, 2017 · 20 revisions

If you want to install a commercial CA issued certificate:
esg-node --install-keypair
When prompted for the cachain file, specify the chain file provided by your CA

If you wish to generate CSRs for a simpleCA CA certificate and/or web container certificate:
esg-node --generate-esgf-csrs

If you wish to install ESGF certificates:

  1. untar the entire contents of the tarball you received from Lukasz/Prashanth/Sébastien into /etc/esgfcerts
  2. esg-node --install-local-certs
  3. If you also have locally issued certificates for the webcontainer:
    esg-node --install-keypair /etc/esgfcerts/hostcert.pem /etc/esgfcerts/hostkey.pem
    When prompted for the cachain file, specify /etc/esgfcerts/cachain.pem
  4. If you have certificates for your webcontainer, issued by a commercial CA, ensure you have the following:
    a) Certificate and key files.
    b) CA chain file.
    Ensure that your CA chain file is complete with this command:
    openssl verify -verbose -purpose sslserver -CAfile
    You should simply get a one line response that looks like this:
If you have errors, your chain file is not complete. Contact your certificate provider for assistance, or email esgf_iwt@llnl.gov with 'Help needed with CA chainfile construction' in the subject line, attaching your public certificate (NOT KEY!!!) and the CA's certificate or the chain file that you have.

You can get this help text when you execute esg-node --cert-howto

Note: once you have a signed certificate for a node registered under a FQDN, it is valid for that FQDN until the expiry date. You may reuse the keypair (your private key and signed cert) even if you have to reinstall the node from scratch. However, you will need to generate a new CSR in advance of the certificate's expiration, or if you migrate your node installation to a different FQDN.
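
The chain-file check from step 4, as an added example that is not part of the ESGF help text: it builds a constructed throwaway root CA, intermediate CA and host certificate in a temp directory (every subject name and file name below is an assumption) and shows that `openssl verify -purpose sslserver -CAfile` succeeds only when the chain file holds every CA certificate up to the root.

```shell
#!/bin/sh
# Added example. Everything here is constructed: a throwaway root CA,
# intermediate CA and host certificate created in a temp directory.

# make_demo_pki DIR: create root.pem, int.pem and hostcert.pem under DIR
# (host signed by the intermediate, intermediate signed by the root).
make_demo_pki() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -config "$d/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Root CA" -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -extensions ca -days 2 \
        -out "$d/int.pem" 2>/dev/null &&
    openssl req -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=node.example.org" \
        -keyout "$d/hostkey.pem" -out "$d/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/host.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -extensions srv -days 2 \
        -out "$d/hostcert.pem" 2>/dev/null
}

# chain_is_complete CHAINFILE CERT: succeed only if CERT verifies as a TLS
# server certificate using the CA certificates in CHAINFILE.
chain_is_complete() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
cat "$demo/int.pem" "$demo/root.pem" > "$demo/cachain.pem"   # full chain
for chain in cachain.pem root.pem int.pem; do
    if chain_is_complete "$demo/$chain" "$demo/hostcert.pem"; then
        echo "$chain: complete"
    else
        echo "$chain: incomplete"
    fi
done
```

A chain file that contains only the root or only the intermediate fails the check; dropping the output redirection in `chain_is_complete` shows the openssl error that names the missing issuer.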