New certificate for globus fails

LabKey Support Forum (Inactive)
New certificate for globus fails Brian Connolly  2011-09-28 17:39
Status: Closed
 
Ashoka,

When you see an error like

"...Bad certificate (The signature of 'O=Grid,OU=GlobusTest,OU=simpleCA-medusa.tgen.org,CN=host/medusa.tgen.org' certificate does not match its issuer).."

This usually means that the host certificate (/etc/grid-security/hostcert.pem) or container certificate (/etc/grid-security/containercert.pem) was issued by a different certificate authority than the one currently in use.

My guess is that you are currently running in one of two states:

1) host certificate and/or container certificate is from old certificate authority and new certificate authority is configured as default.

2) host certificate and/or container certificate is from new certificate authority and old certificate authority is configured as default.


When the new certificate authority was created, it should have created some new files in the /etc/grid-security/certificates directory. One of these files is the root certificate for the new CA. It should be of the form xxxxxxxx.0 where "xxxxxxxx" is an alphanumeric string that was generated during the certificate authority creation.

Does this file exist? If so, is it readable by the globus user?

You can test if the current host certificate was signed by a given certificate authority by running

   openssl verify -CAfile /etc/grid-security/certificates/xxxxxxxx.0 /etc/grid-security/hostcert.pem

-where xxxxxxxx.0 is the root certificate for your CA.

If the certificate was created by the certificate authority, you will see a message like
"hostcert.pem: OK"

You should test the root cert from both the old and the new certificate authority. In addition, you should run the same test with the containercert.pem.


Lastly, you can view the certificate that is currently in use by the Globus Server by running

    openssl s_client -connect medusa.tgen.org:8443

-this command will output the entire certificate chain currently in use by the globus server. You can use this output to determine if this certificate was created by the old or new certificate authority.

(If you use the command "openssl x509 -in hostcert.pem -text -noout", it will output the certificate in text format. You can use this to compare to the output of the command above.)


What you want to ensure is that for the hostcert.pem/containercert.pem and user certificates you are using, the root certificate (i.e. the one named xxxxxxxx.0) for the certificate authority which created these certificates is located in /etc/grid-security/certificates.

-Brian