![[Go to /lcg-ca/]](/lcg.gif)
About
LCG
IGTF
EUGridPMA
Related
EGI CA repository
EGI feeder link
LHC Computing Grid trust anchor (CA) distribution
Welcome and thanks for your interest in these pages. On this site you will find the technical implementation of the WLCG Policy on Approved Certification Authorities, as drafted by the Joint Security Policy Group and endorsed by the WLCG Management Board. For compatibility purposes, the packages from the EGI distribution are mirrored here, so that if you need to obtain CAs from both policies, you can do this from a single source.
| Important Notice for sites in EGI that support WLCG Your should install BOTH "egi-core" AND "lcg" meta-packages, according to your policies. Note that your organisation or NGI may also have a specific policy and may have added or removed CAs compared to the EGI core policy. Sites that need compliance with the WLCG policy should install BOTH packages, or you will miss out the CERN WLCG IOTA CA specific exception see https://documents.egi.eu/document/2745 for details and the WLCG statement http://lcg-ca.web.cern.ch/lcg-ca/doc/WLCG-CERN-IOTA-statement-MB.pdf. |
- Current CA Distribution (persistent link, currently to version 1.130-1)
Version 1.130-1 and change log
The current version of the LCG trust anchor distribution is 1.130-1, based on the IGTF release with the same version. This distribution was built on 2024-07-06. The change log is part of the distribution, and can be found here.
* resolve subjnectDN nameformat compatibility issues trust anchor metadata IMPORTANT NOTICE: In the future releases we will move to a NEW RSA-2048 GPG PACKAGE SIGNING key. The new public key file, GPG-KEY-EUGridPMA-RPM-4, is distributed with this and subsequent releases. You can retrieve the new public key file from https://dl.igtf.net/distribution/GPG-KEY-EUGridPMA-RPM-4 Ensure this key is installed now as a trusted key for package signing!
How to download and install the distribution
To set up the installation via yum you need to set up your yum repository in yum.conf (or add this file to yum.repos.d):
[LCG-trustanchors]
name=LCG-trustanchors
baseurl=http://cern.ch/lcg-ca/distribution/current/
gpgkey=http://cern.ch/lcg-ca/distribution/current/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
Then do the updating from any other repository via
name=LCG-trustanchors
baseurl=http://cern.ch/lcg-ca/distribution/current/
gpgkey=http://cern.ch/lcg-ca/distribution/current/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
# yum update lcg-CA
To install afresh, if you have configured yum appropriately you can do
# yum install ca-policy-lcg
(add a "ca-policy-egi-core" to also get the EGI list, or us ethe historic
"lcg-CA" to get both) to update/install the CAs. Occasionally, in case
the yum cache is not
updated properly one might need to perform manual cleaning with the command:
# yum clean cache metadata
If you want to install the packages manually from RPMs, go to
.../RPMS/, whereas you can find the
tar-balls fo the individual CAs in
.../tgz/. Of course,
the tar-based distribution will not do dependency management or automatic
upgrades. Please review the release notes to look for packages that have
been withdrawn.
Quattor templates
Quattor templates for QWG use can be found distribution/current/meta/ca-policy-lcg.tpl, and in CDB format at distribution/current/meta/pro_software_meta_ca_policy_lcg.tpl.mod_ssl timeout workaround
We provide here a workaround for the issue summarised in comment #57 of bug #48458. The following rpm has been added to the repository: dummy-ca-certs-20090630-1.noarch.rpm. Please note that:- This rpm is not added to the lcg-CA metapackage dependencies.
- If you want to install it you should run: yum install dummy-ca-certs
Comments to David Groep.