Hmm, more in the SHA2 and jglobus story below. Any other related experience out there?

Alan

Begin forwarded message:

From: Horst Severini <hs@nhn.ou.edu>
Subject: useful information about bestman2 and SHA2 host certificates
Date: September 13, 2014 at 2:56:49 AM GMT+1
To: <osg-sites@OPENSCIENCEGRID.ORG>, <usatlas-t2-l@lists.bnl.gov>
Cc: <adt027@latech.edu>, <hs.greenw@phys.latech.edu>
Reply-To: <hs@nhn.ou.edu>

Hi all,

since we just found out the hard way, I thought I'd send an email and warn people who may run up against the same issue fairly soon. This is documented somewhere, but I'm not sure how many people actually know about it -- at least I hadn't read it before. =)

So the problem is that if you request a new hostcert on a RHEL6/SL6/CentOS6 machine with the latest openssl version installed, then the hostkey which that procedure produces won't work with bestman2; somehow the version of jglobus that bestman2 uses doesn't like it.

The details are here:

https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallOSGBestmanS...

In a nutshell, the solution seems to be to run the following command on the newly produced hostkey file:

    openssl rsa -in hostkey.pem -out hostkey.pem.old

Then move the original hostkey.pem out of the way, rename hostkey.pem.old back to hostkey.pem, and then make a copy of that to bestman/bestman.key as well, as usual for bestman2.

At least that worked for us, Joel Snow tested it. Thanks to Wei Yang for reminding us about this issue.

By the way, the DigiCert certificate expiration reminder email system is currently being fixed, too -- well, it has been fixed, but this fix will most likely be deployed on September 23 during the monthly maintenance, so you may want to have a closer look at all your certificates as well and make sure none of them expire before that. We were also bitten by that. :)

Cheers,

Horst
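Added example, not part of the forwarded e-mail or of the bestman2/OSG documentation: a shell script for the conversion step described above that first checks which encoding the key is in, converts only when needed, confirms the result is the same key, and keeps the file owner-only. It assumes the incompatibility is the PKCS#8 versus traditional RSA encoding that `openssl rsa` changes; the function names `key_format` and `convert_key` and the `.pkcs8` backup suffix are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original e-mail.
# Assumption: the key that fails is PKCS#8 and the working form is the
# traditional RSA encoding that `openssl rsa` writes.

# Print the encoding of the PEM private key in file $1, judged by its header.
key_format() {
    case "$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN .*PRIVATE KEY-----$/{p;q;}')" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo traditional ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Rewrite $1 in the traditional encoding; the original is kept as $1.pkcs8.
# The body runs in a subshell, so umask and exit stay local to this call.
convert_key() (
    key=$1
    case "$(key_format "$key")" in
        traditional) exit 0 ;;                      # already in the old form
        pkcs8) ;;
        *) echo "$key: unsupported or unrecognised key file" >&2; exit 1 ;;
    esac
    umask 077                                       # key material stays owner-only
    tmp=$(mktemp "$key.XXXXXX") || exit 1
    # OpenSSL 3.x writes PKCS#8 from `openssl rsa` unless -traditional is given.
    if openssl rsa -help 2>&1 | grep -q -e '-traditional'; then
        openssl rsa -traditional -in "$key" -out "$tmp"
    else
        openssl rsa -in "$key" -out "$tmp"
    fi || { rm -f "$tmp"; exit 1; }
    # Both files must hold the same key before the original is replaced.
    old=$(openssl rsa -noout -modulus -in "$key")
    new=$(openssl rsa -noout -modulus -in "$tmp")
    if [ -n "$old" ] && [ "$old" = "$new" ]; then
        cp -p "$key" "$key.pkcs8" && mv "$tmp" "$key"
    else
        rm -f "$tmp"; exit 1
    fi
)

if [ "$#" -gt 0 ]; then convert_key "$1"; fi
```

Run it with the key path as the only argument, for example `sh convert_hostkey.sh hostkey.pem` (script name hypothetical), then copy the converted key to bestman/bestman.key as the e-mail describes.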