From memory we deprecated /host some time ago but allowed sites to request a renewal if they wanted. Since CertWizard was developed long after this it doesn't surprise me that it wasn't part of its spec.
What I can't remember is whether there was a time limit of support. Hence I cc Jens.
John
-----Original Message-----
From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of John Kewley
Sent: 06 November 2012 11:23
To: [log in to unmask]
Subject: Re: "host/" prefix in server certs.
Since unadorned host certs are considered host certs, use of "host/" hasn't
been prevalent for a long time, although there are a smattering of host certificates with
the "host/" prefix still hanging around, presumably for historical reasons.
What is perhaps a better question is whether there is a use case for any of the other
service prefixes which were supported on the old web interface. These were typically used
when there were multiple services on the same machine, but I understand there are better
ways of doing that now.
Use cases could include the fact that your DN is embedded "all over the place"
and it would be a real pain getting all your users/references to change. This may be
the case for a VOMS or myproxy server for instance. I am not saying it'd be a compelling
use case, but it would be a reasonable point all the same.
I don't have any documentary evidence "to hand" about service prefixes being deprecated,
but maybe Jens or Mike Jones has that information.
Cheers
JK
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of John Hill
> Sent: Tuesday, November 06, 2012 11:05 AM
> To: [log in to unmask]
> Subject: Re: "host/" prefix in server certs.
>
> None of our host certificates have the "host/".
>
> John
>
> On 06/11/2012 10:46, Wahid Bhimji wrote:
> > Hi
> >
> > So when I tried to use the "Cert wizard" to renew my disk server
> > certificates I hit an error apparently due to the "host/".
> > Does anyone know if that is in fact needed or if it is ok to use a cert
> > without that bit?
> >
> > The salient parts of my discussion with the helpdesk are below.
> >
> > Wahid
> >
> > Begin forwarded message:
> >
> >> *From: *UK Grid Operations Support Centre <[log in to unmask]
> >> <mailto:[log in to unmask]>>
> >> *Subject: **sec_error_unknown_issuer error using firefox to renew host
> >> certificate ISSUE=15075 PROJ=1*
> >> *Date: *6 November 2012 10:41:00 GMT
> >> *To: *<[log in to unmask] <mailto:[log in to unmask]>>
> >> *Reply-To: *<[log in to unmask]
> >> <mailto:[log in to unmask]>>
> >>
> >> When replying, type your text above this line.
> >> ------------------------------------------------------------------------
> >> *Notification of Query Change*
> >>
> >> The following reply has been supplied for query [GOSC
> >> 15075].
> >>
> >>
> >> *Status: * Agent Replied *Creation Date: * 05/11/2012
> >>
> >>
> >> *Query Content:*
> >> /Entered on 06/11/2012 at 10:41:29 GMT (GMT+0000) by John Kewley:/
> >> OK thanks
> >>
> >> I agree it would be better if it worked on OS/X, but we have spent our
> >> development on CertWizard so we don't have to support every browser on
> >> every OS.
> >>
> >> Are you sure you need the "host/" prefix? If you have a use-case we'd
> >> be pleased to hear it - that browser interface won't be around for
> >> that long
> >> so we do need to find out if anyone does indeed have any requirements
> >> for a service certificate.
> >>
> >> Cheers
> >>
> >> JK
> >>
> >>
> >> On 6 Nov 2012, at 09:41, UK Grid Operations Support Centre
> >> <[log in to unmask] <mailto:[log in to unmask]>> wrote:
> >>
> >> > [Duplicate message snipped]
> >>
> >> /Entered on 06/11/2012 at 09:41:26 GMT (GMT+0000) by John Kewley:/
> >> The use of a service prefix (especially the host/ prefix) has been
> >> pretty much deprecated by the community some time ago, so we haven't
> >> added support for it in CertWizard.
> >>
> >> Your error message doesn't look too friendly though, sorry about that.
> >>
> >> If you don't still require that exact DN then you can request a new
> >> certificate without the prefix using CertWizard - this is likely your
> >> easiest option ... unless you need that prefix for something.
> >>
> >> ... or you should be able to still use Firefox to renew it. Can you
> >> detail the steps you are doing in FF?
> >>
> >> cheers
> >>
> >> JK
> >>
> >> /Entered on 06/11/2012 at 09:20:26 GMT (GMT+0000) by
> >> [log in to unmask] <mailto:[log in to unmask]>:/
> >> Subject: Re: sec_error_unknown_issuer error using firefox to renew
> >> host certificate ISSUE=15075 PROJ=1
> >> To: <[log in to unmask] <mailto:[log in to unmask]>>
> >> From: Wahid Bhimji <[log in to unmask]
> >> <mailto:[log in to unmask]>>
> >>
> >> Right I tried the cert wizard and I got this message
> >> "Server responded an error: For user cert requests, the CN should be
> >> lowercase of the form 'firstname surname' (single space separator).
> >> For hostcert requests, the CN should be a valid lowercase DNS domain
> >> name. [Accepted (202) - The request has been accepted for processing,
> >> but the processing has not been completed]"
> >>
> >> Is it possible to use the cert wizard or not - what does that message
> >> mean?
> >> The DN is
> >> [log in to unmask]
> >> <mailto:[log in to unmask]>,
> >> CN=host/pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK
> >> CN=UK e-Science CA 2B, OU=Authority, O=eScienceCA, C=UK
> >>
> >> I need to get this resolved very soon as the cert will expire next week
> >>
> >> Wahid
> >>
> >
> >
> >
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
> >
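As an added example, not code from CertWizard, the UK e-Science CA, or anyone in this thread: a small Python validator that applies the CN rule quoted in the helpdesk ticket above ("for hostcert requests, the CN should be a valid lowercase DNS domain name"; "for user cert requests, the CN should be lowercase of the form 'firstname surname'") to the subject DN Wahid posted, so the reason `CN=host/pool3.glite.ecdf.ed.ac.uk` is rejected and the accepted bare-hostname form are both visible. The regular expressions are one reading of that rule text, the DN parser is a deliberately simple comma-splitter, and `split_service_prefix`, `validate_cn` and `check_request_dn` are hypothetical helpers; none of this is CertWizard's own logic.

```python
"""CN validation along the lines of the CertWizard error quoted in the thread.

Added example, not CertWizard's or the CA's own code. The regexes are one
interpretation of the quoted rule text; the real checks may differ.
"""
import re

# 'firstname surname', lowercase, single space separator (assumed: ASCII letters only).
USER_CN_RE = re.compile(r"^[a-z]+ [a-z]+$")

# One DNS label: 1-63 chars, lowercase alphanumerics and hyphens, no leading/trailing '-'.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Fully-qualified lowercase hostname: at least two labels (overall length checked separately).
HOST_CN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")

# Generic 'service/hostname' form accepted by the old web interface
# (the thread names 'host/' explicitly; any lowercase prefix is recognised here).
SERVICE_PREFIX_RE = re.compile(r"^([a-z][a-z0-9-]*)/(.+)$")


def parse_dn(dn):
    """Parse a comma-separated DN string into a list of (attribute, value) pairs.

    Backslash-escaped commas inside values are honoured; quoted values are not
    (assumed simplification, enough for the DNs shown in the thread).
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip().replace("\\,", ",")))
    return rdns


def split_service_prefix(cn):
    """Return (prefix, bare_cn); prefix is None when the CN has no 'service/' prefix."""
    m = SERVICE_PREFIX_RE.match(cn)
    if m:
        return m.group(1), m.group(2)
    return None, cn


def validate_cn(cn, kind):
    """Check a CN against the rule for request kind 'user' or 'host'.

    Returns (ok, reason); reason is an empty string on success.
    """
    if kind == "user":
        if cn != cn.lower():
            return False, "user CN must be lowercase"
        if not USER_CN_RE.match(cn):
            return False, "user CN must be of the form 'firstname surname' (single space separator)"
        return True, ""
    if kind == "host":
        prefix, bare = split_service_prefix(cn)
        if prefix is not None:
            # This is the case hit in the thread: 'host/' in front of the hostname.
            return False, f"service prefix '{prefix}/' is not supported; use CN={bare}"
        if cn != cn.lower():
            return False, "host CN must be a lowercase DNS name"
        if len(cn) > 253 or not HOST_CN_RE.match(cn):
            return False, "host CN must be a valid fully-qualified DNS domain name"
        return True, ""
    raise ValueError(f"unknown request kind: {kind!r}")


def check_request_dn(dn, kind):
    """Validate the CN found in a full subject DN. Returns (ok, reason)."""
    cns = [v for a, v in parse_dn(dn) if a.upper() == "CN"]
    if len(cns) != 1:
        return False, f"expected exactly one CN in subject, found {len(cns)}"
    return validate_cn(cns[0], kind)


if __name__ == "__main__":
    # Constructed from the subject DN quoted in the thread (email attribute omitted).
    OLD_DN = "CN=host/pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK"
    NEW_DN = "CN=pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK"
    for dn in (OLD_DN, NEW_DN):
        ok, reason = check_request_dn(dn, "host")
        print(("OK  " if ok else "REJ ") + dn + (f"  ({reason})" if reason else ""))
```

Running the block prints a rejection for the prefixed DN and an acceptance for the bare one. The operational point raised earlier in the thread still applies: dropping the prefix changes the full subject DN string, so anywhere that DN is embedded (grid-mapfiles, VOMS or MyProxy configuration) will treat the renewed certificate as a different identity until those mappings are updated.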
--
Scanned by iCritical.