Hi
[I don't know how many GridPP sites installed the SARoNGS certificates, but there might be some who
missed the announcement on NGS-OPERATIONS.]
The SARoNGS CA certificate expires on the 30th Nov (this Friday).
As its private key is stored inside an HSM we have issued a new (rather than extended)
Certificate, but it will have the same DN as before. This means:
* It will have a different fingerprint. Previous ones were:
[MD5] E5:F3:A1:8E:14:57:7F:DE:DE:5A:63:48:72:B6:90:0E
[SHA1] DB:1A:6C:5B:78:3E:02:86:70:0B:7D:39:17:C8:0E:49:1D:76:B2:72
New ones are
[MD5] 61:61:02:F3:03:0A:84:F0:9B:FE:7C:37:13:96:B2:B4
[SHA1] EC:1F:30:AF:67:0C:51:2C:6D:63:93:85:F4:3A:5E:F9:98:4A:AB:D1
* It will have the same hash (whether openssl 0.9.X or 1.0.Y) with resulting
Filenames: ccee1974.0 / 57a979d4.0
* It will have the same public (and private) key. This means that when we move
signing to use the new one then sites that haven't yet installed the new one
will authenticate things OK UNTIL 30th Nov. [this is my understanding]
If your Grid resource previous supported the SARoNGS CA certificate then it needs
to install the new one, otherwise it will lose those users.
You can obtain a tarball/rpm/etc containing the SARoNGS certificate (and the other
CA certificate that were approved for use with the NGS in the "NGS" labelled
files on
https://cert.ca.ngs.ac.uk/latest/
NB this tarball can be installed side by side with a standard IGTF-based release. It does NOT
include the UK eScience CA certificates.
Alternatively the appropriate (for your version of openssl) SARoNGS certificate can simply be downloaded
from the following, and can be used to over-write your existing one.
http://www.ngs.ac.uk/use/cacerts
Cheers
John Kewley
NES Support Centre Manager--
Scanned by iCritical.
|