Are there any files like 367b75c3.* or 53729190.* ?
The ones below are Root ones not 2007 CA so they are expected to be there
JK
From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of Alessandra Forti
Sent: Tuesday, January 29, 2013 11:39 AM
To: [log in to unmask]
Subject: Re: Changes in IGTF 1.52
Hi Jens,
I've just upgraded and this is what's left behind in the /etc/grid-security/certificates/ directory
#> rpm -qa ca-policy-egi-core
ca-policy-egi-core-1.52-1.noarch
#> ls /etc/grid-security/certificates/UKeScience*2007*
/etc/grid-security/certificates/UKeScienceRoot-2007.crl_url /etc/grid-security/certificates/UKeScienceRoot-2007.pem
/etc/grid-security/certificates/UKeScienceRoot-2007.info /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
/etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
cheers
alessandra
On 29/01/2013 11:34, Jens Jensen wrote:
Dropping old CA certificate (no valid certs, valid CRL)
These files should go when you upgrade to 1.52:
/etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
It is most important to get rid of *.pem, *.0, and *.r0
We can watch the CRLs for downloads, see which IP addresses they come from.
The main (small) risk is that sites don't remove it (for some reason)
and get hit by the silly test for "expired" at the end of March (at
23:59:59 UTC).
There are associated changes in UKeScienceRoot-2007.namespaces and
UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
download point in UKeScienceRoot-2007.crl_url. There is a slight risk
that a bug has slipped through here, despite checking, due to some
undocumented or non-testable "feature" in the code that uses these files.
That's it. Any Qs or Cs?
Cheers
--jens
--
Facts aren't facts if they come from the wrong people. (Paul Krugman)
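
The check discussed in this thread, as an added example that is not part of the original messages: a shell function that looks only for the dropped CA's files (the three patterns Jens lists), flags *.pem, *.0 and *.r0 as critical, and does not match the UKeScienceRoot-2007.* files that are expected to stay. The function names, the output format and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a trust-anchor directory for
# leftovers of the dropped CA after the upgrade to 1.52.

# audit_dropped_ca [DIR]
# Prints "CRITICAL <path>" for *.pem, *.0 and *.r0 and "LEFTOVER <path>" for
# any other matching file. Return status (assumed convention): 0 clean,
# 1 only non-critical leftovers, 2 critical leftovers, 3 directory missing.
audit_dropped_ca() {
    dir=${1:-/etc/grid-security/certificates}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 3; }
    result=0
    # Patterns as given in the thread. UKeScienceRoot-2007.* is deliberately
    # absent: a glob such as UKeScience*2007* would also match the Root files.
    for f in "$dir"/UKeScienceCA-2007.* "$dir"/367b75c3.* "$dir"/53729190.*; do
        # An unmatched glob stays literal, so skip names that do not exist;
        # -L keeps dangling hash symlinks in the report.
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "$f" in
            *.pem|*.0|*.r0)
                echo "CRITICAL $f"
                result=2 ;;
            *)
                echo "LEFTOVER $f"
                [ "$result" -eq 2 ] || result=1 ;;
        esac
    done
    return "$result"
}

# Constructed sample (not taken from any real host): a temporary directory
# holding two Root files, which must not be reported, plus two leftovers of
# the dropped CA. Prints the directory name.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/UKeScienceRoot-2007.pem" "$d/UKeScienceRoot-2007.crl_url" \
          "$d/UKeScienceCA-2007.info" "$d/367b75c3.r0"
    echo "$d"
}
```

With no argument, `audit_dropped_ca` checks /etc/grid-security/certificates.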