We should read the file names more carefully - it's the Root files which
are left behind, not the CA Certificate itself.
John
On 29/01/2013 11:52, Jens Jensen wrote:
> Curious - what happens if you do (say)
>
> rpm -qf /etc/grid-security/certificates/UKeScienceCA-2007.pem
>
> ...?
>
> Cheers
> --jens
>
>
> On 29/01/2013 11:38, Alessandra Forti wrote:
>> Hi Jens,
>>
>> I've just upgraded and this is what's left behind in the
>> /etc/grid-security/certificates/ directory
>>
>> #> rpm -qa ca-policy-egi-core
>> ca-policy-egi-core-1.52-1.noarch
>>
>> #> ls /etc/grid-security/certificates/UKeScience*2007*
>> /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
>> /etc/grid-security/certificates/UKeScienceRoot-2007.pem
>> /etc/grid-security/certificates/UKeScienceRoot-2007.info
>> /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
>> /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
>>
>> cheers
>> alessandra
>>
>>
>> On 29/01/2013 11:34, Jens Jensen wrote:
>>> Dropping old CA certificate (no valid certs, valid CRL)
>>> These files should go when you upgrade to 1.52:
>>> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
>>>
>>> It is most important to get rid of *.pem, *.0, and *.r0
>>>
>>> We can watch the CRLs for downloads, see which IP addresses they come from.
>>>
>>> The main (small) risk is that sites don't remove it (for some reason)
>>> and get hit by the silly test for "expired" at the end of March (at
>>> 23:59:59 UTC).
>>>
>>> There are associated changes in UKeScienceRoot-2007.namespaces and
>>> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
>>> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
>>> that a bug has slipped through here, despite checking, due to some
>>> undocumented or non-testable "feature" in the code that uses these files.
>>>
>>> That's it. Any Qs or Cs?
>>>
>>> Cheers
>>> --jens
>>>
>>
>>
>> --
>> Facts aren't facts if they come from the wrong people. (Paul Krugman)
>
>
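A post-upgrade check for the cleanup described in the thread, added here as an example (it is not part of the thread or of the ca-policy-egi-core package). The base names and the "most important" suffixes are the ones Jens lists; the function names and return codes are assumptions.

```shell
#!/bin/sh
# Added example: report files of the retired CA that survived the upgrade.
# Usage: check_retired_ca [DIR]   (DIR defaults to the path from the thread)

find_retired_ca_files() {
    dir=${1:-/etc/grid-security/certificates}
    # Base names from the thread: the old CA alias and its two hash names.
    # UKeScienceRoot-2007.* is deliberately not matched: the Root stays.
    for base in UKeScienceCA-2007 367b75c3 53729190; do
        for f in "$dir/$base".*; do
            # Skip the literal pattern when the glob matched nothing;
            # -L keeps dangling symlinks (hash names are often links).
            [ -e "$f" ] || [ -L "$f" ] || continue
            case "$f" in
                # Certificate, hash-named certificate and hash-named CRL:
                # the files the thread says matter most.
                *.pem|*.0|*.r0) printf 'CRITICAL %s\n' "$f" ;;
                *)              printf 'LEFTOVER %s\n' "$f" ;;
            esac
        done
    done
}

check_retired_ca() {
    # Returns 0 if clean, 1 if only metadata is left, 2 if a trust
    # anchor or CRL of the retired CA is still installed.
    out=$(find_retired_ca_files "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | grep -q '^CRITICAL '; then
        return 2
    fi
    return 1
}
```

Any file it reports can then be passed to `rpm -qf`, as suggested in the thread, to see whether a package still owns it.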