Yes, of course - thanks, John! The Root-2007 should still be there!!
Not enough caffeine.
-j
On 29/01/2013 11:57, John Hill wrote:
> We should read the file names more carefully - it's the Root files
> which are left behind, not the CA Certificate itself.
>
> John
>
> On 29/01/2013 11:52, Jens Jensen wrote:
>> Curious - what happens if you do (say)
>>
>> rpm -qf /etc/grid-security/certificates/UKeScienceCA-2007.pem
>>
>> ...?
>>
>> Cheers
>> --jens
>>
>>
>> On 29/01/2013 11:38, Alessandra Forti wrote:
>>> Hi Jens,
>>>
>>> I've just upgraded and this is what's left behind in the
>>> /etc/grid-security/certificates/ directory
>>>
>>> #> rpm -qa ca-policy-egi-core
>>> ca-policy-egi-core-1.52-1.noarch
>>>
>>> #> ls /etc/grid-security/certificates/UKeScience*2007*
>>> /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
>>> /etc/grid-security/certificates/UKeScienceRoot-2007.pem
>>> /etc/grid-security/certificates/UKeScienceRoot-2007.info
>>> /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
>>> /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
>>>
>>> cheers
>>> alessandra
>>>
>>>
>>> On 29/01/2013 11:34, Jens Jensen wrote:
>>>> Dropping old CA certificate (no valid certs, valid CRL)
>>>> These files should go when you upgrade to 1.52:
>>>> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
>>>>
>>>>
>>>> It is most important to get rid of *.pem, *.0, and *.r0
>>>>
>>>> We can watch the CRLs for downloads, see which IP addresses they
>>>> come from.
>>>>
>>>> The main (small) risk is that sites don't remove it (for some reason)
>>>> and get hit by the silly test for "expired" at the end of March (at
>>>> 23:59:59 UTC).
>>>>
>>>> There are associated changes in UKeScienceRoot-2007.namespaces and
>>>> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
>>>> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
>>>> that a bug has slipped through here, despite checking, due to some
>>>> undocumented or non-testable "feature" in the code that uses these
>>>> files.
>>>>
>>>> That's it. Any Qs or Cs?
>>>>
>>>> Cheers
>>>> --jens
>>>>
>>>
>>>
>>> --
>>> Facts aren't facts if they come from the wrong people. (Paul Krugman)
>>
>>
>> --
>> Scanned by iCritical.
>>
>>
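The post-upgrade check discussed in this thread, as an added example that is not part of any of the messages: it looks only for the retired `UKeScienceCA-2007.*`, `367b75c3.*` and `53729190.*` files, so the `UKeScienceRoot-2007.*` files are correctly ignored. The function names, severity labels and exit codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit a trust-anchor directory for leftovers of the retired CA.
# File stems are the ones named in the announcement; everything else
# (function names, "critical"/"minor", exit codes) is made up for this sketch.

RETIRED_STEMS="UKeScienceCA-2007 367b75c3 53729190"

# Print one line per leftover file: "<severity> <path>".
# critical = .pem, .0, .r0 (the files the announcement says matter most).
find_leftovers() {
    dir=$1
    for stem in $RETIRED_STEMS; do
        for f in "$dir/$stem".*; do
            # Skip an unmatched glob, but keep dangling symlinks: -e is
            # false for a link whose target was already removed.
            [ -e "$f" ] || [ -L "$f" ] || continue
            case "${f##*.}" in
                pem|0|r0) echo "critical $f" ;;
                *)        echo "minor $f" ;;
            esac
        done
    done
}

# Exit status: 0 clean, 1 only minor leftovers, 2 critical leftovers.
audit_dir() {
    out=$(find_leftovers "$1")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | grep -q '^critical '; then
        return 2
    fi
    return 1
}

# Run as a script: ./audit.sh /etc/grid-security/certificates
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
    exit $?
fi
```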