Since I am at Daresbury, John Kewley and I have taken advantage of being
in the same room to hack some CA.
Remember, you can always renew in CertWizard - in production.
We now also have code (in OpenCA, in **TEST** not prod'n) which will
accept renewal of host certificates without DNs VIA OPENCA.
The catch is that we are now breaking workflow - remember that we left
it to the owner to decide whether to keep email (renew) or to lose it
(new request).
So here's what we can do after an afternoon's hacking:
* Certificate has email in DN and is renewed => email is kept (as by the
  Covenant, as before)
* Certificate does not have email in DN and is renewed =>
  * If it's a PKCS#10 (CertWizard, IE), renewal is done correctly
    (feature).
  * If it's SPKAC (Firefox), the email is reintroduced into the DN! (bug)
New requests will be processed as before (should be). Now I am
wondering whether it is worth (a) fixing the remaining bug, the SPKAC
renewal one, or (b) we finally drop emails in DNs altogether, or (c) we
ignore the problem and ask people to use CW.
For (a), it'd take a bit of work, slightly subtle. For (b) it'd need
some wider consultation. In the past year, only about 1/3 of DNs have
had their emails removed.
Remember the OpenCA stuff isn't deployed on the production system yet.
Currently the production system will not accept renewal of host
certificates without email addresses. CertWizard will do this happily,
because it bypasses the old OpenCA code and goes straight to the archive.
Cheers
--jens
On 20/02/2013 17:36, John Kewley wrote:
> There won't be a command line version of CertWizard, but we have a new version of PeCR "in the pipeline" which will of course be command line.
>
> JK
>
>> -----Original Message-----
>> From: Christopher J. Walker [mailto:[log in to unmask]]
>> Sent: Wednesday, February 20, 2013 5:35 PM
>> To: Testbed Support for GridPP member institutes
>> Cc: Kewley, John (STFC,DL,SC)
>> Subject: Re: problem to renew a host certificate
>>
>> On 20/02/13 16:33, John Kewley wrote:
>>>> It is recommended to use the Certificate Wizard for all renewals now, I
>>>> believe.
>>> Correct
>>>
>>>> The web site doesn't reflect this, I know - it ought to be
>>>> changed. I've renewed host certificates that way for several months now.
>>> If you go to
>>> https://ca.grid-support.ac.uk
>>>
>>> You get the following text in red writing:
>>>
>>> "CertWizard
>>> Please use the CertWizard for all User Certificate applications and renewals. The
>>> process below should only be used for Host certificate requests."
>>> So apologies! This should be changed as we'd like to encourage people
>>> requesting/renewing host certs to use CertWizard as well.
>> Are you planning to produce a command line version of CertWizard?
>>
>> Chris
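As an added illustration (not code from this thread, nor from OpenCA or CertWizard): a shell check a CA operator could run on a PKCS#10 renewal request, comparing whether the request's subject DN carries an emailAddress RDN with whether the certificate being renewed does. That is the rule described above for the PKCS#10 path (email kept only if the old DN had it). SPKAC requests carry just a public key and a challenge, with no subject DN, so for the Firefox path the DN is rebuilt from the CA's own records and this check cannot be applied to the request itself. The DN layout, hostname and address are constructed sample values, and the script assumes the openssl command line is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Decides whether a PKCS#10
# renewal request keeps or drops emailAddress consistently with the
# certificate it renews. DN layout and names below are constructed samples.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One throwaway key; every constructed CSR and certificate reuses it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null

# Exit 0 if the subject DN of a PEM PKCS#10 CSR contains emailAddress, else 1.
csr_has_email() {
    openssl req -in "$1" -noout -subject | grep -q 'emailAddress'
}

# Same question for an X.509 certificate (the one being renewed).
cert_has_email() {
    openssl x509 -in "$1" -noout -subject | grep -q 'emailAddress'
}

# Policy from the thread: the email stays in the DN if and only if the
# certificate being renewed had it. Exit 0 when the CSR satisfies this.
renewal_policy_ok() {   # $1 = old certificate, $2 = renewal CSR
    if cert_has_email "$1"; then
        csr_has_email "$2"
    else
        ! csr_has_email "$2"
    fi
}

make_csr() {            # $1 = output file, $2 = subject (OpenSSL -subj syntax)
    openssl req -new -key "$WORK/key.pem" -subj "$2" -out "$1" 2>/dev/null
}

make_selfsigned() {     # $1 = output file, $2 = subject; stands in for the old cert
    openssl req -new -x509 -key "$WORK/key.pem" -subj "$2" -days 1 \
        -out "$1" 2>/dev/null
}

# Constructed sample DNs (assumed layout, not a real CA's).
SUBJ_EMAIL='/C=UK/O=eScience/OU=Daresbury/CN=test.example.org/emailAddress=admin@example.org'
SUBJ_NOEMAIL='/C=UK/O=eScience/OU=Daresbury/CN=test.example.org'

make_selfsigned "$WORK/old-email.pem"   "$SUBJ_EMAIL"
make_selfsigned "$WORK/old-noemail.pem" "$SUBJ_NOEMAIL"
make_csr        "$WORK/csr-email.pem"   "$SUBJ_EMAIL"
make_csr        "$WORK/csr-noemail.pem" "$SUBJ_NOEMAIL"

# Report every old-cert / CSR pairing; the two mismatches are the cases a CA
# front end should refuse (or, as in the SPKAC bug above, silently rewrite).
for old in old-email old-noemail; do
    for csr in csr-email csr-noemail; do
        if renewal_policy_ok "$WORK/$old.pem" "$WORK/$csr.pem"; then
            verdict=OK
        else
            verdict=MISMATCH
        fi
        printf '%-12s renewed by %-12s : %s\n' "$old" "$csr" "$verdict"
    done
done
```

Run it as-is to see the four pairings; to check a real renewal, point `renewal_policy_ok` at the existing certificate and the incoming CSR. A request that fails the check is exactly the case where the owner has changed their mind about the email address and should be submitting a new request rather than a renewal.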