Exactly!
Except it doesn't have to be an "NGI" CA Operator, it can be any RA Operator whose DN is not in the same RA as the certificate in question. This "3rd party RA Op" should make it very clear in the reasons for revocation that it is a temporary request and the certificate owner should inform their RA Ops that this will be happening before it happens. The RA Op should then ignore it. Even if it was approved, you'd still have until signing to get an RA Op or CA Op to delete the request.
Cheers
JK
-----Original Message-----
From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of John Hill
Sent: 26 March 2013 14:28
To: [log in to unmask]
Subject: Re: CertWizard + Java
Hi Daniela,
I can't comment on whether it is currently possible to request a new host certificate without revoking the old one - however there is a way forward if it isn't possible:
- NGI requests a revocation of the certificate
- The RA does not act on this, which leaves the certificate in a strange limbo state, which allows you to request a new certificate
- Install the new certificate once it is signed
- Permit the RA to revoke the old certificate
This of course requires the RA to play along - but certainly at Cambridge the RA seems to take the view that if NGI is happy with the procedure, then so are they.
As I said at the start, this procedure may or may not be necessary - I'll know next week when I request some new host certificates.
John
> Hi,
>
> Just to come back to this. So the old scripts still work for renewal,
> but there seems to be no way to ask for a new cert without revoking
> the old one first. For obvious reasons I can't do this (short of
> taking the site down with it), so what is the suggestion to deal with
> this?
>
> Cheers,
> Daniela
>
>
>
>
> On 20 March 2013 17:42, David Meredith <[log in to unmask]> wrote:
>
>> Hi Alessandra, all
>> Sure, this has been raised before: a scriptable CLI interface is on
>> our TODO list (update of our perl scripts +/- a cmd cli to CertWizard jars).
>> Thanks
>> David
>>
>>
>> > -----Original Message-----
>> > From: Testbed Support for GridPP member institutes [mailto:TB-
>> > [log in to unmask]] On Behalf Of Alessandra Forti
>> > Sent: 20 March 2013 17:11
>> > To: [log in to unmask]
>> > Subject: Re: CertWizard + Java
>> >
>> > On 20/03/2013 17:03, Stephen Jones wrote:
>> > > CertWizard has almost all of those attributes, but misses two
>> > > desirable ones - few dependencies (due to Java), and a simple
>> API/CLI
>> > > that is scriptable.
>> > I agree. I don't like it for these reasons either.
>> >
>> > --
>> > Facts aren't facts if they come from the wrong people. (Paul
>> > Krugman)
>> --
>> Scanned by iCritical.
>>
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>