> /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
I think this is the [old] sha1 authority
> /DC=ch/DC=cern/CN=CERN Grid Certification Authority
and this is the new sha2 one.
My guess is that this hierarchy came into use in IGTF 1.54 (we are now on 1.61).
Unlike the UK CA, they took the approach of adding an additional certificate hierarchy.
Here is the summary of the CHANGEs for 1.54:
---
Changes from 1.53 to 1.54
-------------------------
(24 June 2013)
* Extended life time of Grid-KA CA (dd4b34ea) (DE)
* Added new CERN hierarchy for CERN IT/IS CA (SHA2 migration) (CH)
* Updated metadata for GridGermany DFN-CERT CAs (DE)
* Updated contact metadata for KEK (JP)
* Updated contact metadata for HKU (HK)
* Updated contact metadata for AIST (JP)
---
I'm guessing that the old CA is still fine, but some people *might* still have certs signed with the
old sha1 certificate for a few months yet as I don't know when they stopped issuing them.
I'm therefore guessing that both CAs need to be trusted and certs could come from either for another
month or so.
I'll check and see who knows.
Cheers
JK