Ah, so you expect them to still depend on the certificate itself rather
than the DN.  Good point, that will need updating.

For everyone out there, the VOMS certificate is available here:
http://ca.grid-support.ac.uk/pub/rollover/certs/5530.pem

I am fairly confident that the whole scheme will work and also that it
will be worth the effort, although given past experience some things
will break, as they somehow always do, despite all the efforts to
prevent breakage.  There has been a lot of testing behind this.

Thanks for pointing it out - can people who depend on the VOMS server
certificate please ensure they have the above certificate installed?

Thanks
--jens

Alessandra Forti wrote:
> Hi Jens,
> 
> we received a certificate also for the VOMS server. I suspect that this
> might affect users using the GridPP VOMS, depending on how the UIs and
> various services used are configured. We'll have to test it...
> 
> cheers
> alessandra
> 
> Jensen, J (Jens) wrote:
>> Dear all,
>>
>> As some of you may have heard, we are finally getting round to closing
>> down the old CA hierarchy (the one where an encrypted copy of the root's
>> private key mysteriously went walkabout).
>>
>> Most users have long been moved over; for the remaining ones we decided
>> to try out a new method: re-signing certificates under the new key pair.
>>
>> This method could make people's lives easier in the future because we
>> can to a larger extent automate the process, like a certificate
>> "subscription" - you simply get a new one when you need it.  (RA will
>> still be involved but I want to disassociate the RA approval step from
>> the issuance step further.)
>>
>> My hidden agenda is to make the CA better able to scale to handling the
>> large numbers of requests it's handling.  This will have to be done in
>> steps to avoid disrupting normal services.
>>
>> For more information about the current process, please refer to the
>> following page:
>> http://www.grid-support.ac.uk/content/view/399/1/
>>
>> The users who have been "volunteered" for the trial have already been
>> contacted (apart from some for whom the signing failed; they should
>> receive theirs later today).  If you haven't been "volunteered", you
>> don't need to do anything; the old certificates will automatically drop
>> out of the distribution at the next release.
>>
>> The only gotcha is a bug in IE which I have one report about so far.
>> For users with personal certificates in IE, they may have to do an old
>> fashioned renewal.  If I can replicate the bug, I will file a bug report
>> with MS.
>>
>> Cheers
>> --jens
>>   
>
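
The point raised at the top of the thread (a service that depends on the certificate itself, rather than on the DN, needs the new certificate installed after re-signing) can be reproduced locally with the openssl command line. This is an added example, not part of the original messages or the CA's own tooling; the CA names, the DN `voms.example.org`, the file paths and the helper functions are all constructed, and it assumes that re-signing keeps the holder's key pair and subject DN.

```shell
#!/bin/sh
# Added illustration: every DN, CA name and file path here is constructed.
set -e

# Two throwaway CAs ("old", "new") sign the same server CSR.
# Assumption: re-signing keeps the holder's key pair and subject DN.
make_resigned_pair() {
  d=$1
  for ca in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/C=XX/O=Example/CN=Example CA $ca" \
      -keyout "$d/ca-$ca.key" -out "$d/ca-$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=XX/O=Example/CN=voms.example.org" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  for ca in old new; do
    openssl x509 -req -in "$d/srv.csr" -days 30 -set_serial 1 \
      -CA "$d/ca-$ca.pem" -CAkey "$d/ca-$ca.key" \
      -out "$d/srv-$ca.pem" 2>/dev/null
  done
}

subject_dn()  { openssl x509 -noout -subject -in "$1"; }
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }
pubkey_hash() { openssl x509 -noout -pubkey -in "$1" | openssl sha256; }

# Relying party that trusts by name: chain must verify and the DN must match.
trust_by_dn() {   # args: cert, expected subject, CA bundle
  [ "$(subject_dn "$1")" = "$2" ] &&
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
}
# Relying party that pinned one specific certificate.
trust_by_pin() {  # args: cert, pinned fingerprint
  [ "$(fingerprint "$1")" = "$2" ]
}

demo() {
  d=$(mktemp -d); make_resigned_pair "$d"
  dn=$(subject_dn "$d/srv-old.pem"); pin=$(fingerprint "$d/srv-old.pem")
  trust_by_dn "$d/srv-new.pem" "$dn" "$d/ca-new.pem" &&
    echo "DN check: re-signed certificate accepted"
  trust_by_pin "$d/srv-new.pem" "$pin" ||
    echo "pin check: rejected until the new certificate is installed"
  rm -rf "$d"
}
demo
```

The subject and public key are identical across the two certificates, but the issuer and signature differ, so any comparison against the stored certificate file or its fingerprint fails until the stored copy is replaced.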