Just to follow up from this! It turns out Sergey is using a certificate which is different from the one I had re-signed. His certificate is number 0x4026 and it is not affected by finalising the rollover.

The certificate I had reissued was to a slightly different name: host/voms.gridpp.ac.uk, the one that Sergey is using is voms.gridpp.ac.uk, hence the confusion.

So there is nothing wrong with the current VOMS certificate (0x4026).

Many apologies for the confusion.

--jens

Jensen, J (Jens) wrote:
> Ah, so you expect them to still depend on the certificate itself rather
> than the DN. Good point, that will need updating.
>
> For everyone out there, the VOMS certificate is available here:
> http://ca.grid-support.ac.uk/pub/rollover/certs/5530.pem
>
> I am fairly confident that the whole scheme will work and also that it
> will be worth the effort, although given past experience some things
> will break, as they somehow always do, despite all the efforts to
> prevent breakage. There has been a lot of testing behind this.
>
> Thanks for pointing it out - can people who depend on the VOMS server
> certificate please ensure they have the above certificate installed?
>
> Thanks
> --jens
>
> Alessandra Forti wrote:
>> Hi Jens,
>>
>> we received a certificate also for the VOMS server. I suspect that this
>> might affect users using the GridPP VOMS, depending on how the UIs and
>> various services used are configured. We'll have to test it...
>>
>> cheers
>> alessandra
>>
>> Jensen, J (Jens) wrote:
>>> Dear all,
>>>
>>> As some of you may have heard, we are finally getting round to close
>>> down the old CA hierarchy (the one where an encrypted copy of the root's
>>> private key mysteriously went walkabout).
>>>
>>> Most users have long been moved over, for the remaining ones we decided
>>> to try out a new method: re-signing certificates under the new key pair.
>>>
>>> This method could make people's lives easier in the future because we
>>> can to a larger extent automate the process, like a certificate
>>> "subscription" - you simply get a new one when you need it. (RA will
>>> still be involved but I want to disassociate the RA approval step from
>>> the issuance step further.)
>>>
>>> My hidden agenda is to make the CA better able to scale to handling the
>>> large numbers of requests it's handling. This will have to be done in
>>> steps to avoid disrupting normal services.
>>>
>>> For more information about the current process, please refer to the
>>> following page:
>>> http://www.grid-support.ac.uk/content/view/399/1/
>>>
>>> The users who have been "volunteered" for the trial have already been
>>> contacted (apart from some for whom the signing failed, they should
>>> receive theirs later today.) If you haven't been "volunteered", you
>>> don't need to do anything, the old certificates will automatically drop
>>> out of the distribution at the next release.
>>>
>>> The only gotcha is a bug in IE which I have one report about so far.
>>> For users with personal certificates in IE, they may have to do an old
>>> fashioned renewal. If I can replicate the bug, I will file a bug report
>>> with MS.
>>>
>>> Cheers
>>> --jens