Hi Jens,
I've just upgraded and this is what's left behind in the
/etc/grid-security/certificates/ directory
#> rpm -qa ca-policy-egi-core
ca-policy-egi-core-1.52-1.noarch
#> ls /etc/grid-security/certificates/UKeScience*2007*
/etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
/etc/grid-security/certificates/UKeScienceRoot-2007.pem
/etc/grid-security/certificates/UKeScienceRoot-2007.info
/etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
/etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
cheers
alessandra
On 29/01/2013 11:34, Jens Jensen wrote:
> Dropping old CA certifiate (no valid certs, valid CRL)
> These files should go when you upgrade to 1.52:
> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
>
> It is most important to get rid of *.pem, *.0, and *.r0
>
> We can watch the CRLs for downloads, see which IP addresses they come from.
>
> The main (small) risk is that sites don't remove it (for some reason)
> and get hit by the silly test for "expired" at the end of March (at
> 23:59:59 UTC).
>
> There are associated changes in UKeScienceRoot-2007.namespaces and
> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
> that a bug has slipped through here, despite checking, due to some
> undocumented or non-testable "feature" in the code that uses these files.
>
> That's it. Any Qs or Cs?
>
> Cheers
> --jens
>
--
Facts aren't facts if they come from the wrong people. (Paul Krugman)
