Hi Jens, I've just upgraded and this is what's left behind in the /etc/grid-security/certificates/ directory #> rpm -qa ca-policy-egi-core ca-policy-egi-core-1.52-1.noarch #> ls /etc/grid-security/certificates/UKeScience*2007* /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url /etc/grid-security/certificates/UKeScienceRoot-2007.pem /etc/grid-security/certificates/UKeScienceRoot-2007.info /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces cheers alessandra On 29/01/2013 11:34, Jens Jensen wrote: > Dropping old CA certifiate (no valid certs, valid CRL) > These files should go when you upgrade to 1.52: > /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*} > > It is most important to get rid of *.pem, *.0, and *.r0 > > We can watch the CRLs for downloads, see which IP addresses they come from. > > The main (small) risk is that sites don't remove it (for some reason) > and get hit by the silly test for "expired" at the end of March (at > 23:59:59 UTC). > > There are associated changes in UKeScienceRoot-2007.namespaces and > UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL > download point in UKeScienceRoot-2007.crl_url. There is a slight risk > that a bug has slipped through here, despite checking, due to some > undocumented or non-testable "feature" in the code that uses these files. > > That's it. Any Qs or Cs? > > Cheers > --jens > -- Facts aren't facts if they come from the wrong people. (Paul Krugman)