Hi Jens,

I've just upgraded and this is what's left behind in the /etc/grid-security/certificates/ directory

#> rpm -qa ca-policy-egi-core
ca-policy-egi-core-1.52-1.noarch

#> ls /etc/grid-security/certificates/UKeScience*2007*
/etc/grid-security/certificates/UKeScienceRoot-2007.crl_url     /etc/grid-security/certificates/UKeScienceRoot-2007.pem
/etc/grid-security/certificates/UKeScienceRoot-2007.info        /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
/etc/grid-security/certificates/UKeScienceRoot-2007.namespaces

cheers
alessandra


On 29/01/2013 11:34, Jens Jensen wrote:
[log in to unmask]" type="cite"> 
Dropping old CA certifiate (no valid certs, valid CRL)
These files should go when you upgrade to 1.52:
/etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}

It is most important to get rid of *.pem, *.0, and *.r0

We can watch the CRLs for downloads, see which IP addresses they come from.

The main (small) risk is that sites don't remove it (for some reason)
and get hit by the silly test for "expired" at the end of March (at
23:59:59 UTC).

There are associated changes in UKeScienceRoot-2007.namespaces and
UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
download point in UKeScienceRoot-2007.crl_url. There is a slight risk
that a bug has slipped through here, despite checking, due to some
undocumented or non-testable "feature" in the code that uses these files.

That's it.  Any Qs or Cs?

Cheers
--jens




-- 
Facts aren't facts if they come from the wrong people. (Paul Krugman)