Hi Jens,

I missed the difference initially myself as well!

I guess that we should remove /etc/grid-security/certificates/367b75c3.r0 manually? It isn't associated with any RPM after upgrading to 1.52.

Cheers,
John

On 29/01/2013 12:08, Jens Jensen wrote:
> Yes, of course - thanks, John! The Root-2007 should still be there!!
>
> Not enough caffeine.
>
> -j
>
> On 29/01/2013 11:57, John Hill wrote:
>> We should read the file names more carefully - it's the Root files
>> which are left behind, not the CA Certificate itself.
>>
>> John
>>
>> On 29/01/2013 11:52, Jens Jensen wrote:
>>> Curious - what happens if you do (say)
>>>
>>> rpm -qf /etc/grid-security/certificates/UKeScienceCA-2007.pem
>>>
>>> ...?
>>>
>>> Cheers
>>> --jens
>>>
>>>
>>> On 29/01/2013 11:38, Alessandra Forti wrote:
>>>> Hi Jens,
>>>>
>>>> I've just upgraded and this is what's left behind in the
>>>> /etc/grid-security/certificates/ directory
>>>>
>>>> #> rpm -qa ca-policy-egi-core
>>>> ca-policy-egi-core-1.52-1.noarch
>>>>
>>>> #> ls /etc/grid-security/certificates/UKeScience*2007*
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.pem
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.info
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
>>>>
>>>> cheers
>>>> alessandra
>>>>
>>>>
>>>> On 29/01/2013 11:34, Jens Jensen wrote:
>>>>> Dropping old CA certificate (no valid certs, valid CRL)
>>>>> These files should go when you upgrade to 1.52:
>>>>> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
>>>>>
>>>>>
>>>>> It is most important to get rid of *.pem, *.0, and *.r0
>>>>>
>>>>> We can watch the CRLs for downloads, see which IP addresses they
>>>>> come from.
>>>>>
>>>>> The main (small) risk is that sites don't remove it (for some reason)
>>>>> and get hit by the silly test for "expired" at the end of March (at
>>>>> 23:59:59 UTC).
>>>>>
>>>>> There are associated changes in UKeScienceRoot-2007.namespaces and
>>>>> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
>>>>> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
>>>>> that a bug has slipped through here, despite checking, due to some
>>>>> undocumented or non-testable "feature" in the code that uses these
>>>>> files.
>>>>>
>>>>> That's it. Any Qs or Cs?
>>>>>
>>>>> Cheers
>>>>> --jens
>>>>>
>>>>
>>>>
>>>> --
>>>> Facts aren't facts if they come from the wrong people. (Paul Krugman)
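
The check discussed in this thread, as an added example that is not part of the original messages: a shell helper that lists leftovers of the retired CA by the three prefixes Jens named (so the `UKeScienceRoot-2007.*` files are not matched), flags the `*.pem`, `*.0` and `*.r0` suffixes, and asks `rpm -qf` who owns each file when `rpm` is installed. The function and variable names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: find leftovers of the retired
# UK e-Science CA-2007 in a trust-anchor directory.
# The three prefixes come from the announcement; helper names are assumptions.

RETIRED_PREFIXES="UKeScienceCA-2007 367b75c3 53729190"

# Print every file in directory $1 named "<retired prefix>.<suffix>".
# UKeScienceRoot-2007.* is deliberately not matched: the Root stays installed.
find_retired_ca_files() {
    dir=$1
    for prefix in $RETIRED_PREFIXES; do
        for f in "$dir/$prefix".*; do
            # An unmatched glob stays literal; skip it (keep dangling symlinks).
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
        done
    done
}

# "critical" for the suffixes the announcement singles out (*.pem, *.0, *.r0),
# "other" for the remaining metadata files (.info, .crl_url, ...).
classify_retired_file() {
    case "$1" in
        *.pem|*.0|*.r0) echo critical ;;
        *) echo other ;;
    esac
}

# One line per leftover: class, path, and the owning package if rpm can tell.
report_retired_ca_files() {
    find_retired_ca_files "$1" | while IFS= read -r f; do
        owner="rpm not available"
        if command -v rpm >/dev/null 2>&1; then
            # rpm -qf exits non-zero when no package owns the file.
            owner=$(rpm -qf "$f" 2>/dev/null) || owner="not owned by any package"
        fi
        printf '%s\t%s\t%s\n' "$(classify_retired_file "$f")" "$f" "$owner"
    done
}

# Usage: report_retired_ca_files /etc/grid-security/certificates
```

A file reported as `critical` and not owned by any package is the case John describes for `367b75c3.r0`.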