> Hi John,

Hi

> I'm picking up an action that I got at the ops meeting today that relates to the GGUS ticket
> I raised on "EMI3 ARGUS DN with EMAILADDRESS", i.e. https://ggus.eu/tech/ticket_show.php?ticket=92585
>
> Forgive me if we've been over this, or if it's covered elsewhere. The requirements I have are these.

NP - if in doubt ... ask! That's what I reckon.

> :--- reqs ---
> For all the machines in my cluster, I want to acquire host certificates that have no email-address
> component in the DN field.

Excellent!

> I want a period of overlap, during which both versions of each certificate are valid. This is to allow the
> current certificate to cover the interim period between acquiring and later installing host certificates
> without email-address components.

In normal circumstances you cannot apply for a NEW certificate if it has the same DN as one that already exists and is unexpired - you'd have to revoke (or at least get suspended) your old one first.

This will be fine though - just apply for a new certificate with the same CN - don't worry unduly that the emailAddress will look like it is present. We kept the requirement that the request has it there to
cut down on the changes we had to make to the OpenCA signing process.

> I then want to install these onto all my machines without taking any of them out of action, perhaps
> retiring the old certificates once it's done.

The best you can do is to restrict the downtime/disruption to the moment when you actually swap out the old one and slot in the new one. Different services/processes will handle this in different ways with varying degrees of disruption.

> I'd be very grateful if you could comment on the best approach to do this.

As above, just go for it - apply for a new one. It should come back without an email address. Then you can install it as you would for a renewal.

BUT if your service's DN is used anywhere then it *might* need updating (although this isn't common). For instance myproxy servers and VOMS servers have had issues with this in the past.

> As a goal, a suitable procedure might include the use of Browser, Cert Wizard (or Email?) processes.

Use CertWizard

> As we have a diverse community, it is quite likely that several methods are current - is any method 
> recommended over another?

I'd use CertWizard. We haven't turned off the other methods yet, but there are times when diversity isn't always 
a good thing and this is one of them.

Let me know how you get on.

Cheers

JK
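The checks an admin would want to run before the swap-over described above (new certificate has no emailAddress in its subject DN, keeps the same CN, and its validity overlaps the old one) as a small added example in Go. This is not code from the thread or from the CA; it uses only the Go standard library, and the DN fields, host name and validity dates are constructed sample values, not a real site's data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is the PKCS#9 emailAddress attribute (1.2.840.113549.1.9.1),
// the DN component that the new host certificates must no longer carry.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// ParsePEM decodes the first CERTIFICATE block in a PEM file, e.g. hostcert.pem.
func ParsePEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SubjectHasEmail reports whether the subject DN carries an emailAddress RDN.
// pkix.Name.Names holds every parsed attribute, so we match on the OID rather
// than on the printed form, which differs between OpenSSL versions.
func SubjectHasEmail(cert *x509.Certificate) bool {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			return true
		}
	}
	return false
}

// SameCN reports whether both certificates name the same host.
func SameCN(a, b *x509.Certificate) bool {
	return a.Subject.CommonName == b.Subject.CommonName
}

// ValidityOverlap returns the window in which both certificates are valid,
// i.e. the period during which either one may be installed, and false if the
// two periods do not overlap at all.
func ValidityOverlap(a, b *x509.Certificate) (time.Time, time.Time, bool) {
	start, end := a.NotBefore, a.NotAfter
	if b.NotBefore.After(start) {
		start = b.NotBefore
	}
	if b.NotAfter.Before(end) {
		end = b.NotAfter
	}
	return start, end, end.After(start)
}

// selfSigned builds a throw-away self-signed certificate standing in for a
// CA-issued host certificate (sample data only).
func selfSigned(subject pkix.Name, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		DNSNames:     []string{subject.CommonName},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCerts returns an "old" certificate whose DN still has an emailAddress
// and a "new" one for the same host without it, with overlapping validity.
// The DN values and dates are constructed for the example.
func SampleCerts() (oldCert, newCert *x509.Certificate, err error) {
	base := pkix.Name{Country: []string{"UK"}, Organization: []string{"eScience"},
		OrganizationalUnit: []string{"ExampleSite"}, CommonName: "host.example.org"}
	withEmail := base
	withEmail.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: "admin@example.org"}}
	now := time.Now().UTC().Truncate(time.Second)
	if oldCert, err = selfSigned(withEmail, now.AddDate(0, -9, 0), now.AddDate(0, 3, 0)); err != nil {
		return nil, nil, err
	}
	if newCert, err = selfSigned(base, now, now.AddDate(1, 0, 0)); err != nil {
		return nil, nil, err
	}
	return oldCert, newCert, nil
}

func main() {
	oldCert, newCert, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	fmt.Println("old CN:", oldCert.Subject.CommonName, "emailAddress:", SubjectHasEmail(oldCert))
	fmt.Println("new CN:", newCert.Subject.CommonName, "emailAddress:", SubjectHasEmail(newCert))
	start, end, ok := ValidityOverlap(oldCert, newCert)
	fmt.Println("same CN:", SameCN(oldCert, newCert), "overlap:", ok, start, "->", end)
}
```

On a real host, read the two files with ParsePEM instead of calling SampleCerts; the three checks are the same. Note that these checks only cover the certificate itself: whether a myproxy or VOMS configuration still lists the old DN string has to be grepped for separately.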