John(K), all,

Here's my catchup email....

---------------------------------------------------------------
First problem - Do we need New certificates?

Answer: I've contacted Leif Nixon directly, and this is (part of) his 
response:

 > For all hosts that were vulnerable, you should get a completely
 > new certificate; i.e. generate a new private and public key pair
 > and get a certificate based on that. (The precise procedure for
 > this depends on your particular CA, of course.)

So if we "renew" a certificate, does the "renewed" certificate
have different keys to the original one?  If "renewal" does result in
new keys, then it is perfectly OK to simply renew the certificate in
the normal manner, as we do each year.

If "renewal" does not result in new keys, then it is not the right
procedure. In which case, we all have to go the full loop and get
completely new certificates (generating new key pairs).

---------------------------------------------------------------
Second problem - Assuming we need to, how do we get
new certificates without breaking systems?

Answer: Up in the air at the moment. The choices I can see are:

A) Use workaround (get a friendly RA Op from another RA to request
   the revocation for me, and persuade my RA Op to delay approving
   the process).

   Pros: ready now (but needs testing?)
   Cons: Fragile process. Multiple unknown RA Ops (local and remote) who
   need to be identified, informed and synchronised.

B) Find a slicker procedure to get it done without multiple RA Ops

   Pros: Reduces screw-ups
   Cons: not ready now

C) Use existing procedure: https://www.gridpp.ac.uk/wiki/Grid_Certificate
   This works around the block on hosts with multiple, simultaneous
   certificates by using a new host DN.

   Pros: It's ready now (but needs testing)
   Cons: DN needs to change, with multiple external impacts.

---------------------------------------------------------------

So there it is. Food for thought, eh?

Steve
On 04/08/2014 05:50 PM, John Kewley wrote:
> For those of you who want to request a new host cert rather than do a renewal:
>
> You can temporarily suspend your certificate by requesting its revocation.
> The problem with this is that if that request is signed then your certificate goes "bang".
> The alternative is to get a friendly RA Op from another RA to request the revocation for you.
> This means that it will await your RA Op's approval (which you persuade them not to give ... just yet).
> You can now apply for a new one.
>
> cheers
>
> JK
>
>> -----Original Message-----
>> From: Stephen Jones [mailto:[log in to unmask]]
>> Sent: Tuesday, April 08, 2014 5:08 PM
>> To: [log in to unmask]
>> Subject: I'll test this out: https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>
>> Hi all,
>>
>> I wrote some of this a while back. Now I have to renew all the certs due to
>> the OpenSSL bug, I guess I should test it still works:
>>
>> I think it's the same process as "Converting host certificates to omit the
>> email addresses from DNs".
>>
>> https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>
>> Job for tomorrow...
>>
>>
>> Steve
>>
>> --
>> Steve Jones                             [log in to unmask]
>> System Administrator                    office: 220
>> High Energy Physics Division            tel (int): 42334
>> Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 2334
>> University of Liverpool                 http://www.liv.ac.uk/physics/hep/


-- 
Steve Jones                             [log in to unmask]
System Administrator                    office: 220
High Energy Physics Division            tel (int): 42334
Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 2334
University of Liverpool                 http://www.liv.ac.uk/physics/hep/
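The key-reuse check behind Steve's first problem, as an added example that is not part of this thread and not any CA's or RA's own tooling: it compares the public key inside an old certificate with the one inside its "renewed" successor (if they match, the renewal kept the old, possibly leaked, key pair and only the full loop will do), and it generates a fresh key pair plus CSR for that full loop. It assumes openssl(1) is on PATH; the file names, output prefix and host name are placeholders. The demo certificates are self-signed stand-ins constructed for illustration, since the real ones come from the CA.

```shell
#!/bin/sh
# Added example (not from the thread): does a "renewed" certificate really
# carry a new key pair, and how to generate a fresh key + CSR when it does not.
# Assumes openssl(1) is on PATH; file names and the host DN are placeholders.
set -eu

# SHA-256 fingerprint of the public key inside a certificate (not of the
# certificate itself): a re-issued cert built on the old key has the same one.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Same, for the public key in a CSR, so you can confirm the request you are
# about to hand to the RA really is for the new key and not the old one.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 (true) when both certificates share a public key, i.e. "renewal"
# reused the old key pair and is not a real replacement after the bug.
same_key() {
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Fresh key pair + CSR for a host DN (the "full loop").
# $1 = host FQDN, $2 = output path prefix (both placeholders)
new_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$2.key" 2>/dev/null
    chmod 600 "$2.key"          # unencrypted host key, readable by root only
    openssl req -new -key "$2.key" -subj "/CN=$1" -out "$2.csr"
}

# Constructed demo: self-signed stand-ins for "old", "renewed on the same key"
# and "renewed on a new key". $1 = scratch directory.
make_demo_certs() {
    d=$1; host=host.example.org   # constructed sample host name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/old.key" 2>/dev/null
    openssl req -x509 -new -key "$d/old.key" -subj "/CN=$host" -days 1 \
        -out "$d/old.crt"
    # a "renewal" that silently keeps the old key
    openssl req -x509 -new -key "$d/old.key" -subj "/CN=$host" -days 1 \
        -out "$d/renewed-samekey.crt"
    # the proper replacement: new key, new CSR, new cert
    new_key_and_csr "$host" "$d/new"
    openssl req -x509 -new -key "$d/new.key" -subj "/CN=$host" -days 1 \
        -out "$d/renewed-newkey.crt"
}

# Usage: sh check-renewal.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_certs "$d"
    if same_key "$d/old.crt" "$d/renewed-samekey.crt"; then
        echo "renewed-samekey.crt: same key as old.crt -> NOT a real replacement"
    fi
    if ! same_key "$d/old.crt" "$d/renewed-newkey.crt"; then
        echo "renewed-newkey.crt: different key from old.crt -> OK"
    fi
    rm -rf "$d"
fi
```

In practice, point same_key at the certificate the host had before the renewal and the one the CA handed back; matching fingerprints mean you are in the "go the full loop" case. The CSR check is worth doing before submitting, because the easiest way to end up back on the old key is to reuse the old .key file out of habit when making the request.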