John(K), all,

Here's my catchup email....

---------------------------------------------------------------

First problem - Do we need New certificates?

Answer: I've contacted Leif Nixon directly, and this is (part of) his response:

> For all hosts that were vulnerable, you should get a completely
> new certificate; i.e. generate a new private and public key pair
> and get a certificate based on that. (The precise procedure for
> this depends on your particular CA, of course.)

So if we "renew" a certificate, does the "renewed" certificate have different keys to the original one?

If "renewal" does result in new keys, then it is perfectly OK to simply renew the certificate in the normal manner, as we do each year.

If "renewal" does not result in new keys, then it is not the right procedure. In which case, we all have to go the full loop and get completely new certificates (generating new key pairs).

---------------------------------------------------------------

Second problem - Assuming we need to, how do we get New certificates without breaking systems?

Answer: Up in the air at the moment. The choices I can see are:

A) Use workaround (get a friendly RA Op from another RA to request the revocation for me, and persuade my RA Op's approval to delay the process).
   Pros: ready now (but needs testing?)
   Cons: Fragile process. Multiple unknown RA Ops (local and remote) who need to be identified, informed and synchronised.

B) Find a slicker procedure to get it done without multiple RA Ops
   Pros: Reduces screw-ups
   Cons: not ready now

C) Use existing procedure: https://www.gridpp.ac.uk/wiki/Grid_Certificate
   This works around the block on hosts with multiple, simultaneous certificates by using a new host DN.
   Pros: It's ready now (but needs testing)
   Cons: DN needs to change, with multiple external impacts.

---------------------------------------------------------------

So there it is. Food for thought, eh?
Steve

On 04/08/2014 05:50 PM, John Kewley wrote:
> For those of you who want to request a New host cert rather than do a Renewal.
>
> You can temporarily suspend your certificate by requesting its revocation.
> The problem with this is that if that request is signed then your certificate goes "bang".
> The alternative is to get a friendly RA Op from another RA to request the revocation for you.
> This means that it will await your RA Op's approval (which you persuade them not to give ... just yet).
> You can now apply for a new one
>
> cheers
>
> JK
>
>> -----Original Message-----
>> From: Stephen Jones [mailto:[log in to unmask]]
>> Sent: Tuesday, April 08, 2014 5:08 PM
>> To: [log in to unmask]
>> Subject: I'll test this out: https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>
>> Hi all,
>>
>> I wrote some of this a while back. Now I have to renew all the certs due to
>> the OPENSSL bug, I guess I should test it still works:
>>
>> I think it's the same process as "Converting host certificates to omit the
>> email addresses from DNs".
>>
>> https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>
>> Job for tomorrow...
>>
>>
>> Steve
>>
>> --
>> Steve Jones                              [log in to unmask]
>> System Administrator                     office: 220
>> High Energy Physics Division             tel (int): 42334
>> Oliver Lodge Laboratory                  tel (ext): +44 (0)151 794 2334
>> University of Liverpool                  http://www.liv.ac.uk/physics/hep/

--
Steve Jones                              [log in to unmask]
System Administrator                     office: 220
High Energy Physics Division             tel (int): 42334
Oliver Lodge Laboratory                  tel (ext): +44 (0)151 794 2334
University of Liverpool                  http://www.liv.ac.uk/physics/hep/
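The "first problem" above (does a renewed certificate carry a new key pair, or the same one the Heartbleed-exposed host had?) can be settled on the host itself by comparing the public key embedded in the old and the renewed certificate. The script below is an added example, not code from the list thread or from the GridPP wiki; it assumes only the openssl CLI. Self-signed certificates stand in for CA-issued ones, and the file names (old.crt, renewed-samekey.crt, reissued.crt) are constructed for the demo. It builds one "renewal" that reuses the old key and one reissue with a fresh key, then reports for each whether the key actually changed.

```shell
#!/bin/sh
# Added example (not from the thread): does a "renewed" certificate still carry the old public key?
# Requires the openssl CLI. All files are constructed in a scratch directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the SubjectPublicKeyInfo inside a certificate (DER-encoded).
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "yes" if the two certificates embed different public keys, "no" if they share one.
# A renewal that prints "no" has kept a key that must be considered compromised.
key_changed() {
    fp1=$(pubkey_fingerprint "$1")
    fp2=$(pubkey_fingerprint "$2")
    [ -n "$fp1" ] && [ -n "$fp2" ] || { echo error; return 1; }
    if [ "$fp1" = "$fp2" ]; then echo no; else echo yes; fi
}

# Step 1: the original host key pair and certificate (self-signed here; a CA would issue the real one).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=example-host.invalid" \
    -days 365 -out "$WORK/old.crt" 2>/dev/null

# Step 2a: a "renewal" that only extends validity: new certificate, SAME key pair.
openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=example-host.invalid" \
    -days 365 -out "$WORK/renewed-samekey.crt" 2>/dev/null

# Step 2b: a proper reissue as Leif Nixon describes: generate a fresh key pair, certify that.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/new.key" -subj "/CN=example-host.invalid" \
    -days 365 -out "$WORK/reissued.crt" 2>/dev/null

# Step 3: compare. Serial numbers and dates differ in both cases; only the key fingerprint tells them apart.
OLD_VS_RENEWED=$(key_changed "$WORK/old.crt" "$WORK/renewed-samekey.crt")
OLD_VS_REISSUED=$(key_changed "$WORK/old.crt" "$WORK/reissued.crt")
echo "old key fingerprint:      $(pubkey_fingerprint "$WORK/old.crt")"
echo "renewal reusing key pair: key changed? $OLD_VS_RENEWED"
echo "reissue with new key pair: key changed? $OLD_VS_REISSUED"
```

On a real host, run `key_changed /path/to/old-hostcert.pem /path/to/renewed-hostcert.pem` against the certificate files the CA actually returned; a "no" means the renewal path is the wrong procedure for a host that ran a vulnerable OpenSSL, regardless of what the CA's portal called it.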