The default is no prefix so you have to ask for the prefix if you want one. I don't believe having it does any harm in the grid s/w I have seen,
but you never know.
Amending the old CA code might not take long, but there are a whole host of "little things" wrong with it that they'd need prioritising.
We therefore decided to spend that development effort on CertWizard instead. Since then changes to the old interface have been
informational, letting people know to use CertWizard instead.
JK
________________________________________
From: Testbed Support for GridPP member institutes [[log in to unmask]] on behalf of Wahid Bhimji [[log in to unmask]]
Sent: 06 November 2012 11:47
To: [log in to unmask]
Subject: Re: "host/" prefix in server certs.
The certificates for the disk servers I put in place just a couple of months ago have host/ in their name.
Probably I shouldn't have been given the option when I requested them if it is indeed deprecated.
Wahid
On 6 Nov 2012, at 11:42, John Gordon <[log in to unmask]> wrote:
> From memory we deprecated /host some time ago but allowed sites to request a renewal if they wanted. Since CertWizard was developed long after this it doesn't surprise me that it wasn't part of its spec.
>
> What I can't remember is whether there was a time limit of support. Hence I cc Jens.
>
> John
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of John Kewley
> Sent: 06 November 2012 11:23
> To: [log in to unmask]
> Subject: Re: "host/" prefix in server certs.
>
> Since unadorned host certs are considered host certs then use of "host/" hasn't
> been prevalent for a long time, although there are a smattering of host certificates with
> the "host/" prefix still hanging around, presumably for historical reasons.
>
> What is perhaps a better question is whether there is a use case for any of the other
> service prefixes which were supported on the old web interface. These were typically used
> when there were multiple services on the same machine, but I understand there are better
> ways of doing that now.
>
> Use cases could include the fact that your DN is embedded "all over the place"
> and it would be a real pain getting all your users/references to change. This may be
> the case for a VOMS or myproxy server for instance. I am not saying it'd be a compelling
> use case, but it would be a reasonable point all the same.
>
> I don't have any documentary evidence "to hand" about service prefixes being deprecated,
> but maybe Jens or Mike Jones has that information.
>
> Cheers
>
> JK
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of John Hill
>> Sent: Tuesday, November 06, 2012 11:05 AM
>> To: [log in to unmask]
>> Subject: Re: "host/" prefix in server certs.
>>
>> None of our host certificates have the "host/".
>>
>> John
>>
>> On 06/11/2012 10:46, Wahid Bhimji wrote:
>>> Hi
>>>
>>> So when I tried to use the "Cert wizard" to renew my disk server
>>> certificates I hit an error apparently due to the "host/"
>>> Does anyone know if that is in fact needed or it is ok to use a cert
>>> without that bit?
>>>
>>> The salient parts of my discussion with the helpdesk are below.
>>>
>>> Wahid
>>>
>>> Begin forwarded message:
>>>
>>>> *From: *UK Grid Operations Support Centre <[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>> *Subject: **sec_error_unknown_issuer error using firefox to renew host
>>>> certificate ISSUE=15075 PROJ=1*
>>>> *Date: *6 November 2012 10:41:00 GMT
>>>> *To: *<[log in to unmask] <mailto:[log in to unmask]>>
>>>> *Reply-To: *<[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>>
>>>> When replying, type your text above this line.
>>>> ------------------------------------------------------------------------
>>>> *Notification of Query Change*
>>>>
>>>> The following reply has been supplied for query [GOSC
>>>> 15075].
>>>>
>>>>
>>>> *Status: * Agent Replied *Creation Date: * 05/11/2012
>>>>
>>>>
>>>> *Query Content:*
>>>> /Entered on 06/11/2012 at 10:41:29 GMT (GMT+0000) by John Kewley:/
>>>> OK thanks
>>>>
>>>> I agree it would be better if it worked on OS/X, but we have spent our
>>>> development on CertWizard so we don't have to support every browser on
>>>> every OS.
>>>>
>>>> Are you sure you need the "host/" prefix? If you have a use-case we'd
>>>> be pleased to hear it - that browser interface won't be around for
>>>> that long
>>>> so we do need to find out if anyone does indeed have any requirements
>>>> for a service certificate.
>>>>
>>>> Cheers
>>>>
>>>> JK
>>>>
>>>>
>>>> On 6 Nov 2012, at 09:41, UK Grid Operations Support Centre
>>>> <[log in to unmask] <mailto:[log in to unmask]>> wrote:
>>>>
>>>>> [Duplicate message snipped]
>>>>
>>>> /Entered on 06/11/2012 at 09:41:26 GMT (GMT+0000) by John Kewley:/
>>>> The use of a service prefix (especially the host/ prefix) has been
>>>> pretty much deprecated by the community some time ago so we haven't
>>>> added support for it in CertWizard.
>>>>
>>>> Your error message doesn't look too friendly though, sorry about that.
>>>>
>>>> if you don't still require that exact DN then you can request a new
>>>> certificate without the prefix using CertWizard - this is likely your
>>>> easiest option ... unless you need that prefix for something.
>>>>
>>>> ... or you should be able to still use Firefox to renew it. Can you
>>>> detail the steps you are doing in FF?
>>>>
>>>> cheers
>>>>
>>>> JK
>>>>
>>>> /Entered on 06/11/2012 at 09:20:26 GMT (GMT+0000) by
>>>> [log in to unmask] <mailto:[log in to unmask]>:/
>>>> Subject: Re: sec_error_unknown_issuer error using firefox to renew
>>>> host certificate ISSUE=15075 PROJ=1
>>>> To: <[log in to unmask] <mailto:[log in to unmask]>>
>>>> From: Wahid Bhimji <[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>>
>>>> Right I tried the cert wizard and I got this message
>>>> "Server responded an error: For user cert requests, the CN should be
>>>> lowercase of the form 'firstname surname' (single space separator).
>>>> For hostcert requests, the CN should be a valid lowercase DNS domain
>>>> name. [Accepted (202) - The request has been accepted for processing,
>>>> but the processing has not been completed]"
>>>>
>>>> Is it possible to use the cert wizard or not - what does that message
>>>> mean.
>>>> The DN is
>>>> [log in to unmask]
>>>> <mailto:[log in to unmask]>,
>>>> CN=host/pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK
>>>> CN=UK e-Science CA 2B, OU=Authority, O=eScienceCA, C=UK
>>>>
>>>> I need to get this resolved very soon as the cert will expire next week
>>>>
>>>> Wahid
>>>>
>>>
>>>
>>>
>>> The University of Edinburgh is a charitable body, registered in
>>> Scotland, with registration number SC005336.
>>>
> --
> Scanned by iCritical.
--
Scanned by iCritical.
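
The CertWizard rejection quoted in this thread says a host certificate CN must be a valid lowercase DNS domain name, which a `host/`-prefixed CN is not. As an added example (not part of the thread and not CertWizard's own code), this Python check flags service-prefixed or otherwise non-conforming CNs in a list of subject DNs ahead of renewal; the function names are hypothetical and the DN parsing is simplified to comma-separated strings of the form shown above.

```python
import re
from typing import Optional, Tuple

# One DNS label: lowercase letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def extract_cn(dn: str) -> Optional[str]:
    """Return the first CN value from a comma-separated DN string.

    Simplified (assumption): no escaped commas or multi-valued RDNs.
    """
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def is_lowercase_dns_name(name: str) -> bool:
    """True if name is a multi-label, all-lowercase DNS host name."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def classify_host_cn(dn: str) -> Tuple[str, Optional[str]]:
    """Return (status, bare_host); status is 'ok', 'service-prefix',
    'invalid-cn' or 'no-cn'."""
    cn = extract_cn(dn)
    if cn is None:
        return ("no-cn", None)
    if is_lowercase_dns_name(cn):
        return ("ok", cn)
    prefix, slash, host = cn.partition("/")
    if slash and prefix and is_lowercase_dns_name(host):
        return ("service-prefix", host)  # e.g. CN=host/<fqdn>
    return ("invalid-cn", None)


# Constructed sample inventory; the first DN is the one quoted in the thread.
SAMPLE_DNS = [
    "CN=host/pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK",
    "CN=pool3.glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK",
    "CN=Pool3.Glite.ecdf.ed.ac.uk, L=NeSC, OU=Edinburgh, O=eScience, C=UK",
]
```

A `service-prefix` result returns the bare host name, which is the CN a prefix-free replacement request would carry; any place the old DN is embedded (the thread mentions VOMS and myproxy servers) would then need updating.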