I suspect you are on a 0.9.8 openssl machine. 53729190 would be the hash for a 1.0.0 openssl setup.
I don't see any point in keeping either of the .r0 files for the old UK eScience CA.
Before removing them you can see/check what they are by something like the following:
----
[jmk27@puck ~]$ openssl crl -in 367b75c3.r0 -inform pem -noout -issuer -lastupdate -nextupdate
issuer=/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
lastUpdate=Jan 28 15:41:43 2013 GMT
nextUpdate=Feb 27 15:41:43 2013 GMT
----
Ditto for 53729190.r0
JK
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of John Hill
> Sent: Tuesday, January 29, 2013 12:40 PM
> To: [log in to unmask]
> Subject: Re: Changes in IGTF 1.52
>
> Curious - I only have 367b75c3.r0
>
> John
>
> On 29/01/2013 12:36, Alessandra Forti wrote:
> > I have both
> >
> > /etc/grid-security/certificates/367b75c3.r0
> > /etc/grid-security/certificates/53729190.r0
> >
> > which should I eliminate and which should I keep?
> >
> > thanks
> >
> > cheers
> > alessandra
> >
> > On 29/01/2013 11:54, John Hill wrote:
> >> /etc/grid-security/certificates/367b75c3.r0 is also still there after
> >> upgrading to 1.52.
> >>
> >> John
> >>
> >> On 29/01/2013 11:38, Alessandra Forti wrote:
> >>> Hi Jens,
> >>>
> >>> I've just upgraded and this is what's left behind in the
> >>> /etc/grid-security/certificates/ directory
> >>>
> >>> #> rpm -qa ca-policy-egi-core
> >>> ca-policy-egi-core-1.52-1.noarch
> >>>
> >>> #> ls /etc/grid-security/certificates/UKeScience*2007*
> >>> /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
> >>> /etc/grid-security/certificates/UKeScienceRoot-2007.pem
> >>> /etc/grid-security/certificates/UKeScienceRoot-2007.info
> >>> /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
> >>> /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
> >>>
> >>> cheers
> >>> alessandra
> >>>
> >>>
> >>> On 29/01/2013 11:34, Jens Jensen wrote:
> >>>> Dropping old CA certifiate (no valid certs, valid CRL)
> >>>> These files should go when you upgrade to 1.52:
> >>>> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
> >>>>
> >>>>
> >>>> It is most important to get rid of *.pem, *.0, and *.r0
> >>>>
> >>>> We can watch the CRLs for downloads, see which IP addresses they
> >>>> come from.
> >>>>
> >>>> The main (small) risk is that sites don't remove it (for some reason)
> >>>> and get hit by the silly test for "expired" at the end of March (at
> >>>> 23:59:59 UTC).
> >>>>
> >>>> There are associated changes in UKeScienceRoot-2007.namespaces and
> >>>> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
> >>>> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
> >>>> that a bug has slipped through here, despite checking, due to some
> >>>> undocumented or non-testable "feature" in the code that uses these
> >>>> files.
> >>>>
> >>>> That's it. Any Qs or Cs?
> >>>>
> >>>> Cheers
> >>>> --jens
> >>>>
> >>>
> >>>
> >>> --
> >>> Facts aren't facts if they come from the wrong people. (Paul Krugman)
> >>>
> >
> >
--
Scanned by iCritical.
|