Follow-up Comment #4, sr #124285 (project xrootd):

Catalin - Can you test if the -crl:2 level is acceptable for FNAL?

Gerri - I realized I left a sentence incomplete in my previous comment. The new IGTF format has three entries per CA in the certificates directory. One is human-readable and ends in ".pem", one uses the OpenSSL 0.9.x hashing scheme and ends in ".0", and the third uses the OpenSSL 1.0 hashing scheme and also ends in ".0". fetch-crl pulls in CRLs *only* for the version of OpenSSL found on the system.

Could we do something similar in Xrootd? I.e., check that the hash of the read CA matches the hash from the current version of OpenSSL; if it doesn't, ignore it.

If you'd like to see an example of how this layout works, you can find the latest OSG CA cert RPM here:

https://koji-hub.batlab.org/koji/buildinfo?buildID=659

_______________________________________________________

Reply to this item at:

  <http://savannah.cern.ch/support/?124285>

_______________________________________________
  Message sent via/by LCG Savannah
  http://savannah.cern.ch/
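The check proposed in the comment above, sketched as shell functions. This is an added example, not xrootd or fetch-crl code: the function names `ca_name_matches` and `usable_ca_files` are hypothetical, and it assumes the `openssl` command-line tool is installed and the CA files are PEM-encoded.

```shell
#!/bin/sh
# Added example (hypothetical helper names): accept a CA file from the
# certificates directory only if its file name equals the subject hash that
# the OpenSSL installed on this host computes for the certificate inside it.

# ca_name_matches FILE
# Returns 0 when FILE is named <subject_hash>.<digit> under the local hashing
# scheme, non-zero otherwise (including when FILE is not a readable PEM cert).
ca_name_matches() {
    file=$1
    base=${file##*/}      # strip the directory part
    stem=${base%.*}       # strip the ".0" style suffix
    want=$(openssl x509 -noout -subject_hash -in "$file" 2>/dev/null) || return 1
    [ "$stem" = "$want" ]
}

# usable_ca_files DIR
# Prints one accepted path per line on stdout. Entries hashed with a different
# scheme (or otherwise misnamed) are reported on stderr and ignored.
# The human-readable "*.pem" copies are not matched by the glob.
usable_ca_files() {
    dir=$1
    for f in "$dir"/*.[0-9]; do
        [ -f "$f" ] || continue          # unexpanded glob: directory has no entries
        if ca_name_matches "$f"; then
            printf '%s\n' "$f"
        else
            printf 'ignoring %s: name does not match local OpenSSL subject hash\n' "$f" >&2
        fi
    done
}

# Stand-alone use: sh this_script.sh /path/to/certificates
if [ "$#" -gt 0 ]; then
    usable_ca_files "$1"
fi
```

Comparing against `openssl x509 -subject_hash` means the filter follows whichever hashing scheme the installed OpenSSL uses, so the same directory can be shared between hosts with different OpenSSL versions.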