Educause Security Discussion mailing list archives
Re: Intermediate Certificate
From: "Yonesy F. Nunez" <yonesy.nunez () NEWSCHOOL EDU>
Date: Fri, 10 Sep 2010 09:37:29 -0400
We had this issue about 3 weeks ago when we renewed one of our main systems. Suffice it to say the system did not fall into the cookie-cutter category and it took us a couple of days to track down the solution for properly updating the certificate chain on that system. I suggest that the folks who have not done this yet take an inventory of all their systems and ensure that they have all the steps in place for updating the TCRA with the subordinate/intermediate CA. The solution is to ensure that you are able to successfully update the TCRA for each of your systems. It's a good thing that these events don't happen too often.

Best regards,
Yonesy

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nate Johnson
Sent: Thursday, September 09, 2010 4:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Intermediate Certificate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IU has been a subscriber to the Thawte Certificate Center Enterprise Accounts (formerly SPKI) for several years now. Thawte recently switched from a model of issuing SSL server certs signed by a single trusted root CA cert to a new model of issuing certs signed by an intermediate (subordinate) CA cert that is signed by a root CA cert. The change has caused problems for some of our customers since it now requires them to install the certificate chain of both the intermediate and root certs as well as their server cert. Maybe in a year or so, all the mainstream OS's, browsers, email clients, etc., will catch up and include the entire chain by default and these certs will just work automatically. For now we have a support issue on our hands.

As far as we can tell intermediate CA's are first mentioned in RFC 1422, dated Feb 1993. So this is not a new concept. Comodo, InstantSSL, Verisign, Globalsign, Godaddy, Digicert and ipsCA all require sysadmins to install cert chains with intermediate certs.

Thawte's support documentation includes easy to understand instructions for all the mainstream web servers, which we have just pointed to in our FAQ and included in our email alerts. And although the security office doesn't have the staff or resources to test and document these issues on the myriad of other services our customers are installing these certs on, we have successfully helped them track down documentation for some like Cyrus imapd, Sendmail and MySQL. Services that are just beyond our ability to provide support for are things like Active Directory LDAP from non-Windows systems, Blackberry services, service-to-service interactions like PeopleSoft/Oracle and load balancers (like Zeus and BigIP).

We're writing to EDUCAUSE-SECURITY to see if any of you have had similar experiences, and what solutions you've found.

Also important to note is that IU will very soon be switching from Thawte to the InCommon Certificate Service as our commercial cert provider. These issues will persist though, since InCommon (with Comodo as their back-end cert provider) also requires a CA cert chain with intermediate certs.

Thanks,
Nate

- --
* Nate Johnson, Principal Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyJQzwACgkQGQUVGJudcw71DgCdHe+37IhMQ9T/E7hhihT29CXX
Jf4AnRYZypMadDLrWlm0t+1PxzHNE9Ei
=DXsW
-----END PGP SIGNATURE-----
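The support problem both posts describe (a server deployed with only its own cert, or with the intermediate in the wrong place, so clients that lack the subordinate CA cannot build a path to the root) can be caught before the ticket arrives by checking the PEM bundle you are about to install. The following is an added example written for this archive page, not code from either poster or from any of the CAs named; it uses only the Python standard library, with a small DER walker that extracts each certificate's issuer and subject Name. The "Example Root CA", "Example Intermediate CA" and "www.example.edu" certificates it builds are constructed, unsigned X.509 skeletons that exist only so the check can run offline; the function and constant names are the example's own.

```python
"""Verify that a PEM bundle is a complete, correctly ordered certificate chain
(server cert first, then each intermediate) ending at a root in a trust store.
Stdlib only: a small DER walker pulls issuer/subject Names out of each cert."""
import base64
import re

CN_OID = b'\x55\x04\x03'  # id-at-commonName (2.5.4.3)

def der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = der_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def issuer_and_subject(der):
    """Return the raw DER Name encodings (issuer, subject) of an X.509 cert."""
    _, cert, _ = der_tlv(der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)   # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:       # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][2], fields[4][2]  # serial, sigalg, ISSUER, validity, SUBJECT

def common_name(name_raw):
    """Extract commonName from a DER Name, for diagnostics only."""
    _, rdns, _ = der_tlv(name_raw, 0)
    for _, rdn_set, _ in der_children(rdns):
        for _, atv, _ in der_children(rdn_set):
            (_, oid, _), (_, val, _) = list(der_children(atv))
            if oid == CN_OID:
                return val.decode('utf-8', 'replace')
    return '<no CN>'

def load_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM string."""
    pat = r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    return [base64.b64decode(b) for b in re.findall(pat, text, re.S)]

def check_chain(bundle_pem, trust_store_pem):
    """Return a list of problems; [] means leaf -> intermediates -> trusted root.
    Names are compared byte-for-byte, as real chain builders do in practice."""
    certs = [issuer_and_subject(c) for c in load_pem(bundle_pem)]
    roots = {issuer_and_subject(c)[1] for c in load_pem(trust_store_pem)}
    if not certs:
        return ['bundle contains no certificates']
    problems = []
    for i in range(len(certs) - 1):
        issuer, subject = certs[i]
        next_subject = certs[i + 1][1]
        if issuer != next_subject:
            problems.append(f'cert {i} ({common_name(subject)}) was issued by '
                            f'{common_name(issuer)!r} but cert {i + 1} is '
                            f'{common_name(next_subject)!r}: wrong order or gap')
    last_issuer, last_subject = certs[-1]
    if last_issuer not in roots and last_subject not in roots:
        problems.append(f'chain ends at {common_name(last_subject)!r}, whose issuer '
                        f'{common_name(last_issuer)!r} is not a trusted root: '
                        'an intermediate is probably missing')
    return problems

# --- constructed sample data: unsigned X.509 skeletons, not real certs -------
def tlv(tag, value):
    """Encode one DER TLV (values under 256 bytes, enough for these samples)."""
    length = bytes([len(value)]) if len(value) < 128 else bytes([0x81, len(value)])
    return bytes([tag]) + length + value

def name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { commonName OID, UTF8String }"""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """tbsCertificate with just the fields the parser reads; no signature."""
    tbs = (tlv(0xA0, tlv(0x02, b'\x02')) + tlv(0x02, b'\x01')        # version, serial
           + tlv(0x30, tlv(0x06, b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b'))  # sha256WithRSA
           + name(issuer_cn)
           + tlv(0x30, tlv(0x17, b'100101000000Z') + tlv(0x17, b'110101000000Z'))
           + name(subject_cn))
    return tlv(0x30, tlv(0x30, tbs))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'

ROOT = fake_cert('Example Root CA', 'Example Root CA')
INTERMEDIATE = fake_cert('Example Intermediate CA', 'Example Root CA')
LEAF = fake_cert('www.example.edu', 'Example Intermediate CA')
TRUST_STORE = to_pem(ROOT)

def demo():
    """Complete chain vs. the usual support-ticket case (intermediate omitted)."""
    return (check_chain(to_pem(LEAF) + to_pem(INTERMEDIATE), TRUST_STORE),
            check_chain(to_pem(LEAF), TRUST_STORE))
```

`demo()` returns `[]` for the leaf-plus-intermediate bundle and one problem for the leaf-only bundle, which is exactly the condition behind the tickets described above. Against a real deployment you would feed `check_chain` the bundle you intend to install and the root store of the clients that matter (a browser bundle, the JVM's cacerts, a Blackberry or LDAP client's store), because the same bundle can be complete for one store and broken for another; the byte-for-byte Name comparison is the one real chain builders use, so a mismatch here reproduces what those clients will see.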
Current thread:
- Intermediate Certificate Nate Johnson (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Alex Keller (Sep 09)
- Re: Certificates Michael Johnson (Sep 09)
- Re: Certificates Mark Montague (Sep 09)
- Re: Certificates Flynn, Gary - flynngn (Sep 10)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Jack Suess (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)