Educause Security Discussion mailing list archives

Re: Thawte root change to 2048 bit cert and intermediate CA


From: Jason Testart <jatestart () UWATERLOO CA>
Date: Tue, 25 May 2010 17:30:14 -0400

Flynn, Gary wrote:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AD221&actp=LIST&viewlocale=en_US

If they’re changing their root cert and adding an intermediate cert, won’t all browsers and clients have to have those certs added to their stores for SSL certs signed by them to be trusted? I don’t see a 2048 bit Thawte cert in the latest patched version of Internet Explorer.

They have scheduled a presentation in June to describe the change coming in June. Given our experience with their presentation about the SPKI changes a few months ago and subsequent operational issues, I’m a bit anxious about this change even with their wording, “There is no action necessary on your part. Your current valid Certificates issued off our MD5, 1024 bit RSA Roots will continue to operate correctly and securely. There is no need to replace your existing Certificates. Thawte is providing this advance information to ensure a smooth transition. Also, this information will help you in making your IT investment decisions e.g. ask the vendors if they support 2048-bit RSA keys etc.”. What about certs issued using their new root?

We switched to Globalsign before the SPKI changes.  At that time, we
went through the pain of both operational processes AND moving to
intermediate certs at the same time.

There shouldn't be any changes needed on the browser (assuming the
correct root CA is trusted).  You will need to change how you do things
on the server.  We had some pains educating our server admins to include
the intermediate cert along with the server cert at certificate install
time.  The only issue we have now is an old version of PeopleTools
(where the old Java keystore doesn't deal with chaining at all).

jt
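The server-side point in the reply above (a client that trusts only the root cannot validate the server certificate unless the intermediate is installed alongside it), as an added demonstration that is not part of this thread. It assumes a local openssl binary; the CA names, hostname and keys are throwaway values constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: build a root -> intermediate -> server chain with
# throwaway 2048-bit keys, then check what a client trusting only the
# root can verify with and without the intermediate being supplied.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed, CA:TRUE comes from the default req config).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 30 >/dev/null 2>&1

# Intermediate CA: CSR signed by the root with CA:TRUE.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile int.ext >/dev/null 2>&1

# Server (leaf) certificate signed by the intermediate, not by the root.
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=www.example.edu" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\n' > srv.ext
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out srv.pem -days 30 -extfile srv.ext >/dev/null 2>&1

# verify_chain ROOT LEAF [INTERMEDIATE]: mimics a client whose trust store
# holds only ROOT; the optional third argument is what the server sends
# along with its own certificate. Returns 0 when the chain verifies.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Server installed only the leaf: the client cannot build the chain.
if verify_chain root.pem srv.pem; then
  echo "leaf alone: ok"
else
  echo "leaf alone: FAIL (intermediate not installed on server)"
fi
# Server installed leaf plus intermediate: verification succeeds.
if verify_chain root.pem srv.pem int.pem; then
  echo "leaf+intermediate: ok"
else
  echo "leaf+intermediate: FAIL"
fi
```

Pointing the first check at a real host's served chain (for example by saving what `openssl s_client -showcerts` returns) is the quickest way to catch a server that was installed without its intermediate.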
