Educause Security Discussion mailing list archives

Re: Thawte root change to 2048 bit cert and intermediate CA


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 27 May 2010 15:48:59 +1200

On 26/05/2010, at 9:30 AM, Jason Testart wrote:

There shouldn't be any changes needed on the browser (assuming the
correct root CA is trusted).  You will need to change how you do things
on the server.  We had some pains educating our server admins to include
the intermediate cert along with the server cert at certificate install
time. 

You need to be particularly careful with Windows servers as intermediate certs
need to be installed in a different place to the server certs.  If you use the
automated tools (double-click on the cert?) then Windows normally does 'the right
thing' but not always.  We have also had very experienced admins who have manually
added intermediate certs to the wrong store.

We use certs from AusCERT that rely on Comodo's "AddTrust" certs.  These certs are in
most modern systems so even if the admins don't install them on the server *most* things
work, which is really confusing.

Older Macs (< 10.5?) are one conspicuous group that fail.

Russell 
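
A read-only check for the store mistakes described in the message above, as an added example that is not part of the original thread. It assumes a Windows server with the PowerShell `Cert:` drive (PowerShell 3.0 or later), inspects only the LocalMachine stores, and matches issuers by name, which is a heuristic; the function names are hypothetical.

```powershell
# Added example, not from the original post. Read-only audit of the
# LocalMachine certificate stores; nothing is moved or deleted.

function Test-IsCaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A CA certificate carries the Basic Constraints extension with CA=TRUE.
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return [bool]($bc -and $bc.CertificateAuthority)
}

function New-Finding {
    param($Store, $Issue, $Cert)
    [pscustomobject]@{ Store = $Store; Issue = $Issue
                       Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint }
}

function Find-MisplacedCertificate {
    $my    = @(Get-ChildItem Cert:\LocalMachine\My)    # Personal (server certs)
    $ca    = @(Get-ChildItem Cert:\LocalMachine\CA)    # Intermediate CAs
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root)  # Trusted Root CAs
    $knownIssuers = @($ca + $roots | ForEach-Object { $_.Subject })

    foreach ($c in $my) {
        if ((Test-IsCaCertificate $c) -and -not $c.HasPrivateKey) {
            # An intermediate imported into Personal instead of the CA store.
            New-Finding 'My' 'CA certificate in Personal store' $c
        }
        if ($c.HasPrivateKey -and $c.Subject -ne $c.Issuer -and
            $knownIssuers -notcontains $c.Issuer) {
            # No local copy of the issuer: only clients that already hold
            # the intermediate themselves will validate this server cert.
            New-Finding 'My' 'Issuer missing from Intermediate (CA) store' $c
        }
    }
    foreach ($c in $roots) {
        if ($c.Subject -ne $c.Issuer) {
            # Trusted Root should hold self-signed roots only.
            New-Finding 'Root' 'Non-self-signed certificate in Trusted Root store' $c
        }
    }
}

Find-MisplacedCertificate | Format-Table -AutoSize -Wrap
```

An empty result means none of the three conditions matched; it does not prove that every client can build the chain.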
