Educause Security Discussion mailing list archives
Intermediate Certificate
From: Nate Johnson <natejohn () IU EDU>
Date: Thu, 9 Sep 2010 16:27:40 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IU has been a subscriber to the Thawte Certificate Center Enterprise Accounts (formerly SPKI) for several years now. Thawte recently switched from a model of issuing SSL server certs signed by a single trusted root CA cert to a new model of issuing certs signed by an intermediate (subordinate) CA cert that is signed by a root CA cert. The change has caused problems for some of our customers since it now requires them to install the certificate chain of both the intermediate and root certs as well as their server cert. Maybe in a year or so, all the mainstream OS's, browsers, email clients, etc, will catch up and include the entire chain by default and these certs will just work automatically. For now we have a support issue on our hands. As far as we can tell intermediate CA's are first mentioned in RFC 1422, dated Feb 1993. So this is not a new concept. Comodo, InstantSSL, Verisign, Globalsign, Godaddy, Digicert and ipsCA all require sysadmins to install cert chains with intermediate certs. Thawte's support documentation includes easy to understand instructions for all the mainstream web servers, which we have just pointed to in our FAQ and included in our email alerts. And although the security office doesn't have the staff or resources to test and document these issues on all the other myriad of services our customers are installing these certs on, we have successfully helped them track down documentation for some like Cyrus imapd, Sendmail and MySQL. Services that are just beyond our ability to provide support for are things like Active Directory LDAP from non-Windows systems, Blackberry services, service-to-service interactions like PeopleSoft/Oracle and loadbalancers (like Zeus and BigIP). We're writing to EDUCAUSE-SECURITY to see if any of you have had similar experiences, and what solutions you've found. Also important to note is that IU will very soon be switching from Thawte to the InCommon Certificate Service as our commercial cert provider. These issues will persist though, since InCommon (with Comodo as their back-end cert provider) also requires a CA cert chain with intermediate certs. Thanks, Nate - -- * Nate Johnson, Principal Security Engineer, GCIH, GCFA * University Information Security Office, Indiana University -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkyJQzwACgkQGQUVGJudcw71DgCdHe+37IhMQ9T/E7hhihT29CXX Jf4AnRYZypMadDLrWlm0t+1PxzHNE9Ei =DXsW -----END PGP SIGNATURE-----
Current thread:
- Intermediate Certificate Nate Johnson (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Alex Keller (Sep 09)
- Re: Certificates Michael Johnson (Sep 09)
- Re: Certificates Mark Montague (Sep 09)
- Re: Certificates Flynn, Gary - flynngn (Sep 10)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Jack Suess (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)