Educause Security Discussion mailing list archives

Intermediate Certificate

From: Nate Johnson <natejohn () IU EDU>
Date: Thu, 9 Sep 2010 16:27:40 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IU has been a subscriber to the Thawte Certificate Center Enterprise
Accounts (formerly SPKI) for several years now. Thawte recently switched
from a model of issuing SSL server certs signed by a single trusted root
CA cert to a new model of issuing certs signed by an intermediate
(subordinate) CA cert that is signed by a root CA cert.

The change has caused problems for some of our customers since it now
requires them to install the certificate chain of both the intermediate
and root certs as well as their server cert. Maybe in a year or so, all
the mainstream OS's, browsers, email clients, etc, will catch up and
include the entire chain by default and these certs will just work
automatically. For now we have a support issue on our hands.

As far as we can tell intermediate CA's are first mentioned in RFC 1422,
dated Feb 1993. So this is not a new concept. Comodo, InstantSSL,
Verisign, Globalsign, Godaddy, Digicert and ipsCA all require sysadmins to
install cert chains with intermediate certs.

Thawte's support documentation includes easy to understand instructions
for all the mainstream web servers, which we have just pointed to in our
FAQ and included in our email alerts. And although the security office
doesn't have the staff or resources to test and document these issues on
all the other myriad of services our customers are installing these certs
on, we have successfully helped them track down documentation for some
like Cyrus imapd, Sendmail and MySQL.

Services that are just beyond our ability to provide support for are
things like Active Directory LDAP from non-Windows systems, Blackberry
services, service-to-service interactions like PeopleSoft/Oracle and
loadbalancers (like Zeus and BigIP).

We're writing to EDUCAUSE-SECURITY to see if any of you have had similar
experiences, and what solutions you've found.

Also important to note is that IU will very soon be switching from Thawte
to the InCommon Certificate Service as our commercial cert provider. These
issues will persist though, since InCommon (with Comodo as their back-end
cert provider) also requires a CA cert chain with intermediate certs.

Thanks,
Nate

- -- 
* Nate Johnson, Principal Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyJQzwACgkQGQUVGJudcw71DgCdHe+37IhMQ9T/E7hhihT29CXX
Jf4AnRYZypMadDLrWlm0t+1PxzHNE9Ei
=DXsW
-----END PGP SIGNATURE-----

Current thread:

Intermediate Certificate Nate Johnson (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)
  - Certificates John Kaftan (Sep 09)
    - Re: Certificates Alex Keller (Sep 09)
    - Re: Certificates Michael Johnson (Sep 09)
    - Re: Certificates Mark Montague (Sep 09)
    - Re: Certificates Flynn, Gary - flynngn (Sep 10)
    - Re: Certificates Jack Suess (Sep 09)
  - Re: Intermediate Certificate Derek Diget (Sep 10)
- Re: Intermediate Certificate Yonesy F. Nunez (Sep 10)