Educause Security Discussion mailing list archives

Re: Intermediate Certificate


From: Alex Keller <alkeller () SFSU EDU>
Date: Thu, 9 Sep 2010 13:43:37 -0700

hi Nate et al,

we use InstantSSL/Comodo certs and are pretty used to having to install
the intermediary certificate. in fact, i can't recall not having to do it.

re: Maybe in a year or so, all the mainstream OS's, browsers, email
clients, etc, will catch up and include the entire chain by default and
these certs will just work automatically.

i don't think this is the plan. from what i understand the idea behind
the intermediary certificates is to provide some protection against the
risk of a CA root certificate compromise. moreover, the browser
developers are going to have little interest in including and keeping
track of the thousands (millions?) of intermediary certs.

best,
alex

-- 
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu



On 9/9/2010 1:27 PM, Nate Johnson wrote:
IU has been a subscriber to the Thawte Certificate Center Enterprise
Accounts (formerly SPKI) for several years now. Thawte recently switched
from a model of issuing SSL server certs signed by a single trusted root
CA cert to a new model of issuing certs signed by an intermediate
(subordinate) CA cert that is signed by a root CA cert.

The change has caused problems for some of our customers since it now
requires them to install the certificate chain of both the intermediate
and root certs as well as their server cert. Maybe in a year or so, all
the mainstream OS's, browsers, email clients, etc, will catch up and
include the entire chain by default and these certs will just work
automatically. For now we have a support issue on our hands.

As far as we can tell intermediate CAs are first mentioned in RFC 1422,
dated Feb 1993. So this is not a new concept. Comodo, InstantSSL,
Verisign, Globalsign, Godaddy, Digicert and ipsCA all require sysadmins to
install cert chains with intermediate certs.

Thawte's support documentation includes easy to understand instructions
for all the mainstream web servers, which we have just pointed to in our
FAQ and included in our email alerts. And although the security office
doesn't have the staff or resources to test and document these issues on
all the myriad other services our customers are installing these certs
on, we have successfully helped them track down documentation for some
like Cyrus imapd, Sendmail and MySQL.

Services that are just beyond our ability to provide support for are
things like Active Directory LDAP from non-Windows systems, Blackberry
services, service-to-service interactions like PeopleSoft/Oracle and
load balancers (like Zeus and BigIP).

We're writing to EDUCAUSE-SECURITY to see if any of you have had similar
experiences, and what solutions you've found.

Also important to note is that IU will very soon be switching from Thawte
to the InCommon Certificate Service as our commercial cert provider. These
issues will persist though, since InCommon (with Comodo as their back-end
cert provider) also requires a CA cert chain with intermediate certs.

Thanks,
Nate
