Educause Security Discussion mailing list archives
Re: SSL Certificates
From: Doug Hoffman <dhoffman () BLOOMU EDU>
Date: Wed, 18 Mar 2009 10:18:03 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've noticed that Opera (any platform) and Windows Mobile don't trust ipsCA's root cert, as well. Another downside to ipsCA is that their certs are chained - this may not work well with certain servers and/or clients. One thing we've run in to is lack of support for using chained certs with web auth on Cisco's WLAN controllers. We primarily use Thawte's SPKI for our certs, the exception being non-production servers where we will temporarily use ipsCA certs. Thawte's certs are unchained, signed directly off of Thawte's root cert (so they play well will anything), and we have yet to find any client that doesn't have their root cert in the trusted CA list. Their price isn't great, but we don't have to worry about any compatibility issues. :: Doug Hoffman, Network and Systems Administrator :: :::::: Office of Technology / Network Services :::::: ::::::: Bloomsburg University of Pennsylvania ::::::: ::::::: +1.570.389.4759 / dhoffman () bloomu edu ::::::: Eric Torgersen wrote:
In addition to the root CA expiration issue, I have noticed that Java doesn't ship with IPSCA included as a trusted CA. This can be an issue for a Java applet that makes an SSL connection back to the web server. Eric ---------------------------------------------------------- Eric Torgersen Information Technology Services Unix System Administrator The University @ Albany eric () albany edu 1400 Washington Ave (518) 437-3665 Albany, NY 12222 ---------------------------------------------------------- On Wed, 18 Mar 2009, Brian Epstein wrote: Security, The only thing holding us back from IPSCA is that their Root CA expires 12/29/2009. I wasn't sure what was going to happen afterward. Does anyone know if this CA has been updated? Instead, we decided to go with ssldirect.com. If you sign up as a reseller, you can get SSL Certs for $11.95/year. At this price, we could afford to start using them on many more services. Thanks, ep
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBAgAGBQJJwQKbAAoJELeRhFYdIl1wskAH/2eDFTkBZXlOk1hWp4e1GSfB N8aMJ2VIE3E7FND6aftMZmCkoxOnlP6eLa6D2LKtQGNI1ESIZ1O5IA2Y5ABjAIDi q5bCwMcKwOnqnQQ8La+tWaCotvugGoZN086Yr0G2ujm0i/XayLIJ3wm1VSJOKU6h NEewC3tTRlUcuUoKMeNDxGfU1Cwke5i2//7CFrNbJj8IWvrjTUl7bxCoq2XC9U7y d5vhbLsyWeKO5evWNLDvAZSihXOJkluWzcgPhg7HeYg4DzKkQTaSJVP6rAMX+cW5 s1zZwdzkT/kGSm90L65LuckZUwPTHrkN0oMhnOH2O3VmEw+GkTPvX7m2esmzHEI= =7IE4 -----END PGP SIGNATURE-----
Current thread:
- SSL Certificates Mclaughlin, Kevin (mclaugkl) (Mar 17)
- <Possible follow-ups>
- Re: SSL Certificates Rowe, Ken (Mar 17)
- Re: SSL Certificates Jeff Giacobbe (Mar 17)
- Re: SSL Certificates Consolvo, Corbett D (Mar 17)
- Re: SSL Certificates John Ladwig (Mar 17)
- Re: SSL Certificates Gary Flynn (Mar 18)
- Re: SSL Certificates Brian Epstein (Mar 18)
- Re: SSL Certificates Ryan Fox (Mar 18)
- Re: SSL Certificates Charlie Prothero (Mar 18)
- Re: SSL Certificates Eric Torgersen (Mar 18)
- Re: SSL Certificates Doug Hoffman (Mar 18)
- Re: SSL Certificates Steven Tardy (Mar 18)
- Re: SSL Certificates Cal Frye (Mar 19)