Educause Security Discussion mailing list archives

Re: Problems with New Thawte Certificate Management Web Site?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 24 Nov 2009 20:28:04 +1300

On 24/11/2009, at 12:07 PM, Elmes, Will wrote:

Could someone explain the IPSCA certs having a problem starting 12-31?  We have a bunch of IPSCA ones and this 
definitely has me concerned.  I usually am able to crawl my way through deploying SSL certs but definitely do not 
understand all of it and could use an explanation.  Thanks!


The only hard evidence I have found is here:   https://bugzilla.mozilla.org/show_bug.cgi?id=523652

You can examine the certs in your browser and see the expiry dates there...

The guts seems to be that there have been a bunch of technical issues over the last months, *some* of which have been 
sorted out if the link above is to be believed.

The big one for us folk is that IPSCA have been signing our Certs with a key for which the Cert expires on the 29th 
Dec.  Standard practice is that you must not issue certs with a validity period longer than that of the signing key. 
According to the above correspondence IPSCA thought they had a way around this and could thus get more mileage from their 
key.  They now appear to have admitted that this 'ingenious scheme' won't work so I am left assuming that the magic 
evaporates on the 29th and the certs become useless strings of bits.

If anyone knows different then I'd be delighted to be corrected.

I started renewing our IPSCA certs (~70 of them) today.

Russell  
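
An added example, not part of the original post: a small inventory check that flags certificates whose own expiry date is later than the expiry of a certificate above them in the chain, which is the situation described in the message. The certificate names and dates are constructed sample data, and the check assumes the issuer certificate in the inventory is the one clients will actually validate against.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample inventory (not real certificates). The not_after strings
# use the format printed by `openssl x509 -noout -enddate`.
SAMPLE = {
    "Example Issuing CA": {"issuer": "Example Issuing CA",
                           "not_after": "notAfter=Dec 29 00:00:00 2009 GMT"},
    "www.example.edu":    {"issuer": "Example Issuing CA",
                           "not_after": "notAfter=Nov 20 00:00:00 2010 GMT"},
    "mail.example.edu":   {"issuer": "Example Issuing CA",
                           "not_after": "notAfter=Dec  1 00:00:00 2009 GMT"},
}

def parse_not_after(text):
    """Turn 'notAfter=Dec 29 00:00:00 2009 GMT' into an aware UTC datetime."""
    stamp = text.split("=", 1)[-1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), tz=timezone.utc)

def effective_expiry(name, certs):
    """Earliest notAfter on the path from `name` to its root, and the cert that sets it."""
    limit, culprit, seen = None, None, set()
    while name in certs and name not in seen:
        seen.add(name)  # guards against loops; a self-signed root ends the walk
        not_after = parse_not_after(certs[name]["not_after"])
        if limit is None or not_after < limit:
            limit, culprit = not_after, name
        name = certs[name]["issuer"]
    return limit, culprit

def audit(certs, leaves):
    """Return (leaf, own_expiry, effective_expiry, culprit) for leaves cut short by an issuer."""
    findings = []
    for leaf in leaves:
        own = parse_not_after(certs[leaf]["not_after"])
        limit, culprit = effective_expiry(leaf, certs)
        if limit < own:
            findings.append((leaf, own, limit, culprit))
    return sorted(findings, key=lambda f: f[2])  # soonest failure first

if __name__ == "__main__":
    for leaf, own, limit, culprit in audit(SAMPLE, ["www.example.edu", "mail.example.edu"]):
        print(f"{leaf}: nominal expiry {own:%Y-%m-%d}, chain fails {limit:%Y-%m-%d} ({culprit})")
```

Certificates listed by this check need replacing before the earlier date, whatever their own expiry field says.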
