Educause Security Discussion mailing list archives

Re: Thawte root change to 2048 bit cert and intermediate CA


From: Jason Testart <jatestart () UWATERLOO CA>
Date: Wed, 26 May 2010 23:56:21 -0400

I believe it's 8.23.

jt

Flynn, Gary wrote:
How old a version of PeopleTools?


On 5/25/10 5:30 PM, "Jason Testart" <jatestart () UWATERLOO CA> wrote:

    Flynn, Gary wrote:
    > https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AD221&actp=LIST&viewlocale=en_US
    >
    > If they’re changing their root cert and adding an intermediate cert,
    > won’t all browsers and clients have to have those certs added to their
    > stores for SSL certs signed by them to be trusted? I don’t see a 2048
    > bit Thawte cert in the latest patched version of Internet Explorer.
    >
    > They have scheduled a presentation in June to describe the change
    > coming in June. Given our experience with their presentation about the
    > SPKI changes a few months ago and subsequent operational issues, I’m a
    > bit anxious about this change even with their wording, “There is no
    > action necessary on your part.  Your current valid Certificates issued
    > off our MD5, 1024 bit RSA Roots will continue to operate correctly and
    > securely. There is no need to replace your existing Certificates.
    > Thawte is providing this advance information to ensure a smooth
    > transition. Also, this information will help you in making your IT
    > investment decisions e.g. ask the vendors if they support 2048-bit RSA
    > keys etc.”.  What about certs issued using their new root?

    We switched to Globalsign before the SPKI changes.  At that time, we
    went through the pain of both operational processes AND moving to
    intermediate certs at the same time.

    There shouldn't be any changes needed on the browser (assuming the
    correct root CA is trusted).  You will need to change how you do things
    on the server.  We had some pains educating our server admins to include
    the intermediate cert along with the server cert at certificate install
    time.  The only issue we have now is an old version of PeopleTools
    (where the old Java keystore doesn't deal with chaining at all).

    jt
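
The server-side point made in the thread (the client only needs to trust the root; the server has to send the intermediate along with its own certificate), shown as an added example that is not part of the original messages. It builds a throwaway root -> intermediate -> leaf chain with openssl and checks the leaf the way a client that trusts only the root would. The CA and host names are made up for the demo, and it assumes openssl 1.1.1 or later is on PATH; everything runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread, Thawte or GlobalSign): builds a
# throwaway root -> intermediate -> leaf chain with openssl and shows that a
# client trusting only the root cannot validate the leaf unless the
# intermediate is supplied as well, which is what the server must send.
# Names (Example Test Root CA, www.example.test) are made up. Assumes
# openssl 1.1.1+ on PATH. Files are left in $WORK for inspection.

WORK=$(mktemp -d)

# Extension profiles for the three certificates (constructed for this demo).
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# new_key_and_csr NAME SUBJECT: 2048-bit RSA key plus a CSR for SUBJECT.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

build_chain() {
    new_key_and_csr root "/CN=Example Test Root CA"
    new_key_and_csr intermediate "/CN=Example Test Intermediate CA"
    new_key_and_csr leaf "/CN=www.example.test"

    # Self-signed 2048-bit root (the only thing the client needs in its store).
    openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" \
        -signkey "$WORK/root.key" -extfile "$WORK/ext.cnf" -extensions v3_root \
        -out "$WORK/root.pem" >/dev/null 2>&1
    # Intermediate CA signed by the root.
    openssl x509 -req -sha256 -days 30 -in "$WORK/intermediate.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions v3_intermediate \
        -out "$WORK/intermediate.pem" >/dev/null 2>&1
    # Server (leaf) certificate signed by the intermediate, not the root.
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    # What the server should be configured to send: leaf first, then intermediate.
    cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/chain.pem"
}

# Client trusting only the root, server sending only the leaf: fails with
# "unable to get local issuer certificate" (openssl verify exits non-zero).
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, server sending leaf + intermediate: succeeds. -untrusted marks
# the chain file as supplied-by-the-peer, not as a trust anchor.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Number of certificates in the bundle the server would be configured with.
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

build_chain
if verify_leaf_alone; then
    echo "leaf alone: verified (unexpected)"
else
    echo "leaf alone: verification fails, client has no issuer for the leaf"
fi
if verify_with_chain; then
    echo "leaf + intermediate: verified against the root only"
fi
echo "certificates in server chain file: $(chain_cert_count)"
```

Against a real deployment the same check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if only one appears, the intermediate was not installed and clients that do not already cache it will fail exactly like the first verify above.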

