Educause Security Discussion mailing list archives
Re: Intermediate Certificate
From: Alex Keller <alkeller () SFSU EDU>
Date: Thu, 9 Sep 2010 13:43:37 -0700
hi Nate et al, we use InstantSSL/Comodo certs and are pretty used to having to install the intermediary certificate. in fact, i can't recall not having to do it. re: Maybe in a year or so, all the mainstream OS's, browsers, email clients, etc, will catch up and include the entire chain by default and these certs will just work automatically. i don't think this is the plan. from what i understand the idea behind the intermediary certificates is to provide some protection against the risk of a CA root certificate compromise. moreover, the browser developers are going to have little interest in including and keeping track of the thousands (millions?) of intermediary certs. best, alex -- Alex Keller Systems Administrator Academic Technology, San Francisco State University Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu On 9/9/2010 1:27 PM, Nate Johnson wrote:
IU has been a subscriber to the Thawte Certificate Center Enterprise Accounts (formerly SPKI) for several years now. Thawte recently switched from a model of issuing SSL server certs signed by a single trusted root CA cert to a new model of issuing certs signed by an intermediate (subordinate) CA cert that is signed by a root CA cert. The change has caused problems for some of our customers since it now requires them to install the certificate chain of both the intermediate and root certs as well as their server cert. Maybe in a year or so, all the mainstream OS's, browsers, email clients, etc, will catch up and include the entire chain by default and these certs will just work automatically. For now we have a support issue on our hands. As far as we can tell intermediate CA's are first mentioned in RFC 1422, dated Feb 1993. So this is not a new concept. Comodo, InstantSSL, Verisign, Globalsign, Godaddy, Digicert and ipsCA all require sysadmins to install cert chains with intermediate certs. Thawte's support documentation includes easy to understand instructions for all the mainstream web servers, which we have just pointed to in our FAQ and included in our email alerts. And although the security office doesn't have the staff or resources to test and document these issues on all the other myriad of services our customers are installing these certs on, we have successfully helped them track down documentation for some like Cyrus imapd, Sendmail and MySQL. Services that are just beyond our ability to provide support for are things like Active Directory LDAP from non-Windows systems, Blackberry services, service-to-service interactions like PeopleSoft/Oracle and loadbalancers (like Zeus and BigIP). We're writing to EDUCAUSE-SECURITY to see if any of you have had similar experiences, and what solutions you've found. Also important to note is that IU will very soon be switching from Thawte to the InCommon Certificate Service as our commercial cert provider. These issues will persist though, since InCommon (with Comodo as their back-end cert provider) also requires a CA cert chain with intermediate certs. Thanks, Nate
Current thread:
- Intermediate Certificate Nate Johnson (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Alex Keller (Sep 09)
- Re: Certificates Michael Johnson (Sep 09)
- Re: Certificates Mark Montague (Sep 09)
- Re: Certificates Flynn, Gary - flynngn (Sep 10)
- Certificates John Kaftan (Sep 09)
- Re: Certificates Jack Suess (Sep 09)
- Re: Intermediate Certificate Alex Keller (Sep 09)