Re: Intermediate Certificate

["Yonesy F. Nunez" <yonesy.nunez () NEWSCHOOL EDU>]

We had this issue about 3 weeks ago when we renewed one of our main systems.
Suffice it to say the system did not fall into the cookie-cutter category
and it took us a couple of days to track down the solution for properly
updating the certificate chain on that system.  I suggest that the folks
that have not done this yet to take an inventory of all their systems and
ensure that they have all the steps in place for updating the TCRA with the
subordinate/intermediate CA.  The solution is to ensure that you are able to
successfully update the TCRA for each of your systems.  It's a good thing
that these events don't happen too often.

Best regards,

Yonesy

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nate Johnson
Sent: Thursday, September 09, 2010 4:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Intermediate Certificate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IU has been a subscriber to the Thawte Certificate Center Enterprise
Accounts (formerly SPKI) for several years now. Thawte recently switched
from a model of issuing SSL server certs signed by a single trusted root
CA cert to a new model of issuing certs signed by an intermediate
(subordinate) CA cert that is signed by a root CA cert.

The change has caused problems for some of our customers since it now
requires them to install the certificate chain of both the intermediate
and root certs as well as their server cert. Maybe in a year or so, all
the mainstream OS's, browsers, email clients, etc, will catch up and
include the entire chain by default and these certs will just work
automatically. For now we have a support issue on our hands.

As far as we can tell intermediate CA's are first mentioned in RFC 1422,
dated Feb 1993. So this is not a new concept. Comodo, InstantSSL,
Verisign, Globalsign, Godaddy, Digicert and ipsCA all require sysadmins to
install cert chains with intermediate certs.

Thawte's support documentation includes easy to understand instructions
for all the mainstream web servers, which we have just pointed to in our
FAQ and included in our email alerts. And although the security office
doesn't have the staff or resources to test and document these issues on
all the other myriad of services our customers are installing these certs
on, we have successfully helped them track down documentation for some
like Cyrus imapd, Sendmail and MySQL.

Services that are just beyond our ability to provide support for are
things like Active Directory LDAP from non-Windows systems, Blackberry
services, service-to-service interactions like PeopleSoft/Oracle and
loadbalancers (like Zeus and BigIP).

We're writing to EDUCAUSE-SECURITY to see if any of you have had similar
experiences, and what solutions you've found.

Also important to note is that IU will very soon be switching from Thawte
to the InCommon Certificate Service as our commercial cert provider. These
issues will persist though, since InCommon (with Comodo as their back-end
cert provider) also requires a CA cert chain with intermediate certs.

Thanks,
Nate

- -- 
* Nate Johnson, Principal Security Engineer, GCIH, GCFA
* University Information Security Office, Indiana University
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyJQzwACgkQGQUVGJudcw71DgCdHe+37IhMQ9T/E7hhihT29CXX
Jf4AnRYZypMadDLrWlm0t+1PxzHNE9Ei
=DXsW
-----END PGP SIGNATURE-----