November 2010


Christopher Bongaarts <[log in to unmask]>
Reply To:
UofMN Web Standards <[log in to unmask]>
Fri, 5 Nov 2010 10:56:34 -0500
text/plain (65 lines)
Christopher Bongaarts wrote:
> The new certificate has been installed.

Unfortunately this affected some high-profile applications, so I have 
temporarily reverted to the old certificate to give them a chance to get 
the new root cert in place.  I expect to reinstall the new cert later 
today or at the latest tomorrow, when the old cert expires anyway.

If anyone happened to notice apps stop working (the expected failure 
mode would be login looping - you try to log in to an application and it 
immediately kicks you back to the login page), please let the 
appropriate support people know.

> I wrote:
>> Attention web admins using CAH:
>> The SSL certificate for x500.umn.edu (the validation service for CAH 
>> cookies) will be expiring shortly.  We will be using the new InCommon 
>> CA to issue the new cert, which means the certificate will reference a 
>> different root CA than before.
>> If your implementation of CAH checks the validity of the SSL 
>> certificates, you might want to ensure that the new root CA is trusted 
>> by the code that is performing the SSL connection.
>> The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate 
>> the SSL certificates, and will NOT be affected by this change.
>> Unless you specifically had to import the Thawte root cert and trust 
>> it in the past, then probably either (1) your software is not doing 
>> cert validation or (2) you already have the new root CA trusted.  The 
>> latter is probably true of installations with a centralized system 
>> certificate store (e.g. Windows/IIS/.NET).
>> If you do need to import the new root CA, I've included it below my 
>> signature.  If you don't trust email, you can also export it from any 
>> recent browser (the certificate name is "AddTrust External CA Root", 
>> issued 05/30/2000).
>> If you have a test instance of your server, you can try pointing your 
>> validation code at x500-test.umn.edu (instead of x500.umn.edu), on the 
>> usual port 87.  It is already set up and configured with a certificate 
>> issued from the new CA.  However, it references the test X.500 
>> directory which is not fully populated, so send me email (privately) 
>> if you would like to have your production directory entry cloned over 
>> to the test directory temporarily.
>> The production certificate expires on Saturday afternoon.  In an 
>> attempt to allow folks to catch problems before the weekend, I'm 
>> planning to install the certificate on Friday at 10am.  I apologize 
>> for the late notice; as most of our SSL certificates are 
>> browser-facing, the supported browsers all have the new root CAs so no 
>> action is necessary.  But for a few things (such as this service), 
>> there is non-browser code making the connection so we can't make the 
>> same assumptions.

%%  Christopher A. Bongaarts   %%  [log in to unmask]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%