WEBSTANDARDS Archives

November 2010

WEBSTANDARDS@LISTS.UMN.EDU

Options: Use Monospaced Font
Show HTML Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
From:
Christopher Bongaarts <[log in to unmask]>
Reply To:
UofMN Web Standards <[log in to unmask]>
Date:
Fri, 5 Nov 2010 10:09:38 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (51 lines)
The new certificate has been installed.

I wrote:
> Attention web admins using CAH:
> 
> The SSL certificate for x500.umn.edu (the validation service for CAH 
> cookies) will be expiring shortly.  We will be using the new InCommon CA 
> to issue the new cert, which means the certificate will reference a 
> different root CA than before.
> 
> If your implementation of CAH checks the validity of the SSL 
> certificates, you might want to ensure that the new root CA is trusted 
> by the code that is performing the SSL connection.
> 
> The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate 
> the SSL certificates, and will NOT be affected by this change.
> 
> Unless you specifically had to import the Thawte root cert and trust it 
> in the past, then probably either (1) your software is not doing cert 
> validation or (2) you already have the new root CA trusted.  The latter 
> is probably true of installations with a centralized system certificate 
> store (e.g. Windows/IIS/.NET).
> 
> If you do need to import the new root CA, I've included it below my 
> signature.  If you don't trust email, you can also export it from any 
> recent browser (the certificate name is "AddTrust External CA Root", 
> issued 05/30/2000).
> 
> If you have a test instance of your server, you can try pointing your 
> validation code at x500-test.umn.edu (instead of x500.umn.edu), on the 
> usual port 87.  It is already set up and configured with a certificate 
> issued from the new CA.  However, it references the test X.500 directory 
> which is not fully populated, so send me email (privately) if you would 
> like to have your production directory entry cloned over to the test 
> directory temporarily.
> 
> The production certificate expires on Saturday afternoon.  In an attempt 
> to allow folks to catch problems before the weekend, I'm planning to 
> install the certificate on Friday at 10am.  I apologize for the late 
> notice; as most of our SSL certificates are browser-facing, the 
> supported browsers all have the new root CAs so no action is necessary. 
>  But for a few things (such as this service), there is non-browser code 
> making the connection so we can't make the same assumptions.
> 


-- 
%%  Christopher A. Bongaarts   %%  [log in to unmask]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

ATOM RSS1 RSS2