WEBSTANDARDS Archives

November 2010

WEBSTANDARDS@LISTS.UMN.EDU

Subject:
From: Christopher Bongaarts <[log in to unmask]>
Reply-To: UofMN Web Standards <[log in to unmask]>
Date: Wed, 3 Nov 2010 13:05:44 -0500
Content-Type: text/plain
Attention web admins using CAH:

The SSL certificate for x500.umn.edu (the validation service for CAH
cookies) will be expiring shortly.  We will be using the new InCommon CA
to issue the new cert, which means the certificate will reference a
different root CA than before.

If your implementation of CAH checks the validity of the SSL
certificates, you might want to ensure that the new root CA is trusted
by the code that is performing the SSL connection.

The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate
the SSL certificates, and will NOT be affected by this change.

Unless you specifically had to import the Thawte root cert and trust it
in the past, probably either (1) your software is not doing cert
validation or (2) you already have the new root CA trusted.  The latter
is probably true of installations with a centralized system certificate
store (e.g. Windows/IIS/.NET).

If you do need to import the new root CA, I've included it below my
signature.  If you don't trust email, you can also export it from any
recent browser (the certificate name is "AddTrust External CA Root",
issued 05/30/2000).

If you have a test instance of your server, you can try pointing your
validation code at x500-test.umn.edu (instead of x500.umn.edu), on the
usual port 87.  It is already set up and configured with a certificate
issued from the new CA.  However, it references the test X.500 directory
which is not fully populated, so send me email (privately) if you would
like to have your production directory entry cloned over to the test
directory temporarily.

The production certificate expires on Saturday afternoon.  In an attempt
to allow folks to catch problems before the weekend, I'm planning to
install the certificate on Friday at 10am.  I apologize for the late
notice; as most of our SSL certificates are browser-facing, the
supported browsers all have the new root CAs so no action is necessary.
But for a few things (such as this service), there is non-browser code
making the connection so we can't make the same assumptions.

-- 
%%  Christopher A. Bongaarts   %%  [log in to unmask]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

new root CA cert:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
