Attention web admins using CAH:

The SSL certificate for x500.umn.edu (the validation service for CAH
cookies) will be expiring shortly. We will be using the new InCommon CA
to issue the new cert, which means the certificate will reference a
different root CA than before.

If your implementation of CAH checks the validity of the SSL
certificates, you might want to ensure that the new root CA is trusted
by the code that is performing the SSL connection.

The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate
the SSL certificates, and will NOT be affected by this change.

Unless you specifically had to import the Thawte root cert and trust it
in the past, then probably either (1) your software is not doing cert
validation or (2) you already have the new root CA trusted. The latter
is probably true of installations with a centralized system certificate
store (e.g. Windows/IIS/.NET).

If you do need to import the new root CA, I've included it below my
signature. If you don't trust email, you can also export it from any
recent browser (the certificate name is "AddTrust External CA Root",

If you have a test instance of your server, you can try pointing your
validation code at x500-test.umn.edu (instead of x500.umn.edu), on the
usual port 87. It is already set up and configured with a certificate
issued from the new CA. However, it references the test X.500 directory
which is not fully populated, so send me email (privately) if you would
like to have your production directory entry cloned over to the test

The production certificate expires on Saturday afternoon. In an attempt
to allow folks to catch problems before the weekend, I'm planning to
install the certificate on Friday at 10am. I apologize for the late
notice; as most of our SSL certificates are browser-facing, the
supported browsers all have the new root CAs so no action is necessary.
But for a few things (such as this service), there is non-browser code
making the connection so we can't make the same assumptions.

%% Christopher A. Bongaarts %% [log in to unmask] %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%

new root CA cert:
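
An added example, not part of the original message and not CAH code: a Python check of whether the trust store your validation code uses already holds the new root, followed by a validating handshake against the test host. The function names are hypothetical, and it assumes port 87 accepts a direct SSL/TLS handshake and that `cafile`, if given, is a PEM file containing the new root.

```python
import socket
import ssl

NEW_ROOT_CN = "AddTrust External CA Root"  # root name given in the message


def subject_cn(subject):
    """Return the commonName from an ssl-module subject tuple, or None."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def store_has_root(ctx, common_name=NEW_ROOT_CN):
    """True if a CA with this commonName is loaded in the context."""
    return any(subject_cn(ca.get("subject", ())) == common_name
               for ca in ctx.get_ca_certs())


def check_endpoint(host, port, cafile=None, timeout=10):
    """Attempt a validating TLS handshake; return (ok, detail).

    With cafile=None the platform default store is used; otherwise only
    the CAs in that PEM file are trusted (assumed to hold the new root).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Chain and hostname verified; report who issued the cert.
                return True, subject_cn(tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as exc:
        # Typical failure when the new root is missing from the store.
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("root in default store:", store_has_root(ssl.create_default_context()))
    print(check_endpoint("x500-test.umn.edu", 87))
```

A `(False, "unable to get local issuer certificate")` result from `check_endpoint` is the case the message describes: the connecting code validates certificates but does not yet trust the new root.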