November 2010


Options: Use Monospaced Font
Show HTML Part by Default
Condense Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
UofMN Web Standards <[log in to unmask]>
UofMN Net People <[log in to unmask]>
Fri, 5 Nov 2010 14:42:19 -0500
UofMN Web Standards <[log in to unmask]>
Christopher Bongaarts <[log in to unmask]>
text/plain; charset=ISO-8859-1; format=flowed
University of Minnesota
text/plain (71 lines)
Christopher Bongaarts wrote:
> Christopher Bongaarts wrote:
>> The new certificate has been installed.
> Unfortunately this affected some high-profile applications, so I have 
> temporarily reverted to the old certificate to give them a chance to get 
> the new root cert in place.  I expect to reinstall the new cert later 
> today or at the latest tomorrow, when the old cert expires anyway.

We are planning to put the new certificate back in place tomorrow, 
Saturday 11/6 at 5am.

> If anyone happened to notice apps stop working (the expected failure 
> mode would be login looping - you try to log in to an application and it 
> immediately kicks you back to the login page), please let the 
> appropriate support people know.
>> I wrote:
>>> Attention web admins using CAH:
>>> The SSL certificate for x500.umn.edu (the validation service for CAH 
>>> cookies) will be expiring shortly.  We will be using the new InCommon 
>>> CA to issue the new cert, which means the certificate will reference 
>>> a different root CA than before.
>>> If your implementation of CAH checks the validity of the SSL 
>>> certificates, you might want to ensure that the new root CA is 
>>> trusted by the code that is performing the SSL connection.
>>> The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate 
>>> the SSL certificates, and will NOT be affected by this change.
>>> Unless you specifically had to import the Thawte root cert and trust 
>>> it in the past, then probably either (1) your software is not doing 
>>> cert validation or (2) you already have the new root CA trusted.  The 
>>> latter is probably true of installations with a centralized system 
>>> certificate store (e.g. Windows/IIS/.NET).
>>> If you do need to import the new root CA, I've included it below my 
>>> signature.  If you don't trust email, you can also export it from any 
>>> recent browser (the certificate name is "AddTrust External CA Root", 
>>> issued 05/30/2000).
>>> If you have a test instance of your server, you can try pointing your 
>>> validation code at x500-test.umn.edu (instead of x500.umn.edu), on 
>>> the usual port 87.  It is already set up and configured with a 
>>> certificate issued from the new CA.  However, it references the test 
>>> X.500 directory which is not fully populated, so send me email 
>>> (privately) if you would like to have your production directory entry 
>>> cloned over to the test directory temporarily.
>>> The production certificate expires on Saturday afternoon.  In an 
>>> attempt to allow folks to catch problems before the weekend, I'm 
>>> planning to install the certificate on Friday at 10am.  I apologize 
>>> for the late notice; as most of our SSL certificates are 
>>> browser-facing, the supported browsers all have the new root CAs so 
>>> no action is necessary.  But for a few things (such as this service), 
>>> there is non-browser code making the connection so we can't make the 
>>> same assumptions.

%%  Christopher A. Bongaarts   %%  [log in to unmask]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%