Subject: | |
From: | |
Reply To: | |
Date: | Fri, 5 Nov 2010 14:42:19 -0500 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
Christopher Bongaarts wrote:
> Christopher Bongaarts wrote:
>> The new certificate has been installed.
>
> Unfortunately this affected some high-profile applications, so I have
> temporarily reverted to the old certificate to give them a chance to get
> the new root cert in place. I expect to reinstall the new cert later
> today or at the latest tomorrow, when the old cert expires anyway.
We are planning to put the new certificate back in place tomorrow,
Saturday 11/6 at 5am.
> If anyone happened to notice apps stop working (the expected failure
> mode would be login looping - you try to log in to an application and it
> immediately kicks you back to the login page), please let the
> appropriate support people know.
>
>> I wrote:
>>> Attention web admins using CAH:
>>>
>>> The SSL certificate for x500.umn.edu (the validation service for CAH
>>> cookies) will be expiring shortly. We will be using the new InCommon
>>> CA to issue the new cert, which means the certificate will reference
>>> a different root CA than before.
>>>
>>> If your implementation of CAH checks the validity of the SSL
>>> certificates, you might want to ensure that the new root CA is
>>> trusted by the code that is performing the SSL connection.
>>>
>>> The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate
>>> the SSL certificates, and will NOT be affected by this change.
>>>
>>> Unless you specifically had to import the Thawte root cert and trust
>>> it in the past, then probably either (1) your software is not doing
>>> cert validation or (2) you already have the new root CA trusted. The
>>> latter is probably true of installations with a centralized system
>>> certificate store (e.g. Windows/IIS/.NET).
>>>
>>> If you do need to import the new root CA, I've included it below my
>>> signature. If you don't trust email, you can also export it from any
>>> recent browser (the certificate name is "AddTrust External CA Root",
>>> issued 05/30/2000).
>>>
>>> If you have a test instance of your server, you can try pointing your
>>> validation code at x500-test.umn.edu (instead of x500.umn.edu), on
>>> the usual port 87. It is already set up and configured with a
>>> certificate issued from the new CA. However, it references the test
>>> X.500 directory which is not fully populated, so send me email
>>> (privately) if you would like to have your production directory entry
>>> cloned over to the test directory temporarily.
>>>
>>> The production certificate expires on Saturday afternoon. In an
>>> attempt to allow folks to catch problems before the weekend, I'm
>>> planning to install the certificate on Friday at 10am. I apologize
>>> for the late notice; as most of our SSL certificates are
>>> browser-facing, the supported browsers all have the new root CAs so
>>> no action is necessary. But for a few things (such as this service),
>>> there is non-browser code making the connection so we can't make the
>>> same assumptions.
>>>
>>
>>
>
>
--
%% Christopher A. Bongaarts %% [log in to unmask] %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
|
|
|