Christopher Bongaarts wrote:
> Christopher Bongaarts wrote:
>> The new certificate has been installed.
>
> Unfortunately this affected some high-profile applications, so I have
> temporarily reverted to the old certificate to give them a chance to get
> the new root cert in place. I expect to reinstall the new cert later
> today or at the latest tomorrow, when the old cert expires anyway.

We are planning to put the new certificate back in place tomorrow,
Saturday 11/6 at 5am.

> If anyone happened to notice apps stop working (the expected failure
> mode would be login looping - you try to log in to an application and it
> immediately kicks you back to the login page), please let the
> appropriate support people know.
>
>> I wrote:
>>> Attention web admins using CAH:
>>>
>>> The SSL certificate for x500.umn.edu (the validation service for CAH
>>> cookies) will be expiring shortly. We will be using the new InCommon
>>> CA to issue the new cert, which means the certificate will reference
>>> a different root CA than before.
>>>
>>> If your implementation of CAH checks the validity of the SSL
>>> certificates, you might want to ensure that the new root CA is
>>> trusted by the code that is performing the SSL connection.
>>>
>>> The Apache modules mod_cookieauth and mod_cookieauth2 do NOT validate
>>> the SSL certificates, and will NOT be affected by this change.
>>>
>>> Unless you specifically had to import the Thawte root cert and trust
>>> it in the past, then probably either (1) your software is not doing
>>> cert validation or (2) you already have the new root CA trusted. The
>>> latter is probably true of installations with a centralized system
>>> certificate store (e.g. Windows/IIS/.NET).
>>>
>>> If you do need to import the new root CA, I've included it below my
>>> signature. If you don't trust email, you can also export it from any
>>> recent browser (the certificate name is "AddTrust External CA Root",
>>> issued 05/30/2000).
>>>
>>> If you have a test instance of your server, you can try pointing your
>>> validation code at x500-test.umn.edu (instead of x500.umn.edu), on
>>> the usual port 87. It is already set up and configured with a
>>> certificate issued from the new CA. However, it references the test
>>> X.500 directory which is not fully populated, so send me email
>>> (privately) if you would like to have your production directory entry
>>> cloned over to the test directory temporarily.
>>>
>>> The production certificate expires on Saturday afternoon. In an
>>> attempt to allow folks to catch problems before the weekend, I'm
>>> planning to install the certificate on Friday at 10am. I apologize
>>> for the late notice; as most of our SSL certificates are
>>> browser-facing, the supported browsers all have the new root CAs so
>>> no action is necessary. But for a few things (such as this service),
>>> there is non-browser code making the connection so we can't make the
>>> same assumptions.
>>>
>>
>>
>
>

--
%%  Christopher A. Bongaarts   %%  [log in to unmask]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab         %%
%%  University of Minnesota    %%  +1 (612) 625-1809           %%
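The check the notice asks non-browser CAH validators to make, as an added example that is not part of the thread or of any CAH module: open a TLS connection to the validation service with only the root CA you intend to trust and report whether verification succeeded, so an untrusted new root shows up as a "verify" failure before users see login loops. The hostnames and port 87 come from the message; the CA file path is a placeholder for wherever the new root has been saved.

```python
import socket
import ssl

# Hosts and port named in the notice; the CA file path is a placeholder.
PRODUCTION_HOST = "x500.umn.edu"
TEST_HOST = "x500-test.umn.edu"
CAH_PORT = 87
NEW_ROOT_PEM = "/path/to/addtrust-external-ca-root.pem"  # placeholder


def probe_tls_trust(host, port, cafile=None, timeout=5.0):
    """Connect like a CAH validator would and report which stage failed.

    Returns a dict with ok, stage ('cafile', 'connect', 'verify', 'tls' or
    'ok'), error text, and the peer's subject/issuer when the handshake works.
    """
    result = {"ok": False, "stage": None, "error": None,
              "subject": None, "issuer": None}
    try:
        # With cafile set, ONLY that bundle is trusted, which mimics
        # non-browser code that ships its own trust store instead of
        # relying on the system certificate store.
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:
        result.update(stage="cafile", error=str(exc))
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    cert = tls.getpeercert()
            except ssl.SSLCertVerificationError as exc:
                # The failure the notice warns about: browsers accept the
                # chain, but this client does not trust the new root CA.
                result.update(stage="verify", error=exc.verify_message)
                return result
            except ssl.SSLError as exc:
                result.update(stage="tls", error=str(exc))
                return result
    except OSError as exc:
        result.update(stage="connect", error=str(exc))
        return result
    result.update(ok=True, stage="ok",
                  subject=dict(rdn[0] for rdn in cert["subject"]),
                  issuer=dict(rdn[0] for rdn in cert["issuer"]))
    return result


if __name__ == "__main__":
    for host in (TEST_HOST, PRODUCTION_HOST):
        print(host, probe_tls_trust(host, CAH_PORT, cafile=NEW_ROOT_PEM))
```

Run it against x500-test.umn.edu first; a stage of "verify" with a message about an unknown or self-signed issuer means the validating code still lacks the new root, while "ok" with an InCommon issuer confirms the trust store is ready.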