Re: [CODE4LIB] ipsCA Certs
Yes, you are right. I'm afraid we are using ipsCA certs, and the 'updated' certs (that is, those that have not expired) are still not trusted by Firefox. Or Opera or Safari. They are trusted by IE7. Haven't tested IE6.

Godmar Back wrote:

Hi,

in my role as unpaid tech advisor for our local library, may I ask a question about the ipsCA issue?

Is my understanding correct that ipsCA currently reissues certificates [1] signed with a root CA that is not yet in Mozilla products, due to IPS's delaying the necessary vetting process [2]? In other words, Mozilla users would see security warnings even if a reissued certificate was used?

The reason I'm confused is that I, like David, saw a number of still valid certificates from "IPS Internet publishing Services s.l." already shipping with Firefox, alongside the now-expired certificate. But I suppose those certificates are for something else and the reissued certificates won't be signed using them?

Thanks,

 - Godmar

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=529286
[1] http://certs.ipsca.com/Support/hierarchy-ipsca.asp

On Thu, Dec 17, 2009 at 4:02 PM, John Wynstra wrote:

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
Re: [CODE4LIB] ipsCA Certs
I think you are correct. I and another library went and got a re-issued cert from ipsCA, stuck it in ezproxy, and found that Firefox as well as Opera gave a security warning. (Actually, Opera never did work with the old ipsCA cert either.)

There is also correspondence between Mozilla and ipsCA, culminating in a note that Mozilla won't be activating the ipsCA cert, since they are past the deadline. I was interested from the language that there seemed to be a way of activating certs rather than just putting them in there; perhaps you are seeing "inactive" certs from ipsCA?

-----Original Message-----
From: Code for Libraries [mailto:code4...@listserv.nd.edu] On Behalf Of Godmar Back
Sent: Monday, January 04, 2010 2:52 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: Re: [CODE4LIB] ipsCA Certs

Hi,

in my role as unpaid tech advisor for our local library, may I ask a question about the ipsCA issue?

Is my understanding correct that ipsCA currently reissues certificates [1] signed with a root CA that is not yet in Mozilla products, due to IPS's delaying the necessary vetting process [2]? In other words, Mozilla users would see security warnings even if a reissued certificate was used?

The reason I'm confused is that I, like David, saw a number of still valid certificates from "IPS Internet publishing Services s.l." already shipping with Firefox, alongside the now-expired certificate. But I suppose those certificates are for something else and the reissued certificates won't be signed using them?

Thanks,

 - Godmar

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=529286
[1] http://certs.ipsca.com/Support/hierarchy-ipsca.asp

On Thu, Dec 17, 2009 at 4:02 PM, John Wynstra wrote:
> Out of curiosity, did anyone else using ipsCA certs receive notification
> that due to the coming expiration of their root CA (December 29, 2009), they
> would need a reissued cert under a new root CA?
>
> I am uncertain as to how this new Root CA will become a part of the
> browsers' trusted roots without some type of user action including a software
> upgrade, but the following library website instructions lead me to believe
> that this is not going to be smooth. http://bit.ly/53Npel
>
> We are just about to go live with EZProxy in January with an ipsCA cert
> issued a few months ago, and I am not about to do that if I have a serious
> browser support issue.
>
>
> --
> <><><><><><><><><><><><><><><><><><><>
> John Wynstra
> Library Information Systems Specialist
> Rod Library
> University of Northern Iowa
> Cedar Falls, IA 50613
> wyns...@uni.edu
> (319)273-6399
> <><><><><><><><><><><><><><><><><><><>
>
Re: [CODE4LIB] ipsCA Certs
Hi,

in my role as unpaid tech advisor for our local library, may I ask a question about the ipsCA issue?

Is my understanding correct that ipsCA currently reissues certificates [1] signed with a root CA that is not yet in Mozilla products, due to IPS's delaying the necessary vetting process [2]? In other words, Mozilla users would see security warnings even if a reissued certificate was used?

The reason I'm confused is that I, like David, saw a number of still valid certificates from "IPS Internet publishing Services s.l." already shipping with Firefox, alongside the now-expired certificate. But I suppose those certificates are for something else and the reissued certificates won't be signed using them?

Thanks,

 - Godmar

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=529286
[1] http://certs.ipsca.com/Support/hierarchy-ipsca.asp

On Thu, Dec 17, 2009 at 4:02 PM, John Wynstra wrote:
> Out of curiosity, did anyone else using ipsCA certs receive notification
> that due to the coming expiration of their root CA (December 29, 2009), they
> would need a reissued cert under a new root CA?
>
> I am uncertain as to how this new Root CA will become a part of the
> browsers' trusted roots without some type of user action including a software
> upgrade, but the following library website instructions lead me to believe
> that this is not going to be smooth. http://bit.ly/53Npel
>
> We are just about to go live with EZProxy in January with an ipsCA cert
> issued a few months ago, and I am not about to do that if I have a serious
> browser support issue.
>
>
> --
> <><><><><><><><><><><><><><><><><><><>
> John Wynstra
> Library Information Systems Specialist
> Rod Library
> University of Northern Iowa
> Cedar Falls, IA 50613
> wyns...@uni.edu
> (319)273-6399
> <><><><><><><><><><><><><><><><><><><>
>
Re: [CODE4LIB] ipsCA Certs
Whew. Just survived an Ubuntu dist-upgrade which broke our Apache SSL virtual hosts configuration. I had thought the foulup on the test server was because we were testing various certs in the wake of the root CA expiration!

We estimate that 15-25% of our users will be affected (the new root CA seems to work in Google Chrome as well as IE), and that a new wildcard cert could be had for $40 or $80 from StartSSL for two years - not quite sure yet what level of verification we'd need, hence the 40/80 doubt. We're running multiple name-based hosts at one IP address (for encryption), hence the reliance on the wildcard cert. We could conceivably get more IP addresses, but I don't know if I want to take that one up with IT.

Methinks we're going to try scraping together 40/80 bucks, which isn't as simple here as it may sound.

Twitter's been very helpful in keeping up with this.

--
Yitzchak Schaffer
Systems Manager
Touro College Libraries
33 West 23rd Street
New York, NY 10010
Tel (212) 463-0400 x5230
Fax (212) 627-3197
Email yitzchak.schaf...@gmx.com

Access Problems? Contact systems.libr...@touro.edu
Re: [CODE4LIB] ipsCA Certs
john,

we had the same problem. we ended up buying from another vendor last minute as this wasn't going to be a smooth process.

i can't believe they didn't give us all more notice.

John Wynstra wrote:

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.
Re: [CODE4LIB] ipsCA Certs
On Fri, Dec 18, 2009 at 11:46 AM, John Wynstra wrote:
> We are going with either Thawte or Digicert since our campus already has
> certs from these Vendors. My personal experience has been with Thawte, but
> not with their wildcard certs.

Depending on how cheap "cheap" needs to be, I've actually had good experiences with GoDaddy's wildcard certs. Their site is irritating, but they're cheap and probably aren't gonna die tomorrow.

Cheers,
-Nate
Re: [CODE4LIB] ipsCA Certs
The following from EZProxy list offers some info along these lines.

http://ls.suny.edu/read/archive?id=1183059

The vendor recommended in this post appears to be a reseller (maybe owner) of multiple certs including Verisign and Thawte from what I can tell.

We are going with either Thawte or Digicert since our campus already has certs from these Vendors. My personal experience has been with Thawte, but not with their wildcard certs.

Yitzchak Schaffer wrote:

On 12/18/2009 12:03 PM, John Wynstra wrote:

We are going to purchase a certificate elsewhere, because we can't wait for ipsCA root Cert to get into popular browsers.

Ergh. Anyone have any fresh research on cheap education wildcard certs? We're using SSL on three (soon to be four) publicly-used hosts. TLD is .org though.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
Re: [CODE4LIB] ipsCA Certs
On 12/18/2009 12:03 PM, John Wynstra wrote:

We are going to purchase a certificate elsewhere, because we can't wait for ipsCA root Cert to get into popular browsers.

Ergh. Anyone have any fresh research on cheap education wildcard certs? We're using SSL on three (soon to be four) publicly-used hosts. TLD is .org though.

--
Yitzchak Schaffer
Systems Manager
Touro College Libraries
33 West 23rd Street
New York, NY 10010
Tel (212) 463-0400 x5230
Fax (212) 627-3197
Email yitzchak.schaf...@gmx.com

Access Problems? Contact systems.libr...@touro.edu
Re: [CODE4LIB] ipsCA Certs
I'm done with the worry part at this point. We are going to purchase a certificate elsewhere, because we can't wait for ipsCA root Cert to get into popular browsers.

It creates a really bad user experience if our users are getting what seem to them to be "WARNING--YOU ARE ABOUT TO DIE" messages from their browser when coming through or to our site. If we train them that it is OK to make an exception for our cert, we are doing them a disservice and training them to take risks.

I know other server admins on campus are purchasing certs also. I wish I was in the certificate business today--not really.

Tim McGeary wrote:

I'm a little dismayed at the eleventh hour posting of the email. It makes it feel illegitimate, but I have had other confirmation that it is legit, too. Another thing to worry about before Christmas...

Tim McGeary
Team Leader, Library Technology
Lehigh University
610-758-4998
tim.mcge...@lehigh.edu
timmcge...@gmail.com
GTalk/Yahoo/Skype: timmcgeary

Walker, David wrote:

I see now that I'm looking at the intermediate certificate. The root does expire in 2009. Nevermind. :-)

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Walker, David
Sent: Thursday, December 17, 2009 1:40 PM
To: Code for Libraries
Subject: RE: [CODE4LIB] ipsCA Certs

Hi John,

I also got this email. We also recently installed an ipsCA wildcard cert for a test EZProxy install.

Looking at the details of our ipsCA wildcard certificate in Firefox, though, I can see the chain of certificates going up to the root ipsCA cert. Firefox says that that root certificate -- ipsCA CLASEA1 Certificate Authority -- is good until 2025. I see the same thing in IE, Safari, and I assume every other browser I might check.

Do you see that too?

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Code for Libraries [code4...@listserv.nd.edu] On Behalf Of John Wynstra [john.wyns...@uni.edu]
Sent: Thursday, December 17, 2009 1:02 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: [CODE4LIB] ipsCA Certs

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
Re: [CODE4LIB] ipsCA Certs
I'm a little dismayed at the eleventh hour posting of the email. It makes it feel illegitimate, but I have had other confirmation that it is legit, too. Another thing to worry about before Christmas...

Tim McGeary
Team Leader, Library Technology
Lehigh University
610-758-4998
tim.mcge...@lehigh.edu
timmcge...@gmail.com
GTalk/Yahoo/Skype: timmcgeary

Walker, David wrote:

I see now that I'm looking at the intermediate certificate. The root does expire in 2009. Nevermind. :-)

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Walker, David
Sent: Thursday, December 17, 2009 1:40 PM
To: Code for Libraries
Subject: RE: [CODE4LIB] ipsCA Certs

Hi John,

I also got this email. We also recently installed an ipsCA wildcard cert for a test EZProxy install.

Looking at the details of our ipsCA wildcard certificate in Firefox, though, I can see the chain of certificates going up to the root ipsCA cert. Firefox says that that root certificate -- ipsCA CLASEA1 Certificate Authority -- is good until 2025. I see the same thing in IE, Safari, and I assume every other browser I might check.

Do you see that too?

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Code for Libraries [code4...@listserv.nd.edu] On Behalf Of John Wynstra [john.wyns...@uni.edu]
Sent: Thursday, December 17, 2009 1:02 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: [CODE4LIB] ipsCA Certs

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
Re: [CODE4LIB] ipsCA Certs
I see now that I'm looking at the intermediate certificate. The root does expire in 2009. Nevermind. :-)

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Walker, David
Sent: Thursday, December 17, 2009 1:40 PM
To: Code for Libraries
Subject: RE: [CODE4LIB] ipsCA Certs

Hi John,

I also got this email. We also recently installed an ipsCA wildcard cert for a test EZProxy install.

Looking at the details of our ipsCA wildcard certificate in Firefox, though, I can see the chain of certificates going up to the root ipsCA cert. Firefox says that that root certificate -- ipsCA CLASEA1 Certificate Authority -- is good until 2025. I see the same thing in IE, Safari, and I assume every other browser I might check.

Do you see that too?

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Code for Libraries [code4...@listserv.nd.edu] On Behalf Of John Wynstra [john.wyns...@uni.edu]
Sent: Thursday, December 17, 2009 1:02 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: [CODE4LIB] ipsCA Certs

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
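
Added example, not part of any message in this thread: a throwaway PKI built with the openssl CLI that reproduces the two points the posters ran into, namely that a far-off expiry date on an intermediate says nothing about the root above it, and that a reissued certificate only validates where the new root is already in the trust store. All certificate names (old-root, old-intermediate, new-root, reissued-leaf) and validity periods are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every name and validity period below is made up.
set -eu

# Minimal config so the demo does not depend on the system openssl.cnf.
write_cfg() {
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$1"
}

# new_root <dir> <name> <days>: self-signed root <name>.pem with key <name>.key
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/cfg" \
    -extensions v3_ca -subj "/CN=$2" -days "$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue <dir> <name> <issuer> <days> <v3_ca|v3_leaf>: <name>.pem signed by <issuer>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days "$4" -extfile "$1/cfg" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# expires_within <cert> <days>: true if <cert> is expired or expires within <days>
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# chain_trusted <store.pem> <leaf.pem>: true if the leaf chains to a root in the store
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo <dir>: an expiring root with a long-lived intermediate, plus a
# replacement root that has issued the reissued server certificate.
build_demo() {
  write_cfg "$1/cfg"
  new_root "$1" old-root 12                          # root close to expiry
  issue "$1" old-intermediate old-root 3650 v3_ca    # the far-off date seen in a browser
  new_root "$1" new-root 3650                        # replacement root
  issue "$1" reissued-leaf new-root 365 v3_leaf      # certificate reissued under it
}

dir=$(mktemp -d)
build_demo "$dir"

# Check every certificate in the chain: the earliest expiry is the one that matters.
for c in old-intermediate old-root; do
  if expires_within "$dir/$c.pem" 30; then echo "$c: expires within 30 days"
  else echo "$c: valid beyond 30 days"; fi
done

# Same reissued certificate, two trust stores: one without and one with the new root.
for store in old-root new-root; do
  if chain_trusted "$dir/$store.pem" "$dir/reissued-leaf.pem"
  then echo "store holding only $store: reissued cert trusted"
  else echo "store holding only $store: reissued cert NOT trusted (browser warning)"; fi
done
rm -rf "$dir"
```
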
Re: [CODE4LIB] ipsCA Certs
Hi John,

I also got this email. We also recently installed an ipsCA wildcard cert for a test EZProxy install.

Looking at the details of our ipsCA wildcard certificate in Firefox, though, I can see the chain of certificates going up to the root ipsCA cert. Firefox says that that root certificate -- ipsCA CLASEA1 Certificate Authority -- is good until 2025. I see the same thing in IE, Safari, and I assume every other browser I might check.

Do you see that too?

--Dave

==
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu

From: Code for Libraries [code4...@listserv.nd.edu] On Behalf Of John Wynstra [john.wyns...@uni.edu]
Sent: Thursday, December 17, 2009 1:02 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: [CODE4LIB] ipsCA Certs

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
Re: [CODE4LIB] ipsCA Certs
Thanks Amy. I'll join that list. Would have been a more appropriate place for this post.

Weidner, Amy wrote:

Hi, John.

I sure did. Looks like the email is legit. Lots of talk about it on the ezproxy listserv today, here's the archive: http://ls.suny.edu/read/?forum=ezproxy&sb=1

In short, from those who have installed the new cert, there are no problems with IE but Firefox, Safari and Chrome are experiencing certificate warnings.

HTH

Amy Weidner
Digital Resources Librarian
Benedictine University
630/ 829.6066
630/ 960.9451 (fax)
aweid...@ben.edu

-----Original Message-----
From: Code for Libraries [mailto:code4...@listserv.nd.edu] On Behalf Of John Wynstra
Sent: Thursday, December 17, 2009 3:02 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: [CODE4LIB] ipsCA Certs

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
Re: [CODE4LIB] ipsCA Certs
Hi, John.

I sure did. Looks like the email is legit. Lots of talk about it on the ezproxy listserv today, here's the archive: http://ls.suny.edu/read/?forum=ezproxy&sb=1

In short, from those who have installed the new cert, there are no problems with IE but Firefox, Safari and Chrome are experiencing certificate warnings.

HTH

Amy Weidner
Digital Resources Librarian
Benedictine University
630/ 829.6066
630/ 960.9451 (fax)
aweid...@ben.edu

-----Original Message-----
From: Code for Libraries [mailto:code4...@listserv.nd.edu] On Behalf Of John Wynstra
Sent: Thursday, December 17, 2009 3:02 PM
To: CODE4LIB@LISTSERV.ND.EDU
Subject: [CODE4LIB] ipsCA Certs

Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>
[CODE4LIB] ipsCA Certs
Out of curiosity, did anyone else using ipsCA certs receive notification that due to the coming expiration of their root CA (December 29, 2009), they would need a reissued cert under a new root CA?

I am uncertain as to how this new Root CA will become a part of the browsers' trusted roots without some type of user action including a software upgrade, but the following library website instructions lead me to believe that this is not going to be smooth. http://bit.ly/53Npel

We are just about to go live with EZProxy in January with an ipsCA cert issued a few months ago, and I am not about to do that if I have a serious browser support issue.

--
<><><><><><><><><><><><><><><><><><><>
John Wynstra
Library Information Systems Specialist
Rod Library
University of Northern Iowa
Cedar Falls, IA 50613
wyns...@uni.edu
(319)273-6399
<><><><><><><><><><><><><><><><><><><>