论坛: 网站建设 标题: ExpirationofVeriSignGlobalServerIDIntermediateRootCAon1/7/2004 复制本贴地址    
作者: qiuyang [qiuyang]    版主   登录
This bulletin provides you with information about the old VeriSign Global Server ID Intermediate Root CA which expired on 1/7/2004 and the actions you must take if this expiration has impacted your server.

Summary
The old VeriSign [128-bit SSL] Global Server Intermediate Root CA will expire on 1/7/2004. Servers that have not been updated with the new Global Server Intermediate Root CA will experience issues establishing SSL (https) sessions after 1/7/2004.

Note: This issue does not impact servers using VeriSign [40-bit] Secure Server ID certificates.

Who should read this bulletin?
Customers who have not installed the new VeriSign Global Server Intermediate Root CA on their server(s) or who are not sure which intermediate root CA is installed on their server(s). The new VeriSign Global Server Intermediate Root CA has the following properties:

Issued to: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by: Class 3 Public Primary Certification Authority
Valid from: 4/16/97 to 10/24/11

Specific Issue
In December, 2001, VeriSign started issuing a new Intermediate Root CA with all [128-bit SSL] Global Server IDs (GSIDs), signed by a new root certificate that expires in 2028. The new Global Server Intermediate Root CA expires in 2011.

All GSIDs VeriSign has issued since December, 2001, have included the new [2011] Global Server Intermediate Root CA. Some server software automatically updates the intermediate root CA certificate in the server certificate store, while other server software requires manual updates of the intermediate root CA. Although VeriSign has been providing instructions on how to manually install the new Global Server Intermediate Root CA to all GSID customers since December, 2001, it is possible that some customers may not have noticed the reminder and are unaware of this issue.

Error Condition
If an application uses PKI best practices, it will check that the validity periods of all certificates in the trusted chain do not overlap, and report an error accordingly. Because 24-month certificates issued after 1/8/2002 and 12-month certificates issued after 1/8/2003 would have validity periods in excess of the original Intermediate CA, when you obtained a new GSID that expired beyond 1/6/2004, your server application should have generated an error.

Solution
The solution is to update the intermediate root CA certificate store on your server(s) with the latest version of the VeriSign Global Server Intermediate Root CA. A copy of the new Intermediate Root CA (along with instructions on updating Microsoft IIS 4.0, Microsoft IIS 5.0, Apache, and Netscape 3.6) is available at the following link:
https://www.verisign.com/support/site/caReplacement.html.

We hope that this notification helps you limit the impact of the expiration of the old Global Server Intermediate Root CA on your SSL users. If you have further questions, If you have further questions, contact VeriSign support at support@verisign.com or 1-877-438-8776.

地主 发表时间: 04-01-10 11:45

论坛: 网站建设

20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon

粤ICP备05087286号