Ok. So it looks like we probably won't be using ipsCA after all (at
least not any time soon). We were currently testing it only,
thanks
Karen
Jon Warbrick wrote:
> On Tue, 8 Dec 2009, Karen Murphy wrote:
>
>
>> Hi Duncan, I'm currently testing with a free edu wildcard ipsCA certificate
>> which I got last month....
>> When I view the attributes with openssl of the chain file I downloaded I see
>> it doesn't expire till 29th December 2025....
>>
>> openssl x509 -text -noout -in 00000002.ca
>>
>> Certificate:
>> Data:
>> ....
>> Issuer: C=ES, ST=BARCELONA, L=BARCELONA, O=IPS Seguridad CA,
>> OU=Certificaciones, CN=IPS [log in to unmask]
>> Validity
>> Not Before: Dec 30 13:36:11 2001 GMT
>> Not After : Dec 29 13:36:11 2025 GMT
>>
>
> A certificate contains, amongst other things, validity dates and a
> reference to a further certificate (which OpenSSL describes as 'Issuer')
> containing the public half of the key that signed it. To establish
> validity, clients should check that the certificate itself has not expired
> and that the certificate representing the signer is also valid. This
> proceeds recursively if necessary until it reaches a (typically
> self-signed) root certificate that the client has been manually configured
> to trust (or was pre-configured to trust on installation).
>
> In OpenSSL's display, 'Validity' refers to the certificate being
> displayed. So in this case you have a certificate that expires 'Dec 29
> 13:36:11 2025' and was signed by the key identified as
>
> C=ES, ST=BARCELONA, L=BARCELONA, O=IPS Seguridad CA,
> OU=Certificaciones, CN=IPS [log in to unmask]
>
> While you may also have a copy of a certificate for this key, that's
> largely irrelevant because what matters is what clients have been
> configured to trust. If you think about it, you can't supply the root of a
> trust hierarchy while trying to prove your identity because that won't
> actually prove anything. Looking in the trusted certificate store in my
> copy of Firefox I can see a relevant certificate and it does indeed expire
> '29/12/09 23:21:07'.
>
> So while your certificate doesn't expire until Dec 29 13:36:11 2025, my
> browser, and I suspect most others, should refuse to validate it after
> '29/12/09 23:21:07'. Note that there is little you can do about this now -
> what was needed was for a new trusted root certificate to have been
> distributed via whatever trusted channel is normally used for browser
> updates, and for this to be complete for all your users in the next 21
> days!
>
> Jon.
>
>
--
*Karen Murphy*
Systems Analyst - Bibliographic Services
The Library at Queen's
10 College Park, University Road
Queen's University Belfast
Belfast BT7 1LP
Tel: 028 90976260
Email: [log in to unmask]