
rolande (Premium, Mod; joined 2002-05-24; Columbus, OH)

Application impact

I work for a large financial institution and we ran into production outages due to the expired intermediate CA certificate. The issue was not the web interfaces themselves. We renew our certificates on a yearly basis, so the associated intermediate certificate was updated throughout this past year on the majority of our frontend sites. The problems were really on backend application servers where various components would talk between servers using SSL. Those components could no longer establish their SSL sessions once the certificate expired. No one thought to look at all the application software that was using certificates that were tied to this old intermediate certificate. It slipped under the radar somehow.

Personally, I don't feel that Verisign did enough to warn their customers and make a big enough deal about it. Because of that most customers missed the warnings or weren't sure how they would be affected. Even as of yesterday you still had to find the link buried on Verisign's support page and there was no flashing bold red notice on their main page anywhere. In our case, our certificates are managed by a central internal security team. They would have received any notices in their group mailbox, since all of our certificates have their contact information listed. They did not forward this information on to any of the internal groups that handle the various applications and webservers. Communication breakdown. I don't think they understood the potential impact and so they didn't think we would have any problems.

Beyond not providing sufficient warning, Verisign did not fully explain that if you were running with the old intermediate certificate you could just update it and not affect existing certificates signed after a certain date. This information again was buried deep. I was under the impression that if a site certificate was running with the old intermediate certificate, you could not use the new intermediate cert until the existing site certificate was renewed.

So, I got to work until 1AM that night supporting our various application teams even though this issue was not under my area. You know the network is always to blame, so the network guys always have to be there to solve the problems... So the next intermediate certificate expires on 10/24/2011 and the Root CA expires on 8/1/2028. I am putting a note in my calendar to plan a good week of vacation around the first date and at least 2 weeks around the second date.
--
Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."
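The mechanism rolande describes, reproduced as an added example that is not from the post, from VeriSign or from dslreports: a throwaway PKI built with the openssl CLI in which the application (leaf) certificate is valid for years but was signed by an intermediate whose validity ends first. Evaluating the chain two days ahead with `openssl verify -attime` fails only because of the intermediate; re-issuing the intermediate from the same CSR (same subject, same key) with new dates makes the untouched leaf verify again, which is the fix the post says was buried in the CA's documentation. The names (Toy Root CA, Toy Intermediate CA, app.example.internal) are made up, the script needs the `openssl` binary and a `date` that accepts `+%s`, and it works in a temporary directory it removes on exit.

```shell
#!/bin/sh
# Added example, not code from the original post, VeriSign or dslreports.
# Builds a toy PKI with the openssl CLI to reproduce the outage described above:
#   root       self-signed, valid 10 years
#   inter      signed by root, valid ONE day (stands in for the expired intermediate)
#   leaf       signed by inter's key, valid 10 years, so it outlives its issuer
#   inter_new  re-issued from the SAME CSR (same subject, same key), valid 10 years
# All certificate names below are invented for the example.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on a system openssl.cnf,
# and the CA extensions: without CA:TRUE, verify would reject the chain for an
# unrelated reason ("invalid CA certificate") and muddy the demonstration.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext

build_pki() {
  for n in root inter leaf; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
  done
  openssl req -new -config req.cnf -key root.key  -subj "/CN=Toy Root CA"          -out root.csr
  openssl req -new -config req.cnf -key inter.key -subj "/CN=Toy Intermediate CA"  -out inter.csr
  openssl req -new -config req.cnf -key leaf.key  -subj "/CN=app.example.internal" -out leaf.csr

  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 3650 -out leaf.crt 2>/dev/null
  # The fix: re-issue the intermediate under the same key and subject with fresh
  # dates. Existing leaf certificates keep working because they chain by issuer
  # name and their signatures verify against the intermediate's public key.
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3650 -extfile ca.ext -out inter_new.crt 2>/dev/null
  cat leaf.crt inter.crt > chain.pem   # what a backend component would typically ship
}

# Does this certificate expire within the next $2 seconds? (openssl -checkend
# exits 0 when the certificate is still valid at that point, 1 otherwise.)
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo no; else echo yes; fi
}

# Verify leaf.crt against the root through intermediate $1, evaluated at epoch
# time $2. Echoes OK or FAIL; openssl's own explanation goes to stderr.
chain_status() {
  if out=$(openssl verify -CAfile root.crt -untrusted "$1" -attime "$2" leaf.crt 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" >&2    # e.g. "error 10 at 1 depth lookup: certificate has expired"
    echo FAIL
  fi
}

# The audit that would have caught this: print subject and notAfter for EVERY
# certificate in a PEM bundle, not just the first (leaf) one.
list_enddates() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n{print > ("part" n ".pem")}' "$1"
  for p in part*.pem; do
    openssl x509 -in "$p" -noout -subject -enddate
  done
  rm -f part*.pem
}

build_pki
LATER=$(( $(date +%s) + 2 * 86400 ))   # two days from now: inter has expired, leaf has not

echo "--- certificates in chain.pem ---"
list_enddates chain.pem
echo "intermediate expires within 2 days: $(expires_within inter.crt 172800)"
echo "leaf expires within 2 days:         $(expires_within leaf.crt 172800)"
echo "chain with old intermediate in 2 days:      $(chain_status inter.crt "$LATER")"
echo "chain with re-issued intermediate in 2 days: $(chain_status inter_new.crt "$LATER")"
```

Two practical points follow from the run. First, the swap only works because the re-issued intermediate carries the same subject and public key as the old one; if a CA rotates the intermediate's key, every leaf certificate must be re-issued, and the CA's notice has to say which case applies. Second, `openssl x509 -checkend` is cheap enough to run against every certificate in every bundle, including the chain files that backend components use to talk to each other, which is exactly where the post says the expiry went unnoticed.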

© 1999-2012 dslreports.com