Critical weblogin.stanford.edu certificate update

Russ Allbery rra at stanford.edu
Mon Jul 28 11:25:44 PDT 2014


This message is only for Stanford WebAuth administrators.  Users of
WebAuth at other sites can ignore this message.

On July 29th at 5pm, we will be updating the weblogin.stanford.edu SSL
certificate, since the previous certificate is expiring.  As part of this
update, we will be switching to an InCommon-provisioned certificate.  The
ultimate trusted root CA for that certificate is at the bottom of this
message.

Most operating systems will have no problem with this change.  Campus
WebAuth users should be entirely unaffected, and campus web server
administrators should be mostly unaffected.

The exception is administrators of systems running older operating systems
or older software, particularly Red Hat Enterprise Linux 4 and earlier and
other distributions based on those versions of RHEL.  These systems do not
have the root CA certificate used by InCommon in their trusted root CA
store.  This may also be true of other OSes of similar vintage, such as
old Solaris systems.  For those systems, the administrator will need to
add this certificate.  It must be added to the trusted CA store used by
the libcurl library, which is generally the one that OpenSSL libraries on
the system use.

On RHEL 4 systems, this should be as simple as appending the certificate
to /usr/share/ssl/certs/ca-bundle.crt.

Without this change, mod_webauth will not be able to get a service token
from the WebKDC, which means that WebAuth authentication will be disabled
for the web server after the next web server restart.  To ensure that the
change was successful, restart your web server any time after 6pm on July
29th and ensure that you can reach WebAuth-protected pages.

To test the new certificate chain in advance of this change, you can point
a non-production server at weblogin-uat.stanford.edu using the following
Apache configuration:

    WebAuthLoginURL https://weblogin-uat.stanford.edu/login
    WebAuthWebKdcURL https://weblogin-uat.stanford.edu/webkdc-service
    WebAuthWebKdcPrincipal service/webkdc-uat@stanford.edu

weblogin-uat.stanford.edu is already using the new certificate chain.

Here is the new root CA certificate, which you can also obtain from:

    https://www.incommon.org/cert/repository/AddTrustExternalCARoot.txt

C=SE
O=AddTrust AB
OU=AddTrust External TTP Network
CN=AddTrust External CA Root


-- 
Russ Allbery <rra at stanford.edu>
Technical Lead, AS/ACS, Stanford University
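
The append step described for RHEL 4 in the message above, sketched as an added example that is not part of the original message or of WebAuth. The function names are hypothetical, and the script assumes a PEM-format bundle and a certificate file such as the one downloaded from the InCommon URL; it appends the certificate only if it is missing and keeps a backup of the bundle.

```sh
#!/bin/sh
# Added example (not from the original message). File paths are arguments;
# the RHEL 4 bundle path mentioned above would be passed as $1.

# Print each certificate's base64 body on one line, whitespace removed, so
# two copies of a certificate compare equal regardless of line wrapping.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Exit 0 if the first certificate in file $2 is already in bundle $1,
# 1 if it is not, 2 if $2 contains no certificate.
bundle_has_cert() {
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$1" | grep -qxF -- "$want"
}

# Append the first certificate in $2 to bundle $1 unless already present.
add_root_ca() {
    bundle=$1; cert=$2; rc=0
    bundle_has_cert "$bundle" "$cert" || rc=$?
    case $rc in
        0) echo "certificate already in $bundle, no change"; return 0 ;;
        2) echo "no certificate found in $cert" >&2; return 1 ;;
    esac
    cp -p "$bundle" "$bundle.bak" || return 1   # keep a rollback copy
    # A bundle whose last line lacks a newline would otherwise end up with
    # END and BEGIN markers fused on one line, which breaks PEM parsing.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    # Copy only the PEM block, dropping any subject text that precedes it.
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }' "$cert" >> "$bundle"
}
```

On a RHEL 4 host this would be called as `add_root_ca /usr/share/ssl/certs/ca-bundle.crt AddTrustExternalCARoot.txt`, followed by the web server restart and WebAuth page check the message describes.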

