CA Update: Secure Site and Managed PKI for SSL Standard Certificate
June, 2006
During 2006, VeriSign will be completing the
migration of Retail Secure Site certificates and Managed PKI for SSL
Standard SSL Certificates from a single-tier certificate hierarchy to
a new, more secure two-tier hierarchy under the Class 3 Public Primary
Root Certification Authority (PCA).
Up until May 2005 all retail Secure Site Certificates
were signed directly by the VeriSign/RSA root. In May 2005 VeriSign
introduced a new 2048 bit VeriSign Class 3 Secure Server CA and began
using it to sign Secure Site Certificates obtained through www.verisign.ch
for customers using IIS web servers. The rollout to IIS customers went
smoothly and was transparent to Secure Site Certificate customers.
The VeriSign/RSA root expires in January 2010
and it is important that the migration off this root is completed well
before that date. VeriSign will be rolling out this new 2048 bit VeriSign
Class 3 Secure Server CA to all retail Secure Site and Managed PKI for
SSL Standard SSL Certificate customers during 2006.
Rollout Timeline:
August 2006: VeriSign retail and ISP certificate customers:
In August 2006 all customers obtaining retail Secure Site Certificates
through www.verisign.com will receive a certificate signed by the new
VeriSign Class 3 Secure Server CA.
Early 2007: MPKI for SSL customers
In early 2007, all
Standard Certificates obtained through MPKI for SSL will get signed
by the new VeriSign Class 3 Secure Server CA. This was originally scheduled
for December 2006, but has been deferred to early 2007.
What you can expect when this is rolled out:
Customers using IIS web servers
Customers using IIS web servers will receive one file containing their
digital certificate and the new VeriSign Class 3 Secure Server CA. IIS
processes this file seamlessly and there is no customer action required.
Customers using other web servers
Customers using other web servers will receive a separate digital certificate
file and VeriSign Class 3 Secure Server CA to install. The SSL administrator
will have to go through a simple one-time installation of the VeriSign
Class 3 Secure Server CA. This is consistent with the way VeriSign has
been issuing retail Secure Site Pro and Managed PKI for SSL Premium
Certificates for the past two years.
Additional Questions and Answers
1. How can I test this new certificate chain?
* IIS: A chained test certificate is currently available for
customers using IIS from http://www.verisign.ch/products-services/security-services/ssl/buy-ssl-certificates/free-trial/index.html.
* Non-IIS: During June 2006 a “Chained certificate” option will
be added to the trial certificate page for users of other server types.
2. Does this affect VeriSign Secure Site Pro and MPKI For SSL Premium
SSL certificates?
This change does not affect Secure Site Pro
and Premium SSL Certificates. These customers will continue to have their
certificates signed by the same VeriSign International Server CA used
today.
3. What if I have an application or server that does not support certificate
chains?
VeriSign is aware that some customers may be
using legacy applications or servers that may not support chaining.
For this reason, we will keep the RSA root available for customers who
require unchained certificates. These will be one-year certificates only
and cannot be issued after September 30, 2008. VeriSign
recommends you update your legacy applications before that date and
ensure that the RSA root is not hard-coded in your application as a
trust point.
4. Does this affect client certificates issued to individuals?
This change does not affect VeriSign Code and
Content Signing Certificates. These customers will continue to have their
certificates signed by the same VeriSign CA used today.
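The following script is an added example, not VeriSign's own tooling or anything distributed with the certificates described above. It illustrates the point made under "Customers using other web servers" and in questions 1 and 3: once a server certificate is issued by an intermediate CA rather than directly by a root, a client can only verify it if the intermediate is supplied alongside it. The script builds a throwaway two-tier hierarchy with the openssl command line (assumed to be version 1.1.1 or later), then verifies the server certificate with and without the intermediate, reports the issuing CA's key size and the chain length, and checks how close the root is to expiry. Every name in it (Example Root CA, Example Secure Server CA, www.example.test) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not VeriSign code): a toy two-tier hierarchy
#   root (tier 1) -> intermediate "Secure Server CA" (tier 2) -> server cert
# All subject names are constructed for this demo.

WORK="$(mktemp -d)"

make_hierarchy() {
  # Tier 1: self-signed 2048-bit root, standing in for the Class 3 PCA.
  # Extensions come from a small file so no system openssl.cnf is relied on.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Tier 2: intermediate CA whose certificate is signed by the root.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Secure Server CA" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1

  # Server certificate: issued by the intermediate, never by the root.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# A client that trusts the root but is handed only the server certificate:
# this is the situation of a non-IIS server whose admin skipped the
# one-time intermediate CA install. Expected to fail.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also sends the intermediate. Expected to pass.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Key size of the CA that actually signs server certificates (prints "2048").
issuing_ca_key_bits() {
  openssl x509 -in "$WORK/int.pem" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Number of certificates in the verified chain: 3 for leaf, intermediate, root.
chain_length() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -show_chain "$WORK/leaf.pem" 2>/dev/null | grep -c '^depth='
}

# Returns 0 if the root expires within $1 days. The advisory's concern is a
# root expiring in January 2010 while still pinned as a trust point somewhere;
# -checkend exits 0 only when the certificate is still valid that far ahead.
root_expires_within_days() {
  if openssl x509 -in "$WORK/root.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

make_hierarchy
if verify_with_chain; then echo "server cert + intermediate: OK"; fi
if ! verify_leaf_only; then echo "server cert alone: verification fails (issuer CA missing)"; fi
echo "issuing CA key: $(issuing_ca_key_bits) bits; chain length: $(chain_length)"
if root_expires_within_days 4000; then echo "root expires within 4000 days"; fi
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if only the server certificate appears, the intermediate CA has not been installed and browsers without a cached copy of it will fail in the same way `verify_leaf_only` does. The `-checkend` check is the same test to run against any root that an application has hard-coded as a trust point, so that an expiring root is found before its clients start rejecting otherwise valid chains.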