I recently installed a secure certificate for a web site I help maintain. When I'm at work and on the network where the web server is, I can navigate to secure pages (https) fine. When I try to access the same pages from outside the network (like from home), I get an error. Here is an example page from my web site: https://www.acpe.org/MyACPE/Activity/MyActivity.aspx

I assumed it might be our Barracuda firewall, but we completely turned it off and the problem persisted. I checked the certificate here at Verisign and it says it's fine:

I'm at a loss. I'd appreciate any help. Thank you!

+2  A: 

It appears the cert expired in 2004. This is the information I get using Netscape 4.5.1:

    This Certificate belongs to:
      Class 3 Public Primary Certification Authority
      VeriSign, Inc.
      US

    This Certificate was issued by:
      Class 3 Public Primary Certification Authority
      VeriSign, Inc.
      US

    Serial Number: 00:E4:9E:FD:F3:3A:E8:0E:CF:A5:11:3E:19:A4:24:02:32
    This Certificate is valid from Sun Jan 28, 1996 to Wed Jan 07, 2004
    Certificate Fingerprint: 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5

Jay S
Thanks for the response. I see what you're saying but this was working until earlier this month. This is very interesting. Thanks for the lead.
SquidScareMe
The certificate I receive has a serial number of 21:EE:7E:04:2A:53:14:2A:9F:50:75:FC:2D:BF:F3:7A. It's an RSA certificate that expires in 2010.
erickson
+3  A: 

Verisign's OCSP responder says that your certificate has been revoked.

It's likely that some environments you are using for testing don't have OCSP enabled. You can test this by disabling OCSP checks in a browser that currently fails. It should start working after that.

If your certificate is revoked, you should get another.


Verisign has issued several certificates for www.acpe.org. The one that is still valid has the serial number 27583686efafc6484ac19d7ce82be271. The one that www.acpe.org is currently configured to use is revoked, and has a serial number of 21ee7e042a53142a9f5075fc2dbff37a. I haven't been able to get OpenSSL's ocsp tool to work, so I can't see the "reason" code being given, but judging from the info there, a replacement was requested on February 10 by the certificate owner. Make sure that you correctly installed the new certificate.

You can see this status information through Verisign's certificate repository tool by entering the common name "www.acpe.org".

erickson
Thank you very much for your response. Could you point me to Verisign's OCSP responder? I can't locate it at verisign.com. Thank you.
SquidScareMe
http://ocsp.verisign.com/
erickson
Thank you, Erickson! Somehow we just installed the wrong certificate and in trying to debug this problem I overlooked the obvious. Stupid stupid stupid. Thank you!!!
SquidScareMe
My son, Leif, is due to be born in May. Perhaps I can persuade my wife to have his middle name be Erickson in honor of you, not the explorer.
SquidScareMe
Hehe! Thanks! Accepting my answer is honor enough for me. Besides, doesn't "Magnus" have a nicer, Nordic ring?
erickson
Magnus is a nice choice. On a side note, in college I made a deal with a professor that I would name my daughter 'Ruby' in honor of his favorite language if he gave me a passing grade on a particularly hard test. He passed me and I did name her Ruby. He doesn't have to know it's a family name.
SquidScareMe
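A check for the mix-up diagnosed in the answer above, added here as an example and not code from any poster: it compares the serial a server presents against the serials the thread lists for www.acpe.org, whatever format each tool prints them in. The function names and the `ISSUED` table layout are assumptions; the serials and their statuses are the ones quoted in the thread.

```python
import socket
import ssl

# Serials quoted in the thread for www.acpe.org, with the status erickson
# reports from Verisign's repository. Table layout is this example's own.
ISSUED = {
    "27583686efafc6484ac19d7ce82be271": "valid",
    "21ee7e042a53142a9f5075fc2dbff37a": "revoked",
}


def normalize_serial(text):
    """Reduce any common serial rendering to an integer.

    Handles 'serial=21EE...' (openssl x509 -noout -serial), colon-separated
    bytes as browsers show them, a 0x prefix, mixed case and leading zeros.
    """
    s = text.strip()
    if "=" in s:
        s = s.split("=", 1)[1]
    s = s.replace(":", "").replace(" ", "")
    return int(s, 16)  # raises ValueError on empty or non-hex input


def classify(presented, issued=ISSUED):
    """Return the recorded status of the presented serial, or 'unknown'."""
    wanted = normalize_serial(presented)
    for serial, status in issued.items():
        if normalize_serial(serial) == wanted:
            return status
    return "unknown"


def served_serial(host, port=443, timeout=5.0):
    """Fetch the serial the server actually presents (needs network).

    Python's default context validates the chain and hostname but performs
    no OCSP or CRL lookup, so a revoked certificate still handshakes here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["serialNumber"]
```

After installing a reissued certificate, `classify(served_serial(host))` should return `valid`; `revoked` or `unknown` means the server is still configured with a different certificate than the one intended.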
+1  A: 

From what I can tell the certificate was revoked. Are you sure you installed a valid certificate?

JoshBerke
Thank you for the response. Really, at this point I'm not sure the certificate was installed properly. Verisign says it was when I use this tool: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=certchecker
SquidScareMe
It's likely that this certificate checker does not perform revocation checks.
erickson