
New SSL Certificates

February 4th, 2011 by

We will be updating our certificates for *.opensuse.org and *.suse.de today, sometime between 19:00 and 22:00 UTC. We will be upgrading to a 2048-bit certificate, which will provide better security for the site. We are also switching to a different vendor who can provide us with more efficient support. We plan on chaining the certificate up to the Entrust root CA.

It is possible that a small portion of the community may experience some issues with this switch. Specifically, any system older than SUSE 10 may not have the Entrust CA in its system certificate store. On these systems, utilities such as wget may present an error when trying to pull a resource from opensuse.org over an SSL connection. The solution is either to run wget with the “--no-check-certificate” option or to add the Entrust root to the system certificate store (found in /etc/ssl/certs). Browsers and cURL use their own certificate stores and should not be affected by this switch, even on older systems.
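Of the two options above, adding the root keeps certificate verification switched on. The following is an added example, not part of the original post: a hypothetical helper, install_root_ca, that places a root into an OpenSSL hashed certificate directory. It assumes an openssl command-line tool with the options shown and a SHA-256 fingerprint for the root obtained out of band from the CA.

```shell
#!/bin/sh
# Added example (not from the original post): install a root CA into an
# OpenSSL hashed certificate directory such as /etc/ssl/certs.
# Usage: install_root_ca PEM_FILE CERT_DIR SHA256_FINGERPRINT
# SHA256_FINGERPRINT is the colon-separated value obtained out of band
# from the CA; it is an input you supply, nothing here provides it.
install_root_ca() {
    pem=$1; dir=$2
    want=$(printf '%s' "$3" | tr 'a-f' 'A-F')

    # Refuse anything that does not parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $pem" >&2; return 1; }

    # A root is self-issued: subject hash and issuer hash must match.
    # This rejects a leaf or intermediate dropped in by mistake.
    shash=$(openssl x509 -in "$pem" -noout -subject_hash)
    ihash=$(openssl x509 -in "$pem" -noout -issuer_hash)
    [ "$shash" = "$ihash" ] ||
        { echo "not a self-issued root: $pem" >&2; return 1; }

    # Compare the file's fingerprint with the out-of-band value.
    got=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$got" = "$want" ] ||
        { echo "fingerprint mismatch: $got" >&2; return 1; }

    # OpenSSL finds CAs in a directory through <subject_hash>.<n> links;
    # take the first free <n> so an existing entry is never overwritten.
    n=0
    while [ -e "$dir/$shash.$n" ] || [ -L "$dir/$shash.$n" ]; do n=$((n + 1)); done
    name=$(basename "$pem")
    cp "$pem" "$dir/$name" && ln -s "$name" "$dir/$shash.$n" || return 1
    echo "$dir/$shash.$n"
}

# Run directly: sh install_root_ca.sh root.pem /etc/ssl/certs 'AA:BB:...'
if [ $# -eq 3 ]; then install_root_ca "$@"; fi
```

Once the link exists, openssl verify -CApath pointed at the same directory accepts certificates that chain to that root.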

If anyone discovers an issue after we make the switch, please contact webmaster@opensuse.org.


7 Responses to “New SSL Certificates”

  1. MatthewEhle

    As an additional note, we will be using a multi-SAN certificate in place of a wildcard for suse.de. This may also cause problems for very old systems, but this type of certificate has been part of the SSL standard for a number of years. We don’t anticipate any real problems coming from this.

  2. Scott C

    I would have thought that ALL root certificates and ALL trust Certificates OR Revocation, would come via normal OpenSuse Updater ! Yes/No??? – I think I feel sick…. :-(

    I also thought that when required, auto refresh of any Repository, where their PGP Certificates OR Revocation would also auto update! Yes/No ???

    I had also thought that FF or any Browser would auto update any Trust or SSL Certificates that were due to expire by date or revocation would also auto update by FF or other Browsers or any other dependent application. However that is an issue for FF and all else. Yes/No???

    • MatthewEhle

      As far as I know, the SUSE releases that could be affected are well out of their support phase and probably would not be updating their certificate stores. Their list of trusted roots was extremely limited to begin with, which has been fixed in later versions of SUSE Linux.

      As far as PGP certificates go, those are not affected in any way by this certificate change.

      As mentioned in the original article, Firefox and other browsers DO maintain their own certificate stores, they are updated through the browser updates, and they contain a much more comprehensive library of trusted roots. They should not be affected by this change at all (with the possible exception of Konqueror, which has a very limited trust store).

      • Scott C

        Thank you for that – My concern was not with your servers update of new Trust, however as a matter of course both Enterprise Linux and Open.

        Without continued validity of Certification and Revocation and valid trust certificates being auto updates- any browsers and all monetary transactions are based on trust.

        The whole ABSENCE issue of trust certificates and SSL CERTIFICATES COMPLETELY COLLAPSES.

        without transparent up to date trust and revocation as a big windows will open by E/bay saying the user is not trusted – You're very good with certificates Matthew; Enterprise I amuse is perfect – we just utilise the same inspection of the expiry/revocation/ no longer to guarantee trust type certificate that that simple issue – frightens the stuffing’s out of me to say the Least :-) Scott C

        • MatthewEhle

          Ah, I see where you are going. I agree with you completely, but I wish I knew more about what they do now. Maybe a good discussion to bring up on the IRC channel :)

          • Scott C

            I think I may regret typing this.
            My Country runs ALL of its total .GOV.MIL.??? – Browser,Email – the whole PKI if you will – Its no secret that it is called project “GATEWAY” and I know I am going to regret this but…
            think of me as writing the whole PKI Book on the Subject – Someone had to teach the teachers.

            Give my email address I enclose a hit or two if you want to talk on this Subject – Otherwise please don't use this address…thanks – I think I will throw up now…lol…:-)

            I am GMT+10 and can get setup for IRC…IF you need a little bit of help I will happily help BUT …Don’t bother with countless RFCs – As the issue of trust on the Net was an afterthought. Many RFCs had to have back dated changes, and as such, are as clear as mud and almost contradict themselves….Scott C

          • Scott C

            Sorry Matthew – Freudian Slip – The correct name is Project ‘Gatekeeper’ not Project ‘Gateway’…but I would not go poking too far above normal browsing ….lol – Happy to talk over email any time mate!