Thursday, May 15, 2008

Verisign Class 1 CA Individual Subscriber cert expires

Yesterday, 5/14/2008, we were rudely awakened to errors in our SSL checkout process. Basically, the dialog box that informs a person browsing the website that a problem has occurred showed up. Investigating our IIS 5.0 web servers, we found that none of the SSL certificates had expired. Digging deeper, we then looked at the certificate store on the machine. In the certificate store, we found that the Intermediate Certificate called Verisign Class 1 CA Individual Subscriber certificate had expired. Yuck!


For Windows 2000
We called Verisign and confirmed that the expired certificate was affecting our site. Verisign was able to give us a link to download the latest certificate:
https://knowledge.verisign.com/support/digital-id-support/index?page=content&id=SO6052



We followed the install and verification instructions to install the cert on each server in the farm. After making those changes, I verified in Firefox that the SSL dialog box no longer appeared. Thank God!

For Windows 2003
Win2K3 was slightly different. We actually needed to make the certificate appear in our Intermediate Certificate list:


This was accomplished by downloading the latest intermediate cert that works with your chosen level of SSL certification from here:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

For us, we use Non-EV Premium SSL certificates. So we used that link from the main page. Once we installed them by following the directions on the linked page,
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html, we saw the intermediate cert appear (date of 10/24/2011) in the proper certificate store:


Finally, a reset of IIS was needed. Yuk!

Afterword
The one thing I do not have clarity on is exactly which certificates a typical web server running ASP and ASP.NET needs in order to run correctly. I know that there is a hierarchy of certs:
1) Root certificates
2) Root cert signs Intermediate
3) Intermediate signs Personal (www.mysite.com)
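
The failure in this post, where the site certificates were still valid but an intermediate in the machine store had expired, can be caught by checking every link of the hierarchy above instead of only the site certificate. The script below is an added example, not the author's own; it assumes PowerShell 3.0 or later on the web server, and `$WarnDays` is an illustrative parameter.

```powershell
# Added example: report expiry for every certificate in each server cert's chain,
# then sweep the Intermediate Certification Authorities store directly.
# Assumption: PowerShell 3.0+; $WarnDays is an illustrative threshold.
param([int]$WarnDays = 30)

$now = Get-Date

function Get-ExpiryState($cert) {
    if ($cert.NotAfter -lt $now) { return 'EXPIRED' }
    if ($cert.NotAfter -lt $now.AddDays($WarnDays)) { return 'EXPIRING' }
    return 'OK'
}

# 1) Walk the chain of every certificate in the machine's Personal store,
#    which is where the site (www.mysite.com) certificates live.
foreach ($leaf in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only dates matter here, so skip revocation lookups (keeps the check offline).
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)   # returns $false on problems; elements are still listed

    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $role = if ($depth -eq 0) { 'Server' } elseif ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'Intermediate' }
        [pscustomobject]@{
            Site     = $leaf.Subject
            Role     = $role
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            State    = Get-ExpiryState $cert
            # Chain engine's own verdict, e.g. NotTimeValid for an expired link
            Problems = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
        $depth++
    }
    $chain.Reset()
}

# 2) List anything in the intermediate store that is expired or close to it,
#    even if no installed site certificate currently chains through it.
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { (Get-ExpiryState $_) -ne 'OK' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Run as a scheduled task, the first report flags an `Intermediate` row in `EXPIRING` state before visitors see a warning, even while every `Server` row still reads `OK`.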

We had a similar problem back a couple of years ago and I had been too busy to research the question then. I will try to research it and give an update to this page.

Good luck, folks!
'sodo
Feel free to drop me a line or ask me a question.