From: vance@alumni.caltech.edu Sent: Wednesday, January 05, 2000 1:51 AM To: Info-VAX@Mvb.Saic.Com Subject: Re: verisign root certificate expiration, older browsers, VMS In article <84mnue$caq@gap.cco.caltech.edu>, wrote: >I saw a note the other day stating that the verisign certificate in older >versions of Navigator has a Y2K problem - it expires then. For other >platforms the fix is to download a newer version of the browser. I'm at >home now - can anyone test that the VMS 3.03 browser still works with >verisign certified SSL pages? If it doesn't (which is what I expect given >the general nature of the Verisign problem), does anybody have a workaround? >Sadly, downloading a newer version of the browser is not an option. When >this happened with the Thawte cert. it was possible to install a new one, >but Verisign's may be engineered into the program differently. A few months ago Schwab.com allowed me to update the Verisign root certificate. Now however it and all the links from Netscape and Verisign about this suggest upgrading the browser which isn't an option for VMS yet. I searched around and found the Verisign page which allows one to update the root certificate. According to Verisign's and Netscape's web pages, if you don't update the root certificate, when you connect to a secure site you will get a dialog box telling you of this fact and allowing you to "Cancel" or "Continue". Hitting "Continue" does in fact get you a secure connection. However, going to a site can cause many dialog boxes to popup, one after the other and it can get quite annoying. Here's how to update your Root certificates in Netscape: Thawte Server certificate which expired in 1998: 1) Under the Options Menu choose "Security Preferences..." 2) Select the "Site Certificates" tab 3) Select "Thawte Server CA" in the list of certificates 4) Select "Delete Certificate" and then "OK" 5) Go to http://www.thawte.com/serverbasic.crt 6) Follow the instructions on the popup dialog box to accept the certificate This mostly involves hitting the "Next" button and clicking an accept button and then naming the resulting certificate. I named it the same name as the original. VeriSign/RSA Server certificate which expired Dec 31, 1999: 1) Under the Options Menu choose "Security Preferences..." 2) Select the "Site Certificates" tab 3) Select "Verisign/RSA Secure Server CA" in the list of certificates 4) Select "Delete Certificate" and then "OK" 5) Go to https://www.verisign.com/server/prg/browser/root.html 6) Follow the instructions on the popup dialog box to accept the certificate This mostly involves hitting the "Next" button and clicking an accept button and then naming the resulting certificate. Verisign suggests using the name "VeriSign CA". I hope this helps. It would be nice if Compaq reissued Netscape 3.03 with the updated certificates available with more recent versions of Netscape. >P.S., could it be that the Purveyor Y2K bug reported in another thread is >related it to this? That is my guess, the server certificate had expired. -- Vance Haemmerle vance@alumni.caltech.edu