30 March 2006

VeriSign certificates + IIS = not good

Posted by Barnabas under: Security.

After some recent infrastructure changes, many users complained that they were unable to connect to Skweezer with SSL, which our login page requires. Some phones would just show an unhelpful error like 513 or 503, page cannot be found. My Nokia popped up a strange error though, claiming that the server certificate expired even though the certificate expires next July. However, some browsers and phones had no problem at all establishing SSL. It turns out that there was nothing wrong with the certificate, and that's where it gets really weird.
According to this knowledge base article at Microsoft:

The previous VeriSign 128-bit International (Global) Server Intermediate certification authority certificate expired on January 7, 2004. This may cause problems for clients that try to establish server-authenticated secure socket layer (SSL) connections with Web servers and other SSL/Transport Layer Security (TLS)-enabled applications that do not have up-to-date certificates.

To prevent these problems, Microsoft Internet Information Services (IIS) operators should contact VeriSign to update the intermediate certification authority certificates for servers that use 128-bit SSL to connect to Web sites with the Secure Hypertext Transfer Protocol.

Impact: Clients cannot establish SSL-protected connections to Web servers that do not have updated certificates.

Recommendation: Install the updated version of the VeriSign intermediate certificate.

What the article means is that the VeriSign intermediate CA certificate, the one that sits between a site certificate like ours and the VeriSign root, had itself expired. A client validating our certificate has to build a chain from the site certificate, through that intermediate, up to a root it already trusts. The root certificates are shipped with the operating system or phone; the intermediate is not, and the server is expected to send it along with the site certificate during the TLS handshake. If the server sends the old, expired copy of the intermediate and the client has nothing better, the chain fails, and some clients report that as the server certificate being expired even though the site certificate is fine, which is the misleading error the Nokia showed.

You may not see this on a Windows desktop, because Windows keeps its certificate store up to date through automatic update, and a client that already holds the renewed intermediate in its own store can build a valid chain regardless of what the server sends. Many phones are not like this: they carry a handful of root certificates and nothing else, so they have to get the intermediate from somewhere in addition to the site certificate. Do they fetch it from the CA directly, as you might expect? Generally not; you have to keep an up-to-date copy of the intermediate on your web server. This appeared to be specific to VeriSign certificates of that era; other certificates carry the Authority Information Access (AIA) extension, a pointer to where the issuer's certificate can be downloaded, which lets clients that follow it recover a missing or stale intermediate and reduces the chance of this happening (a client that does not follow AIA still depends entirely on what the server sends). Does Microsoft update the intermediates on your servers the way it updates everyone's desktop computers, as part of the "Microsoft Root Program"? Of course not: that program distributes root certificates to Windows clients, and it is your responsibility to keep the intermediate certificates on your servers up to date. The practical check is to look at the chain the server actually sends in the handshake (for example with openssl s_client -showcerts) and confirm the notAfter date of every certificate in it, not just the site certificate. This is frustrating to say the least.
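To make the chain-building problem above concrete, here is an added example in Go (not code from the original post, and not VeriSign's or Microsoft's) that constructs a throw-away hierarchy with the same shape: a root, an intermediate CA certificate that expired on 7 January 2004, a renewed intermediate with the same subject and key pair, and a server certificate issued under that key. It then validates the server certificate the way three kinds of client would have on the date of the post: a phone holding only the root, the same phone after the server is fixed to send the renewed intermediate, and a desktop that already has the renewed intermediate in its own store. The CA names, the hostname www.example.com, the use of ECDSA keys and the exact validity dates are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const leafHost = "www.example.com" // hostname on the constructed server certificate (assumption, not the post's site)

// PKI is a constructed hierarchy with the shape the post describes: a root, two intermediates sharing
// one subject and key pair but with different validity (expired vs renewed), and a server certificate.
type PKI struct {
	Root, OldIntermediate, NewIntermediate, Leaf *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func newKey() *ecdsa.PrivateKey { // ECDSA only to keep key generation fast; the real chain was RSA
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl with signer (the private key behind parent's public key) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func caTemplate(serial int64, cn string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildPKI generates the hierarchy. Dates are constructed to follow the post's timeline: the old
// intermediate expired 7 January 2004, the renewed one runs to 2011, the server certificate to July 2007.
func BuildPKI() *PKI {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", date(1998, 1, 1), date(2028, 1, 1))
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// Same subject and same key with a new validity period is what a renewed intermediate looks like;
	// because the key is unchanged, a server certificate signed with it chains to either copy.
	oldInter := issue(caTemplate(2, "Example Intermediate CA", date(1999, 1, 7), date(2004, 1, 7)), root, &interKey.PublicKey, rootKey)
	newInter := issue(caTemplate(3, "Example Intermediate CA", date(2004, 1, 1), date(2011, 1, 1)), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: leafHost}, DNSNames: []string{leafHost},
		NotBefore: date(2005, 7, 1), NotAfter: date(2007, 7, 1),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, newInter, &leafKey.PublicKey, interKey)
	return &PKI{Root: root, OldIntermediate: oldInter, NewIntermediate: newInter, Leaf: leaf}
}

// VerifyChain models one client validating the server certificate at time at. clientRoots and clientCached
// are what the client already holds in its own store; serverSent is what the server appended after its own
// certificate in the TLS handshake. It returns nil only if a chain to one of the roots can be built.
func VerifyChain(leaf *x509.Certificate, clientRoots, clientCached, serverSent []*x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range clientRoots {
		roots.AddCert(c)
	}
	for _, c := range clientCached {
		inters.AddCert(c)
	}
	for _, c := range serverSent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leafHost, CurrentTime: at})
	return err
}

func main() {
	p, at := BuildPKI(), date(2006, 3, 30) // the date of the post
	roots := []*x509.Certificate{p.Root}
	old, renewed := []*x509.Certificate{p.OldIntermediate}, []*x509.Certificate{p.NewIntermediate}
	report := func(name string, cached, sent []*x509.Certificate) {
		fmt.Printf("%s -> %v\n", name, VerifyChain(p.Leaf, roots, cached, sent, at))
	}
	report("phone with root only, server sends expired intermediate", nil, old)
	report("phone with root only, server sends renewed intermediate", nil, renewed)
	report("desktop already holding renewed intermediate, server sends expired one", renewed, old)
	report("phone with root only, server sends no intermediate", nil, nil)
}
```

The first and last cases fail and the middle two succeed, which is the whole story of the post: the site certificate never changes, only the copy of the intermediate the server hands out does. Go's verifier tries every candidate issuer with a matching subject, so a client that already holds the renewed intermediate survives an expired one from the server, which is why desktops kept working while phones that carry only roots did not.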

To fix this problem, we had to get a new certificate from VeriSign that expires in 2011 and install it on each web server. This becomes part of the server installation procedure. Believe me, I'll be looking at alternatives to VeriSign before we have to renew. After all, the reason we went with the pricey VeriSign certificates instead of other companies was because theoretically VeriSign has greater compatibility and thus fewer problems with older browsers. Lesson learned.
