InCommon Certificate * new trust chain *

Incident Report for ITS Network & Systems

Resolved

If you're updating your SSL certificate or have updated your certificate on or after October 24, 2023, please note that InCommon has updated an intermediate certificate that will need to be updated as well.
• When retrieving your updated SSL certificate, ensure you've downloaded the updated full chain.
• Install the new chain to the server's trust store along with your approved certificate.

BACKGROUND
UC San Diego subscribes to the InCommon Certificate Service, which allows us to offer certificates at no cost to the end user. These certs should be installed with a complete signing chain in order to be recognized by browsers and other clients.

What is the problem?

InCommon replaced an expiring intermediate certificate around November 3, 2023. Any previously installed signing chains will not work for these new certificates.

How can I tell the difference between the “old” and “new” certificates?

The “old” certificates are issued by “InCommon RSA Server CA”. The “new” certificates are issued by “InCommon RSA Server CA 2” (note the “2” at the end).

How do I get the new certificate signing chain?

The “Enrollment Successful” email from “Certificate Services Manager” includes links to “Certificate (w/chain)” and “Issuing CA certificates only” – choose the appropriate link for your particular requirements.

What about certificates that were installed recently?

An excellent tool for testing is the “curl” utility – in verbose mode this will return an error like “unable to get local issuer certificate” in the case of a mismatched certificate chain. In some cases you may need to go back and install the proper signing chain.
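
As an added example (not part of the original notice), the shell function below classifies the verbose output of curl for the situation described above. The function name and the sample lines are constructed for illustration; the issuer CN is compared exactly, because the old CA name is a prefix of the new one and a plain substring search would match both.

```shell
#!/bin/sh
# Reads `curl -v` output on stdin and prints one word:
#   chain-error  curl reported "unable to get local issuer certificate"
#   new-ca       leaf issued by "InCommon RSA Server CA 2"
#   old-ca       leaf issued by "InCommon RSA Server CA"
#   other        no InCommon issuer line found
#
# Live use (host name is a placeholder):
#   curl -sv -o /dev/null https://host.example.edu 2>&1 | check_incommon_chain

# Constructed sample lines; DN fields other than the CN are illustrative.
SAMPLE_OLD='*  issuer: C=US; O=Example; CN=InCommon RSA Server CA'
SAMPLE_NEW='*  issuer: C=US; O=Example; CN=InCommon RSA Server CA 2'
SAMPLE_ERR='* SSL certificate problem: unable to get local issuer certificate'

check_incommon_chain() {
    out=$(cat)

    # Check for the verification failure first: a broken chain is the
    # condition that needs fixing, whatever the issuer turns out to be.
    case $out in
        *"unable to get local issuer certificate"*)
            echo chain-error
            return 0 ;;
    esac

    # Pull the CN out of curl's "*  issuer: ..." line (first one wins).
    issuer_cn=$(printf '%s\n' "$out" |
        sed -n 's/^\*[[:space:]]*issuer:.*CN=\(.*\)$/\1/p' | head -n 1)

    # Exact comparison: "InCommon RSA Server CA" is a prefix of
    # "InCommon RSA Server CA 2", so a substring match cannot tell them apart.
    case $issuer_cn in
        "InCommon RSA Server CA 2") echo new-ca ;;
        "InCommon RSA Server CA")   echo old-ca ;;
        *)                          echo other ;;
    esac
}
```

A result of `chain-error` on a host that was recently given a new certificate points to the old signing chain still being installed.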



Office of Information Assurance

University of California San Diego
Posted Dec 13, 2023 - 16:27 PST

Monitoring

Posted Nov 22, 2023 - 16:36 PST
This incident affected: Network.