

New Certificate (with new Certificate Authority) to be installed

  • Page last updated: Mon May 1 08:22:00 EDT 2006
  • Status: Changes were completed by 06:30

Notice

On Monday, May 1, 2006, Information Technology Services will change the certificate presented by Penn State's Web Access servers when a Cosign filter connects to them. The new certificate is signed by a different Thawte Certificate Authority (CA), and requires changes to a filter's configuration in order to maintain access.

The update is scheduled to take place between 6:00 and 6:30 a.m., during the regularly scheduled maintenance window (5:00 a.m. - 7:00 a.m.). Web Administrators who use WebAccess for authentication will need to make some nominal changes to filter configuration files in order to prevent errors from occurring once the update is complete.

To minimize any disruption of your service on May 1, you may make your updates any time prior to the scheduled work. Detailed information and instructions are found immediately below.


Changes Required by Filter Platform

Apache, IISCosign (version 1.1.1 or later, CAFilePath is a folder)

  • Install the certificate of the new Thawte CA alongside your current Thawte CA (don't replace the current CA file). On Windows, some people have trouble if they don't download the file directly to the final folder (permissions issues). For Apache, that's the directory specified as the 3rd parameter to CosignCrypto; for IISCosign, it's the folder specified as CAFilePath.
  • Create a hash of the new CA (if doing manually, don't forget the ".0" at the end of the file name). On Windows systems, just rename the new CA certificate file to be the hash.version name, "c33a80d4.0".
  • No restart of your filter should be required.
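
The hash step above done by script, as an added example that is not part of the original notice. It assumes the openssl command-line tool is installed; the function name install_ca_hashed and all file and directory names are hypothetical.

```shell
#!/bin/sh
# Added example: place a CA certificate in an OpenSSL-style CA directory
# under its subject-hash name, leaving CA files already there untouched.
# install_ca_hashed is a hypothetical helper name, not part of Cosign.

# install_ca_hashed CA_PEM CA_DIR -> prints the hash-named path for the CA
install_ca_hashed() {
    ca_pem=$1
    ca_dir=$2

    # Refuse anything that does not parse as an X.509 certificate.
    hash=$(openssl x509 -noout -hash -in "$ca_pem") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$ca_pem") || return 1

    # Keep the certificate in the CA directory under its own name as well.
    base=$(basename "$ca_pem")
    [ -e "$ca_dir/$base" ] || cp "$ca_pem" "$ca_dir/$base" || return 1

    # Different CAs can share a subject hash; OpenSSL then tries HASH.0,
    # HASH.1, ... so use the first free suffix, and stop early if this
    # exact certificate is already installed under one of them.
    n=0
    while [ -e "$ca_dir/$hash.$n" ]; do
        other=$(openssl x509 -noout -fingerprint -sha256 \
                    -in "$ca_dir/$hash.$n" 2>/dev/null) || other=""
        if [ "$other" = "$fp" ]; then
            echo "$ca_dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done

    # Relative symlink where possible; plain copy where symlinks are not.
    ln -s "$base" "$ca_dir/$hash.$n" 2>/dev/null \
        || cp "$ca_pem" "$ca_dir/$hash.$n" || return 1
    echo "$ca_dir/$hash.$n"
}
```

The hash name depends on the OpenSSL version the filter is linked against: OpenSSL 1.0.0 and later compute a different subject hash than earlier releases, and `openssl x509 -subject_hash_old` prints the older form.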

IISCosign (prior to version 1.1.1, CAFilePath points to a file)

  • Save your current CA file (value of Cosign config. tag CAFilePath).
  • Install this new CA file (which contains both CAs) as your CAFilePath. Do not use the separate CA files listed below.
  • Restart your IIS server.

Java servlet

  • Probably requires downloading the new CA certificate and using the keytool to import it into the keystore.

Copies of CA Certificates

If you don't desire to download the CA certificates from Thawte, we have local copies:





The Pennsylvania State University ©2006. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

For assistance please write to helpdesk@psu.edu or see our Help Sources.

Last revised: Monday, May 1, 2006.