From: vance@alumni.caltech.edu
Sent: Wednesday, January 05, 2000 1:51 AM
To: Info-VAX@Mvb.Saic.Com
Subject: Re: verisign root certificate expiration, older browsers, VMS

In article <84mnue$caq@gap.cco.caltech.edu>,
 <mathog@seqaxp.bio.caltech.edu> wrote:
>I saw a note the other day stating that the verisign certificate in older
>versions of Navigator has a Y2K problem - it expires then.  For other 
>platforms the fix is to download a newer version of the browser.  I'm at 
>home now - can anyone test that the VMS 3.03 browser still works with 
>verisign certified SSL pages?  If it doesn't (which is what I expect given
>the general nature of the Verisign problem), does anybody have a workaround?
>Sadly, downloading a newer version of the browser is not an option.  When
>this happened with the Thawte cert. it was possible to install a new one, 
>but Verisign's may be engineered into the program differently.

A few months ago Schwab.com allowed me to update the Verisign root certificate.
Now, however, it and all the links from Netscape and Verisign about this suggest
upgrading the browser, which isn't an option for VMS yet.  I searched around 
and found the Verisign page which allows one to update the root certificate.

According to Verisign's and Netscape's web pages, if you don't update the
root certificate, when you connect to a secure site you will get a dialog box 
telling you of this fact and allowing you to "Cancel" or "Continue".  Hitting 
"Continue" does in fact get you a secure connection.  However, going to a site 
can cause many dialog boxes to pop up, one after the other, and it can get quite 
annoying.

Here's how to update your Root certificates in Netscape:

Thawte Server certificate which expired in 1998:

1) Under the Options Menu choose "Security Preferences..."
2) Select the "Site Certificates" tab
3) Select "Thawte Server CA" in the list of certificates
4) Select "Delete Certificate" and then "OK"
5) Go to http://www.thawte.com/serverbasic.crt
6) Follow the instructions on the popup dialog box to accept the certificate
   This mostly involves hitting the "Next" button and clicking an accept
   button and then naming the resulting certificate.  I named it the same
   name as the original.

VeriSign/RSA Server certificate which expired Dec 31, 1999:

1) Under the Options Menu choose "Security Preferences..."
2) Select the "Site Certificates" tab
3) Select "Verisign/RSA Secure Server CA" in the list of certificates
4) Select "Delete Certificate" and then "OK"
5) Go to https://www.verisign.com/server/prg/browser/root.html
6) Follow the instructions on the popup dialog box to accept the certificate
   This mostly involves hitting the "Next" button and clicking an accept
   button and then naming the resulting certificate.  Verisign suggests
   using the name "VeriSign CA".

I hope this helps.  It would be nice if Compaq reissued Netscape 3.03 with
the updated certificates available with more recent versions of Netscape.

>P.S., could it be that the Purveyor Y2K bug reported in another thread is
>related to this?

   That is my guess, the server certificate had expired.

--
Vance Haemmerle
vance@alumni.caltech.edu
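
An added example, not part of the original post: step 6 of both procedures leaves the decision to accept the downloaded root to the user, and this Python sketch shows the two checks that decision rests on, namely comparing the certificate's SHA-256 fingerprint with one obtained out of band and reading its notAfter date from the DER. The names `vet_root` and `not_after`, the sample certificate skeleton and its pin are constructed for illustration, and the parser assumes UTCTime values that include seconds.

```python
import hashlib, hmac, ssl
from datetime import datetime, timezone

def _tlv(der, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the certificate's notAfter as an aware UTC datetime."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # [0] version, absent in X.509 v1 roots
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)             # validity ::= SEQUENCE
    pos = _tlv(der, pos)[2]                # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                        # UTCTime: YY >= 50 means 19YY (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def vet_root(pem, pinned_sha256, now):
    """Classify a downloaded root before it is added to a trust store."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    fingerprint = hashlib.sha256(der).hexdigest()
    if not hmac.compare_digest(fingerprint, pinned_sha256.lower().replace(":", "")):
        return "fingerprint-mismatch"      # not the certificate the CA published
    return "expired" if now > not_after(der) else "ok"

def _enc(tag, body):                       # short-form DER encoder, sample data only
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real certificate): a v1-shaped skeleton whose
# notAfter is Dec 31 1999, the expiry date given in the post.
_validity = _enc(0x30, _enc(0x17, b"941109000000Z") + _enc(0x17, b"991231235959Z"))
_tbs = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x30, b"") + _enc(0x30, b"") + _validity)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(_enc(0x30, _tbs))
# In practice the pin comes from a separate channel; here it is derived from the sample.
SAMPLE_PIN = hashlib.sha256(ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)).hexdigest()
```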
