Certificate Authority Fact Sheet
Thawte's recent change to implement an intermediate certificate authority has caused some confusion. Hopefully this fact sheet will alleviate any remaining uncertainty.
Thawte, the certificate authority (CA) that IU contracted with from 2006-2010 (prior to the InCommon Certificate Service) to provide SSL certificates, recently implemented a change to the way that they sign certificates. Rather than sign all certificates directly using their root certificate, they implemented an intermediate certificate authority.
Note: Most CAs, including Comodo (the contracted CA for the InCommon Certificate Service), were already utilizing intermediate certificate authorities. This affords a CA the ability to apply much stricter security measures to protect their root certificate.
How did the change affect servers and services at IU?
Since Thawte is now signing SSL certificates using their intermediate CA, rather than with their root CA directly, all servers that utilize SSL/TLS must recognize the validity of the intermediate CA.
A user attempting to connect via SSL/TLS will receive an error if the service administrator did not make the appropriate changes on the server. This will impact any service utilizing SSL/TLS, not just web servers.
Service owners should consult their contracted vendors as appropriate for assistance with such changes.
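The failure described above can be reproduced offline. The following is an added example, not part of the original fact sheet or Thawte's documentation: it builds a constructed root, intermediate and server certificate with the `openssl` command line, then verifies the server certificate the way a client that trusts only the root would. All names, file names and helper functions are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: constructed three-tier PKI; every name and file here is made up.

# Issue a certificate.
# $1=dir  $2=file stem  $3=subject CN  $4=extension lines  $5=issuer stem ("" = self-signed)
issue_cert() {
  local d=$1 name=$2 cn=$3 ext=$4 issuer=$5
  printf '%b\n' "$ext" > "$d/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 30 \
      -extfile "$d/$name.ext" -out "$d/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
      -CAcreateserial -days 30 -extfile "$d/$name.ext" -out "$d/$name.pem" 2>/dev/null
  fi
}

# Root signs the intermediate; the intermediate signs the server certificate.
build_pki() {
  local d=$1 ca='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  issue_cert "$d" root "Example Root CA" "$ca" "" &&
  issue_cert "$d" intermediate "Example Intermediate CA" "$ca" root &&
  issue_cert "$d" server "www.example.test" \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test' intermediate
}

# Client view when the server sends only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Client view when the server also sends the intermediate.
# -untrusted: the intermediate is used for chain building but is not a trust anchor.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/server.pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
build_pki "$workdir" || echo "PKI setup failed (is openssl installed?)"
verify_leaf_only "$workdir" \
  && echo "leaf only: OK" || echo "leaf only: verification FAILED"
verify_with_intermediate "$workdir" \
  && echo "leaf + intermediate: OK" || echo "leaf + intermediate: verification FAILED"
```

The leaf-only check fails because the client cannot find the issuer of the server certificate; it passes once the intermediate is supplied alongside it, which is what a correctly configured server does.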
This change did not occur because IU switched certificate authorities.
IU, through the UISO, has partnered with Thawte since 2006 to provide discounted SSL certificates. Thawte implemented this change in June or July for security purposes; it was not a cost-saving measure.
Most major CAs have adopted this practice
A certificate authority is built on trust.
As such, a CA must not only vet the certificates it issues and signs, it must also apply an extraordinary amount of security to its signing certificates (specifically, their private keys). Were one of these certificates compromised, an attacker would be able to forge and issue certificates in the name of reputable services, such as those from higher education, companies, banks, government, and more.
Implementing an intermediate CA means that the root CA can be more heavily protected. While the situation would be dire were an intermediate CA compromised, it could always be reissued by the root CA. If the root CA were compromised, it's pretty much game over.
UISO added the following documentation as quickly as possible
As soon as the UISO was aware of this change, the following actions were taken:
- a warning was added to the old IUCA FAQs
- an IMPORTANT NOTICE was added to the email confirmations of newly fulfilled certificate requests
Remember to test all production changes
Regardless of whether a change seems insignificant, every change should be thoroughly tested before being deployed in a production environment — including renewing or modifying a certificate.