ipsCA: Getting What You Pay For

So the SSL certification authority (CA) ipsCA is frantically sending out email because their root CA certificate will expire on 12/29/2009, and every customer of theirs needs to get a new certificate. This is a problem for my organization, because, being an educational institution we were able to get no-cost[0] SSL certs from them. Because they were no-cost we have a lot of these certificates for test & development systems, and are now scrambling to find what will break on December 29th.

Once we find all the certificates there’s another complicating factor. We could just renew the certificates again, but the new ipsCA root certificate is not shipping as part of any browsers except Internet Explorer 8 (the next Firefox will have it when it ships in February).  Since we know nobody ever patches anything[1] nearly every browser in circulation will continue to have errors. I can only conclude that ipsCA is being run by people who don’t understand their business.[2]

There are a few lessons here:

  • Once again, free doesn’t mean it’s a good value. I’d much rather pay for a product I know will work well than have to babysit something that I paid nothing for. Though I’d be seriously upset if I were actually a paying customer of theirs.
  • It would be real nice to have a central spreadsheet or tracking mechanism for SSL certificates and their expiration dates.
  • It would also be nice to have all those SSL certificates co-terminate, so we can renew them all at once. Of course, we have an opportunity to do that now.
  • For most test & development purposes an internal CA would work just fine, since it’s simple enough for staff to import a CA into their browsers. In fact, some of my coworkers have already set it up.

Let’s just hope these points don’t get lost in the chaos.

———————————————————-

[0] I say “no-cost” because it’s now obvious to a lot of people that they aren’t free.

[1] Except toolbars, things that install toolbars, and spyware.

[2] That’s probably the most polite I’ve been when describing this situation.

Comments on this entry are closed.

  • Bob, my understanding is that ipsCA tried to
    get their root CA cert distributed out to
    various providers earlier this year, but
    only MS responded by issuing the root cert
    in their October Root distro(which MS
    unfortunately distributes as an Optional rather
    than Critical update, so you have to manually
    select it).

    Not to mention the fact that if you have the
    “Update Root Certificates” component turned
    on (like you’re supposed to), Windows XP SP1
    or later will -auto download- the root cert
    from the MS net repository -on demand-.

    Normally I’m a Linux lovin’ MS hater, but I have
    to say that on this one, MS -got it right-. Root
    certs should just work – the repository should
    be handled by the OS, and there should be an
    auto-update mechanism built in. You shouldn’t
    have X number of local root cert packages for
    X applications, and NO proper update mechanism
    so that those local root packages only get
    updated once a year or so(when the app gets updated).

    Ridiculous!

    Other than MS, everybody else wants to drag
    their feet, or play academic ivory tower games,
    or allow only the root certs for their
    favorite CA’s, or play prejudicial games
    against non-US Certificate Authorities.

    Mozilla products, Chrome, and ANY other web
    client running on windows should be using the
    windows system-level rootcert repository if
    they’re on windows, but they dont.

    They just want to toy around with their own
    internal root cert repositories, and THAT is
    why our customers are getting burned.

    They need to get their butts kicked, and hard.

    And don’t get me started on the total
    disinterest I see in the Linux community about
    having a reliably updated centralized
    system-level Root package handler. Everybody
    seems to use their own little local root kits: openldap, openssl, perl, etc. More ad
    nauseum.

    This s%&t should just work folks – it shouldn’t
    be an excuse for browser writers, or Sun or
    whoever to grandstand, and ultimately screw
    over all the poor people out there who are just
    trying to make things work reliably and
    securely.

    Yes, I’m one of the people getting burned by
    this ipsCA root expiration, but sorry, I only
    lay 10-15% of the blame for this fiasco at
    their doorstep.

  • We just jumped from Thawte to StartSSL and saved a tons of money. After personal and organization verification that cost us 39.99 each, we are able to have unlimited certificate (wild included) for the next 2 years.

    I love startssl.com.

  • Comodo is here to help with any issues you may experience. Feel free to contact me directly.

  • I was also burned by a couple of years ago by our LDAP server SSL certificate expiring (especially since OpenLDAP didn’t really have descriptive error messages…). Since that I’ve put all SSL certificates in a specific place and check for expiration every night using cron. It sends mail to admins 30 days prior to expiring. Doesn’t check for root certificate expiration though.

  • we had the same problem, we don’t have the budget of a larger university (anther CSU I know of pays 20k a year just for SSL certs) and we had about 200 certs issued off IPSCA. We just finished moving everything to Go Daddy a few days before Christmas. Can’t imagine IPSCA being able to stay in business with things being the way they are.

  • Wow, I just found out yesterday when they expired. Never got notice. We use a wild card cert across many servers and our ssl imap server.

    We are a .edu site and I appreciate ipsCA giving us a free cert for the last 4 years. I to am looking at GoDaddy and will order a 2 year wild card cert as soon as I get approval to spend $360.

    I know there are politics in getting the root CA in the browsers but this should have been addressed by ipsCA a full year in advance. I just renewed November 2, 2009 and new nothing about the issue, no info on their web site or the email with the certificate. I can not imagine running a business and having this issue

  • GoDaddy.com is happy to help ipsCA customers that have found themselves in a jam. For a limited time, our Standard SSLs are $12.99 with code sslqyh1w. Call 480-505-8877 or order online at http://bit.ly/91M3NV

  • I know this isn’t the place to plug my company, but here’s where I would like point out that we do offer programs to allow customers to co-terminate all of their certs at once, and a centralized tracking/workflow application. Of course the kicker is that we’re not free!

    We can however offer educational discounts if you need help through this.

    Regards,
    Steve

  • I’m one who paid for certs from them, and got screwed.

    When they issued my 2 yr wildcard cert about 18 months ago, I asked what would happen when their root expired, since I noticed at the time it would.

    They said no problem. This is after they even ripped me off a month when I renewed by basing the new expiry on the date I renewed, rather than the date my old cert expired (I renewed a month early).

    When I got their email a week before Christmas (great timing), I tested what would happen when the root expired. I can’t believe what a bunch of turkeys ipsCA have been.

    a) they’ve known this cert would expire for 11 years, but they didn’t roll out another root in all this time.
    b) they issued certs that expire after the root (this is plain fraud)

    their proposed fix was to get users to download root cert updates if they weren’t using IE. Like yeah right, I’m gonna tell my customers to do that.

    So I went to Network Solutions. I guess you get what you pay for. I fully expect ipsCA to be bankrupt in a month or so.

  • Hi Bob,
    I work for Network Solutions and stopped by to thank AdC who got the certs from Network Solutions . If anyone needs any info from me hope they will ping me.

    Thanks,

    Shashi Bellamkonda
    listen network solutions (.) com

  • This blog post says that the next release of Firefox will include the new IPSCA roots. However, from the bugzilla thread at https://bugzilla.mozilla.org/show_bug.cgi?id=529286 , it looks like it’ll be a year or more before Firefox ships with the new roots. Then it’ll be far longer before everyone has updated to the new Firefox version. I’ve switched to another cert provider.

  • The fact that that Bugzilla report was filed on November 17, 2009 means that ipsCA is completely clueless. It should have been filed two to three years earlier.

Previous Post:

Next Post: