So the SSL certification authority (CA) ipsCA is frantically sending out email because their root CA certificate will expire on 12/29/2009, and every customer of theirs needs to get a new certificate. This is a problem for my organization because, being an educational institution, we were able to get no-cost[0] SSL certs from them. Because they were no-cost, we have a lot of these certificates for test & development systems, and are now scrambling to find what will break on December 29th.
Once we find all the certificates, there’s another complicating factor. We could just renew the certificates again, but the new ipsCA root certificate is not shipping as part of any browser except Internet Explorer 8 (the next Firefox will have it when it ships in February). Since we know nobody ever patches anything[1], nearly every browser in circulation will continue to have errors. I can only conclude that ipsCA is being run by people who don’t understand their business.[2]
There are a few lessons here:
- Once again, free doesn’t mean it’s a good value. I’d much rather pay for a product I know will work well than have to babysit something that I paid nothing for. Though I’d be seriously upset if I were actually a paying customer of theirs.
- It would be real nice to have a central spreadsheet or tracking mechanism for SSL certificates and their expiration dates.
- It would also be nice to have all those SSL certificates co-terminate, so we can renew them all at once. Of course, we have an opportunity to do that now.
- For most test & development purposes an internal CA would work just fine, since it’s simple enough for staff to import a CA into their browsers. In fact, some of my coworkers have already set it up.
Let’s just hope these points don’t get lost in the chaos.
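The tracking mechanism from the lessons above, as an added example that is not part of the original post: because the failure here comes from the root expiring rather than the leaf, it records for each host the earliest notAfter anywhere in the chain. Hostnames, chain contents and times of day are constructed; only the 12/29/2009 root expiry date comes from the post.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: per host, the `openssl x509 -noout -enddate` output
# for each certificate in its chain. Hosts, leaf dates and times of day are
# made up; only the root's 12/29/2009 expiry date comes from the post.
INVENTORY = {
    "dev1.example.edu": [("leaf", "notAfter=Jun 15 12:00:00 2010 GMT"),
                         ("ipsCA root", "notAfter=Dec 29 00:00:00 2009 GMT")],
    "test2.example.edu": [("leaf", "notAfter=Nov 30 12:00:00 2009 GMT"),
                          ("ipsCA root", "notAfter=Dec 29 00:00:00 2009 GMT")],
    "wiki.example.edu": [("leaf", "notAfter=Mar 01 12:00:00 2011 GMT"),
                         ("internal root", "notAfter=Jan 01 12:00:00 2019 GMT")],
}
# Flag anything whose chain stops validating by the end of this day (UTC).
CUTOFF = datetime(2009, 12, 29, 23, 59, 59, tzinfo=timezone.utc)


def parse_not_after(line):
    """Turn an openssl 'notAfter=...' line into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def effective_expiry(chain):
    """Return (expiry, name) for the chain element that expires first."""
    return min((parse_not_after(line), name) for name, line in chain)


def report(inventory, cutoff):
    """Rows of (host, expiry date, limiting cert, breaks by cutoff), soonest first."""
    rows = []
    for host, chain in inventory.items():
        expiry, limited_by = effective_expiry(chain)
        rows.append((host, expiry.date().isoformat(), limited_by, expiry <= cutoff))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    print("host,effective_expiry,limited_by,breaks_by_cutoff")
    for row in report(INVENTORY, CUTOFF):
        print(",".join(str(col) for col in row))
```

The `limited_by` column is what a leaf-only spreadsheet would miss: `dev1.example.edu` has a leaf valid into 2010 but is still listed as breaking on the root's expiry date.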
———————————————————-
[0] I say “no-cost” because it’s now obvious to a lot of people that they aren’t free.
[1] Except toolbars, things that install toolbars, and spyware.
[2] That’s probably the most polite I’ve been when describing this situation.