GlobalSign Target Certificates
Posted on Thursday, 1 January 1970
Previously, GlobalSign's X.509 certificates were unsuitable for use as Shibboleth service provider (target SHAR) certificates, so these had to be issued by the SDSS project's internal CA. GlobalSign has been working on this issue, assisted by the SDSS project, since September 2004 and on 27 January 2005 released a revised certificate profile that resolved the issue. After testing of the new profile by the SDSS team, the procedure for new service providers joining the SDSS federation has been updated to specify GlobalSign rather than SDSS certificates. Note that GlobalSign certificates issued before 27 January 2005 cannot be used as service provider (target) certificates.
The technical issue with the previous GlobalSign ServerSign certificate profile was that it contained the NetscapeCertType X.509 extension, set to "SSL Server" only. Target SHAR certificates are presented to the origin's attribute authority as SSL client certificates, but OpenSSL (as used by Apache and mod_ssl) requires that, if a client certificate contains the Netscape extension at all, the extension must include "SSL Client". The new profile still has the Netscape extension but allows both "SSL Client" and "SSL Server" usages.
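As an added example (not code from the original post, GlobalSign or the SDSS project), the following Python script models the acceptance rule just described: it decodes the NetscapeCertType extension from a DER-encoded X.509 Extensions sequence and reports whether OpenSSL's client-certificate check would accept it. The three sample Extensions sequences at the bottom are constructed here to mirror the old "SSL Server"-only profile, the revised "SSL Client" + "SSL Server" profile, and a certificate with no Netscape extension; they are not real GlobalSign certificates.

```python
"""Check whether nsCertType permits use as an SSL client certificate.

Added example, not from the original post or from GlobalSign/SDSS. It applies
the rule the post describes: OpenSSL accepts a client certificate that has no
NetscapeCertType extension, or whose extension includes "SSL Client", and
rejects one whose extension is present but lacks that bit.
"""

NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"  # Netscape Cert Type (nsCertType)

# Named bits of the NetscapeCertType BIT STRING, most significant bit first.
NS_USAGES = [
    (0x80, "SSL Client"),
    (0x40, "SSL Server"),
    (0x20, "S/MIME"),
    (0x10, "Object Signing"),
    (0x04, "SSL CA"),
    (0x02, "S/MIME CA"),
    (0x01, "Object Signing CA"),
]


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_extensions(ext_seq: bytes) -> dict:
    """Map OID -> (critical, extnValue octets) from a DER Extensions SEQUENCE."""
    tag, body, _ = _read_tlv(ext_seq, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts = {}
    for _etag, ebody in _children(body):
        fields = _children(ebody)  # OID, [BOOLEAN critical], OCTET STRING
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        exts[_decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return exts


def ns_cert_type_usages(extn_value: bytes) -> set:
    """Decode the BIT STRING inside the nsCertType extnValue into usage names."""
    tag, body, _ = _read_tlv(extn_value, 0)
    assert tag == 0x03, "nsCertType must be a BIT STRING"
    first = body[1] if len(body) > 1 else 0  # body[0] is the unused-bits count
    return {name for bit, name in NS_USAGES if first & bit}


def acceptable_as_ssl_client(exts: dict):
    """OpenSSL's rule: nsCertType, if present, must include SSL Client."""
    if NS_CERT_TYPE_OID not in exts:
        return True, "no nsCertType extension; client use is not restricted"
    usages = ", ".join(sorted(ns_cert_type_usages(exts[NS_CERT_TYPE_OID][1])))
    if "SSL Client" in usages:
        return True, "nsCertType includes SSL Client: " + usages
    return False, "nsCertType present but lacks SSL Client: " + usages


def _ns_ext(first_byte: int) -> bytes:
    """Build one nsCertType Extension (6 unused bits, as OpenSSL emits it)."""
    bitstr = _tlv(0x03, bytes([6, first_byte]))
    return _tlv(0x30, _encode_oid(NS_CERT_TYPE_OID) + _tlv(0x04, bitstr))


# Constructed sample Extensions sequences; not real GlobalSign certificates.
OLD_PROFILE_EXTS = _tlv(0x30, _ns_ext(0x40))  # "SSL Server" only
NEW_PROFILE_EXTS = _tlv(0x30, _ns_ext(0xC0))  # "SSL Client" + "SSL Server"
NO_NS_EXTS = _tlv(0x30, b"")                  # no nsCertType extension

if __name__ == "__main__":
    for label, der in [("old profile", OLD_PROFILE_EXTS),
                       ("new profile", NEW_PROFILE_EXTS),
                       ("no nsCertType", NO_NS_EXTS)]:
        ok, why = acceptable_as_ssl_client(parse_extensions(der))
        print(f"{label:14s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

To apply the same check to a real certificate, feed `parse_extensions` the DER bytes of the TBSCertificate's `[3]` Extensions field (for example, extracted with `openssl asn1parse`); the decision logic is unchanged. Note that a certificate with no Netscape extension passes, which is why the absence of the extension, not the presence of "SSL Server", was never the problem.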
Edited on 28 February 2008, at 01:43 PM