Advisories - CA Update: Secure Site and Managed PKI for SSL Standard Certificate from VeriSign, Inc.

CA Update: Secure Site and Managed PKI for SSL Standard Certificate

April, 2006 

During 2006, VeriSign will be completing the migration of Secure Site and Standard SSL Certificates from a single-tier certificate hierarchy to a new, more secure two-tier hierarchy under the Class 3 Public Primary Root Certification Authority (PCA). 

Up until May 2005, all Secure Site Certificates were signed directly by the VeriSign/RSA root. In May 2005, VeriSign introduced a new 2048-bit VeriSign Class 3 Secure Server CA and began using it to sign Secure Site Certificates obtained through www.verisign.com for customers using IIS web servers. The rollout to Microsoft IIS customers went smoothly and customers have seen no change to their SSL security. For more information on this change, see http://www.verisign.com/support/ssl-certificates-support/newsecuresiteca.html

The VeriSign/RSA root expires in January 2010, and it is important that the migration off this root is completed well before that date. VeriSign will be rolling out this new 2048-bit VeriSign Class 3 Secure Server CA to all Secure Site and Standard SSL Certificate customers during 2006.

Rollout Timeline:

September 2006: VeriSign retail certificate customers: 
Starting August 2006 all non-IIS customers obtaining retail Secure Site Certificates through www.verisign.com will get a certificate signed by the new VeriSign Class 3 Secure Server CA.  

2007: Managed PKI for SSL customers: 
VeriSign will be migrating all Managed PKI for SSL Standard SSL Certificates from a single-tier certificate hierarchy to a new, more secure two-tier hierarchy under the Class 3 Public Primary Root Certification Authority (PCA). This release was originally scheduled for December 2006, but has been deferred to 2007.

What you can expect when this is rolled out:

Customers using IIS web servers  
Customers using IIS web servers will receive one file containing their digital certificate and the new VeriSign Class 3 Secure Server CA. IIS processes this file seamlessly. 

Customers using other web servers
Customers using other web servers will receive a separate digital certificate file and VeriSign Class 3 Secure Server CA to install. The SSL administrator will have to go through a simple one-time installation of the VeriSign Class 3 Secure Server CA. This is consistent with the way VeriSign has been issuing Secure Site Pro and Premium Certificates for the past 2 years. 

Additional Questions and Answers

1. How can I test this new certificate chain? 
IIS: A chained test certificate is currently available for customers using IIS from http://www.verisign.com/ssl/buy-ssl-certificates/free-trial/index.html

Non-IIS 
During June 2006 a “Chained certificate” option will be added to the trial certificate page for users of other server types.  

2. Does this affect VeriSign Secure Site Pro and Premium SSL certificates? 
This change does not affect Secure Site Pro and Premium SSL Certificates. These customers will continue to get their certificates signed by the same VeriSign International Server CA used today.

3. What if I have an application or server that does not support certificate chains?
VeriSign is aware that some customers may be using legacy applications or servers that may not support chaining. For this reason, we will keep the RSA root available for customers who require unchained certificates. These certificates will only be one year certificates and cannot be issued after September 30, 2008. VeriSign recommends you update your legacy applications before that date and ensure that the RSA root is not hard-coded in your application as a trust point. 

4. Does this affect VeriSign Code and Content Signing Certificates?  
This change does not affect VeriSign Code and Content Signing Certificates. These customers will continue to get their certificates signed by the same VeriSign CA used today.  

5. Does this affect client certificates issued to individuals? 
This change does not affect VeriSign Code and Content Signing Certificates. These customers will continue to get their certificates signed by the same VeriSign CA used today.
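
The intermediate CA installation described under "Customers using other web servers" and the trust-point warning in question 3 can both be checked with openssl before a rollout. The script below is an added example, not VeriSign tooling: it builds a constructed hierarchy (the names oldroot, root, inter and leaf and the helpers make_chain and check are assumptions) and verifies the leaf without the intermediate, with it, and against a client that hard-codes a different root.

```shell
#!/bin/sh
# Added example. Every key, certificate and name below is constructed locally.
make_chain() (            # $1 = working directory
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  for n in oldroot root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Constructed $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  sign() { openssl x509 -req -days 30 "$@" 2>/dev/null; }
  # Two self-signed roots: "oldroot" stands in for a retired single-tier root.
  sign -in oldroot.csr -signkey oldroot.key -extfile ca.cnf -extensions ca -out oldroot.pem &&
  sign -in root.csr -signkey root.key -extfile ca.cnf -extensions ca -out root.pem &&
  # Two-tier hierarchy: the root signs the intermediate CA, which signs the leaf.
  sign -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
       -extfile ca.cnf -extensions ca -out inter.pem &&
  sign -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out leaf.pem
)

# check DIR TRUST_ANCHOR [INTERMEDIATE]: succeeds only if leaf.pem chains to the anchor.
check() (
  cd "$1" || exit 1
  openssl verify -CAfile "$2" ${3:+-untrusted "$3"} leaf.pem 2>/dev/null | grep -q ': OK$'
)

demo_dir=$(mktemp -d)
if make_chain "$demo_dir"; then
  # Server sends only the leaf: a client trusting the root cannot build the chain.
  check "$demo_dir" root.pem && echo "leaf only: OK" || echo "leaf only: FAIL (intermediate missing)"
  # Server also presents the intermediate CA certificate.
  check "$demo_dir" root.pem inter.pem && echo "with intermediate: OK" || echo "with intermediate: FAIL"
  # Client hard-codes a different root as its only trust point.
  check "$demo_dir" oldroot.pem inter.pem && echo "old root pinned: OK" || echo "old root pinned: FAIL (wrong trust point)"
fi
rm -rf "$demo_dir"
```

Only the second check succeeds: the leaf validates when the intermediate is supplied and the client trusts the root that issued it.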

