Lazy sysadmins rooted in looming Mozilla cert wipeout
CA maintainer warns 'check your infrastructure'
Mozilla is about to revoke some weak X.509 PKI certs, and has warned sysadmins that it will affect the Firefox browser and they'll need to assess their infrastructure.
The four affected root certificates from Entrust and ValiCert are marked for removal because they contained weak keys.
A further seven from CyberTrust, Thawte Consulting, VeriSign and Equifax will get revoked soon.
"If you are a system administrator for infrastructure using X.509/PKI certificates, please check that your infrastructure doesn't depend on the [affected] CA certificates to be trusted," Engert said.
"Although their validity dates indicate they are still valid, they will be removed in upcoming software updates. If you depend on them, you are likely to experience failures.
"Since many other open source software packages or operating systems have chosen to use the Mozilla CA list as the base for global internet trust, the list is widely distributed, and you should expect software updates with these removals."
He said the ca-certificates package in Fedora Linux would be affected, for instance.
Admins could run the command '$ openssl s_client -showcerts -connect kuix.de:443' to assess if their infrastructure depended on the affected certificates which would display the issuer and subject names of all certs spat out by the server.
Good replacement intermediate certs could generate false positives however, so admins may instead wish to contact their certificate authority or run a small revocation test. ®