NETANN-L Archives

- NETANN-L - Networkmaine Network Announcement List

NETANN-L@LISTS.MAINE.EDU

From:
Irelann Anderson <[log in to unmask]>
Reply To:
- NETANN-L - Networkmaine Network Announcement List <[log in to unmask]>
Date:
Wed, 27 May 2015 06:19:08 -0400
The SSL certs on NameO.its.maine.edu, NameA.its.maine.edu and
NameI.its.maine.edu have all been updated and according to my tests are
functioning as expected.

On Sun, May 24, 2015 at 6:52 AM, Irelann Anderson <[log in to unmask]> wrote:

> The SSL certs on NameP, NameF and NameK have been updated and all my tests
> seem to confirm they are working.  Verified current signature algorithms
> for all the NameX LDAP servers with this nifty command Drew passed on that
> he was using to check his web servers:
>
> echo -e ""; for s in namea.its.maine.edu namef.its.maine.edu \
>     namei.its.maine.edu namek.its.maine.edu nameo.its.maine.edu \
>     namep.its.maine.edu namet.its.maine.edu; do echo -e "$s:";
>   openssl s_client -connect ${s}:636 </dev/null |&
>     sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' |
>     openssl x509 -noout -text |& grep "Signature Algorithm" | uniq;
>   echo -e ""; done;
>
> namea.its.maine.edu:
>     Signature Algorithm: sha1WithRSAEncryption
>
> namef.its.maine.edu:
>     Signature Algorithm: sha256WithRSAEncryption
>
> namei.its.maine.edu:
>     Signature Algorithm: sha1WithRSAEncryption
>
> namek.its.maine.edu:
>     Signature Algorithm: sha256WithRSAEncryption
>
> nameo.its.maine.edu:
>     Signature Algorithm: sha1WithRSAEncryption
>
> namep.its.maine.edu:
>     Signature Algorithm: sha256WithRSAEncryption
>
> namet.its.maine.edu:
>     Signature Algorithm: sha256WithRSAEncryption
>
>
> On Tue, May 19, 2015 at 3:46 PM, Irelann Anderson <[log in to unmask]> wrote:
>
>> SHA1 signed SSL certificates are being deprecated and we need to upgrade
>> all such certificates to SHA2.
>>
>> We are planning to upgrade the SSL certs on NameP, NameK, and NameF one
>> at a time during the maintenance window on Sunday May 24th starting at 6AM.
>> We should be done by 6:30.
>>
>> If all goes well, we plan to upgrade the SSL certs on NameO, NameA and
>> NameI during the maintenance window on Wednesday morning May 27th at 6AM.
>> We should be done by 6:30.
>>
>> The LDAP servers on LDAP-B, LDAP-Master and NameT have already been done.
>>
>> MOST software should not be affected by the change, but we have seen
>> software that requires attention when SSL certificates change. Some even
>> require that the certificate and its intermediates be downloaded ahead of
>> time. If you are running such software, contact me by email and I can
>> send you the certificate and intermediates for the LDAP server(s) you are
>> using.
>>
>> --
>> Irelann Kerry Anderson          phone:    (207)561-3508
>> Systems and Operations
>> Information Technology Services
>> University of Maine System
>> 5752 Neville Hall
>> Orono, Maine 04469-5752
>>
>
>
>
> --
> Irelann Kerry Anderson          phone:    (207)561-3508
> Systems and Operations
> Information Technology Services
> University of Maine System
> 5752 Neville Hall
> Orono, Maine 04469-5752
>



-- 
Irelann Kerry Anderson          phone:    (207)561-3508
Systems and Operations
Information Technology Services
University of Maine System
5752 Neville Hall
Orono, Maine 04469-5752
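
Added example, not part of the original message: the per-host report printed by the loop quoted above is read by eye; this script parses that report format and fails when any host still presents a SHA-1 or MD5 signed certificate. The function names, the verdict labels and the ldap.example.org entry are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original message.

# Map an OpenSSL signature-algorithm name to a verdict.
classify_sig_alg() {
  case "$1" in
    md5*|sha1*|*-with-SHA1|dsaWithSHA1) echo WEAK ;;
    sha224*|sha256*|sha384*|sha512*|*-with-SHA[235]*|ED25519|ED448) echo OK ;;
    *) echo REVIEW ;;  # unrecognised name: inspect the certificate by hand
  esac
}

# Read "host:" lines followed by "Signature Algorithm: X" lines on stdin.
# Print "host alg verdict" once per host/algorithm pair; return 1 if any
# certificate is WEAK.
audit_report() {
  local line host="" alg verdict seen="" rc=0
  while IFS= read -r line; do
    case "$line" in
      *"Signature Algorithm: "*)
        alg="${line##*Signature Algorithm: }"
        alg="${alg%%[[:space:]]*}"
        # x509 -text prints the field twice; if the two lines are indented
        # differently uniq does not merge them, so dedupe here instead.
        if [ "$seen" != "$host $alg" ]; then
          seen="$host $alg"
          verdict=$(classify_sig_alg "$alg")
          printf '%s %s %s\n' "$host" "$alg" "$verdict"
          if [ "$verdict" = WEAK ]; then rc=1; fi
        fi
        ;;
      *:) host="${line%:}" ;;
    esac
  done
  return "$rc"
}

# Sample input: two entries copied from the report in the message above and
# one constructed entry (ldap.example.org) with the field indented two ways.
sample_report() {
  cat <<'EOF'
namea.its.maine.edu:
    Signature Algorithm: sha1WithRSAEncryption

namef.its.maine.edu:
    Signature Algorithm: sha256WithRSAEncryption

ldap.example.org:
        Signature Algorithm: ecdsa-with-SHA256
    Signature Algorithm: ecdsa-with-SHA256
EOF
}

sample_report | audit_report || echo "SHA-1 or MD5 signed certificates remain"
```

Piping the output of the quoted loop into audit_report applies the same check to the live servers, and the non-zero exit status lets a cron job or monitoring check alert on it.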
