undefined | Better HN

0 pointsdylz5y ago0 comments

It is explicitly not a replacement, but some kind of legacy fallback that they don't want you to use, but exists for enterprise customers that absolutely can't get trust.

0 comments

josephcsible5y ago

Are you sure? That's the path that InCommon has been providing me for new certificates since they switched away from the expiring one.

dylzOP5y ago

On anything with a modern TLS stack, I see this trust chain:

- Leaf cert (your cert)

- InCommon RSA Server CA

- USERTrust RSA Certification Authority (this is/should be the final point)

josephcsible5y ago

That's what my browser shows me too, but it's just because it's ignoring the cross-signed one that chains to AAA. The server is sending it, per InCommon's setup instructions.

1 more reply

j / k navigate · click thread line to collapse

0 pointsdylz5y ago0 comments

It is explicitly not a replacement, but some kind of legacy fallback that they don't want you to use, but exists for enterprise customers that absolutely can't get trust.

0 comments

josephcsible5y ago

Are you sure? That's the path that InCommon has been providing me for new certificates since they switched away from the expiring one.

dylzOP5y ago

On anything with a modern TLS stack, I see this trust chain:

- Leaf cert (your cert)

- InCommon RSA Server CA

- USERTrust RSA Certification Authority (this is/should be the final point)

josephcsible5y ago

That's what my browser shows me too, but it's just because it's ignoring the cross-signed one that chains to AAA. The server is sending it, per InCommon's setup instructions.

1 more reply

j / k navigate · click thread line to collapse