Dissemination of Allianz Group Infrastructure3 CA Certificates picking up ...
Owing to the impending expiry of Allianz Group Infrastructure1 CA (the prevalent issuer CA for Allianz Group Intranet server certificates in recent years; it will expire in Dec. 2011), customers whose Infrastructure1 certificates expire are advised to renew them from Allianz Group Infrastructure3 CA (end of life in 2021), which guarantees them a full 2-year validity period and helps avoid a mass expiry of Infrastructure1 certificates on Dec. 30 2011.
This means that a great number of Allianz Group Infrastructure1 CA certificates "out there" are now fairly rapidly being replaced by successor certificates from a different Issuer CA (Allianz Group Infrastructure3 CA), which in turn chains up to a different Root CA (Allianz Group Root CA II instead of Allianz Group Root CA). Thus the trust chain typically changes as follows:
          Server Certificate               Intermediate CA                          Root CA
old:      someserver.ind.allianz  ----->  Allianz Infrastructure 1 CA       ----->  Allianz Group Root CA
Current:  someserver.ind.allianz  ----->  Allianz Group Infrastructure3 CA  ----->  Allianz Group Root CA II
Future:   someserver.ind.allianz  ----->  Allianz Infrastructure CA V       ----->  Allianz Root CA III
How can this trend affect you?
While our direct customers are well advised as to which CA certificates they need to import into the certificate stores on their SSL-enabled components (e.g. a webserver or a proxy server), these components in turn are accessed by SSL clients who "all of a sudden" will have to verify the changed trust chain of this component's new server certificate. Such SSL clients can be individual workstations but also servers offering critical services to a large user community. While a great number of clients (Windows PCs of the larger German OEs) are automatically supplied with all CA certificates trusted by Allianz Group (our own and 3rd party), a good number, especially servers, are not. In such cases it is the respective server administrators' responsibility to keep the certificate stores of their servers updated with the CA certificates required to verify the certificates of other servers they need to establish SSL communication with. If they fail to do so, then with some bad luck they have a "time bomb" ticking under their hands that will go off on the completely extraneous and unforeseeable event of some other server admin renewing their certificate with the best of intentions.
What should server admins do?
a) If your server acts as an ssl client ...
As you cannot always know in advance when servers change their certificates and whether these will come from a different CA, you are urged to establish trust for at least our 2 Allianz Root CAs. (There are still SSL clients "out there" who only trust the old Allianz Root CA even though Allianz Group Root CA II has been around since 2006.) In theory, trusting the Root CAs should be (and in most cases is) the whole story, because servers are meant to present to the client not only their own certificate but along with it all the intermediate certificates required for its verification. Thus the only CA certificate needed on the client to complete verification along the trust chain is the Root CA certificate. Reality defies theory in two ways:
1) Not all servers are correctly configured so as to present the intermediate certificates as well.
2) Even if they do, there are SSL client implementations that, for verification to succeed, rely solely on the intermediate certificates already installed in their own key store and ignore the ones presented by the server.
b) If your server authenticates SSL Clients ...
Possibly your server authenticates clients based on client certificates. These might also be webservice client certificates issued by Allianz Group Infrastructure3 CA. In this case your server definitely needs to "know" (i.e. have added to its cert store) not only the Root CA (Allianz Group Root CA II) but also the Intermediate CA (Allianz Group Infrastructure3 CA) certificate required to verify the client's webservice certificate.
Conclusion: even if you do not authenticate clients yourself, to be on the safe side install, in addition to the Root CA certificates, the Allianz Group Infrastructure1 CA and Allianz Group Infrastructure3 CA Intermediate CA certificates into your servers' key store too!
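To make the two "reality defies theory" cases and the advice above concrete, here is an added demo (not part of this notice): a throwaway Root -> Intermediate -> server PKI built with the openssl command line tool, then verified from the SSL client's side in the three situations described. The CA names and file names are made up for the demo, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added demo, not from the original notice: a throwaway Root -> Intermediate -> server
# PKI built with the openssl CLI, then verified the way an SSL client would.
# CA names, host name and file names are made up for this demo; openssl must be installed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: one for the two CAs, one for the server (end-entity) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:someserver.ind.allianz\n' > srv.ext

# issue <name> <subject> <ext-file> [<issuer-name>]  (no issuer = self-signed root)
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 -days 3650 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -set_serial 2 \
      -days 730 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
issue root  "/CN=Demo Root CA II"         ca.ext
issue inter "/CN=Demo Infrastructure3 CA" ca.ext  root
issue srv   "/CN=someserver.ind.allianz"  srv.ext inter

# verify_leaf <client trust store> [<extra certs presented by the server>]
# Exit status 0 when the client can build a chain from srv.pem up to a trusted root.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" srv.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" srv.pem >/dev/null 2>&1
  fi
}

# 1) Client trusts only the root; server sends just its own certificate (case 1 in the text).
if verify_leaf root.pem; then echo "1: verified"; else echo "1: FAILED - no intermediate"; fi
# 2) Same client; a correctly configured server presents the intermediate along with its cert.
if verify_leaf root.pem inter.pem; then echo "2: verified"; else echo "2: FAILED"; fi
# 3) The notice's advice: intermediate installed in the client's own store, server sends only its cert.
cat root.pem inter.pem > store.pem
if verify_leaf store.pem; then echo "3: verified"; else echo "3: FAILED"; fi
```

Case 1 fails with "unable to get local issuer certificate", which is exactly the error a server admin sees when a peer renews its certificate under a new intermediate that is missing from the local store; cases 2 and 3 succeed.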
What about Allianz Group Infrastructure 3 CA and Allianz Group Infrastructure4?
- Allianz Group Infrastructure3 CA chains up to Allianz Group Root CA II; it was intended as a disaster backup for Allianz Group Infrastructure2.
- Allianz Group Infrastructure4 CA chains up to Allianz Group Root CA II; it was intended as a disaster backup for Allianz Group Infrastructure1, was never needed as such and has practically never been used to issue end-entity certificates.
You are unlikely to ever come across a certificate issued by them, but to be on "the very safe side", add them as Intermediate Certs to your certificate store as well.