Allianz Group

Notifications

Notifications Index

2011-02-01

IP Addresses for rootca.allianz.com changed!

As of January 26th 2011 this website (rootca.allianz.com) has moved to a new physical infrastructure. This also implied a change of the IP addresses by which this site can be reached.

DNS entries for rootca.allianz.com (and aliases) have been altered as follows:

  • External DNS (Internet Address) - reachability of this site from the Internet
    old: 194.127.84.114
    new: 194.127.81.235
  • Internal DNS (Intranet Address) - reachability of this site from within the Allianz Corporate Network
    old: 10.96.9.46
    new: 10.97.240.49
Note:
To avoid jeopardizing operational stability this site will still be reachable at its old IP addresses during a transition period until February 28th 2011.

This ensures that vital resources at rootca.allianz.com, esp. CRLs, remain available even for those IT systems that do NOT resolve rootca.allianz.com via DNS but connect statically to the dated IP addresses instead.

Urgent advisory:
Staff responsible for IT systems (including clients) or applications that perform automatic or routine requests to resources at rootca.allianz.com (e.g. servers downloading CRLs or clients downloading the az-catrust.tsl file via CAImpService) are required to make sure by February 28th 2011 that such requests are directed to the proper, current IP addresses!

In particular we recommend checking the following potential trouble spots:
  • dated static IP entries for rootca.allianz.com in config files of servers (e.g. /etc/hosts files on Unix systems) or applications: here the old, dated IP will have to be replaced by the new, current one!
  • dated static host routes for rootca.allianz.com (i.e. for its old IP addresses, see above) on dual-homed servers: here an additional host route for the new IP must be set (or the old one replaced)!
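The first trouble spot above can be checked mechanically. The following is an added example (not Allianz tooling) that parses an /etc/hosts-style file and flags every entry that still pins rootca.allianz.com to one of the retired addresses; the addresses are the ones from this notification, and the sample file content is constructed.

```python
"""Audit static name-to-address entries for rootca.allianz.com in hosts-style files.
Added example, not Allianz tooling; the sample file content at the bottom is constructed.
"""
import ipaddress

HOST = "rootca.allianz.com"
OLD_IPS = {"194.127.84.114", "10.96.9.46"}    # retired after February 28th 2011
NEW_IPS = {"194.127.81.235", "10.97.240.49"}  # current addresses


def parse_hosts(text):
    """Yield (line_no, ip, names) per address line; comments and non-address lines are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line (or a malformed one)
        yield no, fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text, host=HOST, old_ips=OLD_IPS, new_ips=NEW_IPS):
    """Classify every entry for `host` as 'stale', 'current' or 'unknown'.

    'stale' lines still pin a retired address and must be replaced; 'unknown'
    lines point somewhere the notification does not list and need a closer look.
    """
    findings = []
    for no, ip, names in parse_hosts(text):
        if host.lower() not in names:
            continue
        status = "stale" if ip in old_ips else "current" if ip in new_ips else "unknown"
        findings.append({"line": no, "ip": ip, "status": status})
    return findings


# Constructed sample: one dated Intranet entry, one already-updated Internet entry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# pinned during an outage years ago and never removed
10.96.9.46      rootca.allianz.com rootca
194.127.81.235  rootca.allianz.com   # external address, already updated
10.20.30.40     someserver.ind.allianz
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['status']}")
```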

2010-12-01

Dissemination of Allianz Group Infrastructure3 CA Certificates picking up ...

Owing to the impending expiry of Allianz Group Infrastructure1 CA (the prevalent issuer CA for Allianz Group Intranet server certificates in recent years, which will expire in Dec. 2011), customers whose Infrastructure1 certificates expire are advised to renew them from Allianz Group Infrastructure3 CA (end of life in 2021), which guarantees them a full 2-year validity period and helps avoid a mass expiry of Infrastructure1 certificates on Dec. 30 2011.

This means that a great number of Allianz Group Infrastructure1 CA certificates "out there" are now fairly rapidly being replaced by successor certificates from a different issuer CA (Allianz Group Infrastructure3 CA), which in turn chains up to a different Root CA (Allianz Group Root CA II instead of Allianz Group Root CA). Thus the trust chain typically changes as follows:

         Server Certificate               Intermediate CA                          Root CA
Old:     someserver.ind.allianz  ----->  Allianz Infrastructure 1 CA       ----->  Allianz Group Root CA
Current: someserver.ind.allianz  ----->  Allianz Group Infrastructure3 CA  ----->  Allianz Group Root CA II
Future:  someserver.ind.allianz  ----->  Allianz Infrastructure CA V       ----->  Allianz Root CA III

How can this trend affect you?

While our direct customers are well advised as to what CA certificates they need to import into the certificate stores on their SSL-enabled components (e.g. a webserver or a proxy server), these components in turn are accessed by SSL clients who "all of a sudden" will have to verify the changed trust chain of this component's new server certificate. Such SSL clients can be individual workstations but also servers offering critical services to a large user community. While a great number of clients (Windows PCs of the larger German OEs) are automatically supplied with all CA certificates trusted by Allianz Group (our own and 3rd party), a good number, especially servers, are not. In such cases it is the respective server administrators' responsibility to keep the certificate stores of their servers updated with the CA certificates required to verify the certificates of other servers they need to establish an SSL communication with. If they fail to do so, then with some bad luck they have a "time bomb" ticking under their hands that will go off on the completely extraneous and unforeseeable event of some other server admin renewing their certificate with the best of intentions.

What should server admins do?

a) If your server acts as an ssl client ...

As you cannot always know in advance when servers change their certificates and whether these will come from a different CA, you are urged to establish trust for at least both of our Allianz Root CAs. (There are still SSL clients "out there" who only trust the old Allianz Root CA even though Allianz Group Root CA II has been around since 2006.) In theory trusting the Root CAs should be (and in most cases is) the whole story, because servers are meant to present to the client not only their own certificate but along with it all the intermediate certificates required for its verification. Thus the only CA certificate needed on the client to complete verification along the trust chain is the Root CA certificate. Reality defies theory in two ways:
  • not all servers are correctly configured so as to present the intermediate certificates as well.
  • even if they do, there may be SSL client implementations that, for verification to succeed, rely solely on those intermediate certificates already installed in their own key store.

b) If your server authenticates SSL Clients ...

Possibly your server authenticates clients based on client certificates. These might also be web service client certificates issued by Allianz Group Infrastructure3 CA. In this case your server definitely needs to "know" (i.e. have added to its cert store) not only the Root CA (Allianz Group Root CA II) but also the Intermediate CA (Allianz Group Infrastructure3 CA) certificate required to verify the client's web service certificate.

Conclusion: even if you do not authenticate clients yourself, to be on the safe side install, in addition to the Root CA certificates, the Allianz Group Infrastructure1 CA and Allianz Group Infrastructure3 CA Intermediate CA certificates into your servers' key store too!
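To make the two "reality defies theory" cases and the client-authentication case concrete, here is an added illustration (not Allianz code) that models chain building by subject and issuer name only, using the three chains from the table above; no real certificates are involved, and the key store contents fed to it are assumed.

```python
"""Name-based chain-building model for the trust chains in the notice above.
Added illustration, not Allianz code: certificates are reduced to subject
names and issuer links, with no keys, signatures or real certificates.
"""

# Root CA names taken from the table above (model data, not real certificates).
ROOTS = {"Allianz Group Root CA", "Allianz Group Root CA II", "Allianz Root CA III"}

# The three chains from the table, each as [leaf, intermediate, root].
CHAINS = {
    "old": ["someserver.ind.allianz", "Allianz Infrastructure 1 CA", "Allianz Group Root CA"],
    "current": ["someserver.ind.allianz", "Allianz Group Infrastructure3 CA", "Allianz Group Root CA II"],
    "future": ["someserver.ind.allianz", "Allianz Infrastructure CA V", "Allianz Root CA III"],
}


def build_path(leaf, issuers, available, trusted_roots):
    """Follow issuer links from `leaf` using only certificates in `available`.

    Returns the path leaf..root once a trusted root is reached, else None.
    """
    path = [leaf]
    while path[-1] not in trusted_roots:
        parent = issuers.get(path[-1])
        if parent is None or parent not in available or parent in path:
            return None  # missing link, untrusted top of chain, or a loop
        path.append(parent)
    return path


def peer_verifies(chain, store, peer_sends_intermediates=True, strict_client=False):
    """Can a verifier whose key store holds the CA names in `store` validate `chain`?

    peer_sends_intermediates=False models a server that omits its intermediate
    (the first "reality defies theory" case) or a client-certificate holder that
    presents only its own certificate. strict_client=True models an SSL client
    that ignores presented intermediates and completes the chain only from its
    own key store (the second case).
    """
    issuers = dict(zip(chain, chain[1:]))
    presented = {chain[0]} | (set(chain[1:-1]) if peer_sends_intermediates else set())
    available = set(store) | ({chain[0]} if strict_client else presented)
    trusted_roots = set(store) & ROOTS
    return build_path(chain[0], issuers, available, trusted_roots) is not None


def recommended_store():
    """Key store contents the conclusion above recommends for a server."""
    return {"Allianz Group Root CA", "Allianz Group Root CA II",
            "Allianz Infrastructure 1 CA", "Allianz Group Infrastructure3 CA"}
```

A store holding only the old root verifies the old chain but fails on the current one, which is the "time bomb"; the recommended store survives both the misconfigured-server and the strict-client case.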

What about Allianz Group Infrastructure 3 CA and Allianz Group Infrastructure4?

  • Allianz Group Infrastructure3 CA chains up to Allianz Group Root CA II and was intended as disaster backup for Allianz Group Infrastructure2.
  • Allianz Group Infrastructure4 CA chains up to Allianz Group Root CA II and was intended as disaster backup for Allianz Group Infrastructure1; it was never needed as such and practically never used to issue end-entity certificates.

You are unlikely to ever come across a certificate issued by them, but to be on "the very safe side", add them as Intermediate Certs to your certificate store as well.


© 2016 Allianz AMOS SE - A-IT00SEC04 PKI-Engineering   PKI-Support@Allianz.com