[Faccus] Nexus LDAP OrganizationalSSL certificate type to be replaced by new IntranetSSL certificate

Natasha Jennings njennings at uwaterloo.ca
Tue Aug 2 08:31:54 EDT 2016


What is happening? Following global changes to SSL certificate implementation rules, and due to compliance requirements outlined by our certificate provider (GlobalSign), on-campus systems that use SSL certificates and are located in a private subnet (172.16.x.x) must discontinue use of the OrganizationalSSL certificates and switch to new IntranetSSL certificates.



When is this happening? Systems must switch to the new IntranetSSL certificates by Monday, October 10.



Known issue: A client might refuse to connect to an LDAPS server if the client cannot verify the validity of the certificate on the server. This issue is easily resolved by importing the IntranetSSL Root & Intermediate certificates chain to the operating system's [local] certificate store.



Please note:

* Earlier this year, the required chain of certificates was made part of the Default Domain Policy in production. As a result, all Windows machines that are joined to the Nexus domain already have those certificates imported to their certificate store and will automatically trust IntranetSSL certificates.

* Non-domain joined and/or non-Windows machines must import the certificates chain as noted above. The required certificates chain can be downloaded by visiting the additional resources link below.



What you need to do: All groups must identify and validate applications and systems that use LDAPS to connect to Nexus Domain Controllers (DCs) (i.e. they connect directly to a DC by its name or via one of the following aliases: nexus.uwaterloo.ca, ldap-nexus.uwaterloo.ca, or ldap.uwaterloo.ca), and ensure that the IntranetSSL Root & Intermediate certificates chain was imported to the operating system's [local] certificate store on any systems that require it.



Additional resources:

* About IntranetSSL certificates, https://uwaterloo.ca/information-systems-technology/services/tlsssl-certificate-management/tlsssl-certificate-requirements/intranetssl-certificates

* Required certificates chain details, https://support.globalsign.com/customer/portal/articles/2084405-intranetssl-root-intermediate-certificates



Questions or concerns? Please contact Mike Patterson, mike.patterson at uwaterloo.ca.



Recipients of this message: isthd, ist-staff, wnag, faccus




Natasha Jennings
Communications Officer
Information Systems & Technology (IST)
University of Waterloo
519-888-4567 ext. 47951