Category Archives: Security

A couple of certificates need to be renewed

I’m working on renewing the certificates. The new ones should be StartSSL™ Verified, which brings a couple of advantages (valid for two years, multiple domains in one cert etc.) and a slight disadvantage (they are not free anymore).

Update: The new certificate is in place. It’s valid for 2 years and has the following fingerprints:
SHA1: A8:22:15:A3:18:3D:AF:07:43:24:9C:9E:83:95:50:AC:15:17:90:53
MD5: D4:2F:D9:5F:70:BC:FD:AA:C4:EB:8F:F5:63:10:BA:3D

Certificate renewal – thiessen.im

A certificate will be replaced this week since it has expired.

The fingerprints are listed below so you can verify that it is safe to accept the new one:

thiessen.im:
SHA1 Fingerprint=9F:57:4E:D7:14:74:8B:99:C7:57:5D:DD:DF:79:DE:34:27:FF:61:8A
MD5 Fingerprint=93:B2:7E:AB:C2:6D:05:F0:50:20:89:9C:7B:FD:97:4B

This post will be updated once the new certificate is in place. As always, please let us know if you encounter any kind of problems.

Update: Done

Certificate renewal

A couple of certificates will be replaced today since they have expired.

The fingerprints are listed below so you can verify that it is safe to accept the new ones:

thiessen.it and im.thiessen.it:
SHA1 Fingerprint=B6:61:1A:41:6E:94:1F:11:C1:CD:53:EE:66:BB:DF:36:B9:1E:BA:01
MD5 Fingerprint=35:D0:93:20:86:89:A5:4D:FE:5F:F6:E8:7F:3F:80:B0

jabber.thiessen.it:
SHA1 Fingerprint=5D:72:1C:D2:15:5A:64:5C:73:9A:68:6A:04:4C:A0:3E:B3:BD:29:D0
MD5 Fingerprint=28:81:BD:CB:0E:68:08:1F:E9:B5:6B:1F:C2:A7:47:CB

thiessen.org:
SHA1 Fingerprint=0F:C4:17:FE:1D:CB:46:0E:39:A8:BF:69:F3:87:8D:57:4E:B8:42:EC
MD5 Fingerprint=8C:FA:B4:E8:2B:41:02:0C:61:2E:83:47:7B:7F:6A:CB

This post will be updated once the new certificates are in place. As always, please let us know if you encounter any kind of problems.

Update: The new certificates have been applied.
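
One way to check a certificate against fingerprint lines published in the format used in these posts, as an added example that is not part of the original posts. The function names are hypothetical and the sample certificate is constructed placeholder data, not one of the certificates listed here.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a certificate: placeholder bytes in a real PEM
# wrapper. A fingerprint is just a hash over the DER bytes, so this suffices.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-sample-der-bytes-" * 8)

_LINE = re.compile(r"\s*(SHA1|MD5)(?:\s+Fingerprint\s*=|:)\s*([0-9A-Fa-f:]+)\s*$")


def parse_published(line):
    """Parse 'SHA1 Fingerprint=AA:BB:..' or 'SHA1: AA:BB:..' into (algo, digest)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a fingerprint line: {line!r}")
    algo = m.group(1).lower()
    digest = bytes.fromhex(m.group(2).replace(":", ""))
    # Reject truncated values so a partial paste can never count as a match.
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError(f"wrong length for {algo}: {line!r}")
    return algo, digest


def fingerprint(pem, algo):
    """Colon-separated upper-case fingerprint of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexed = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def matches_published(pem, published_lines):
    """True only if every published fingerprint matches the certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    checked = 0
    for line in published_lines:
        algo, want = parse_published(line)
        if not hmac.compare_digest(hashlib.new(algo, der).digest(), want):
            return False
        checked += 1
    return checked > 0  # an empty list proves nothing


if __name__ == "__main__":
    lines = ["SHA1 Fingerprint=" + fingerprint(SAMPLE_PEM, "sha1"),
             "MD5 Fingerprint=" + fingerprint(SAMPLE_PEM, "md5")]
    print(matches_published(SAMPLE_PEM, lines))
```

For a server that speaks TLS directly on its port, `ssl.get_server_certificate((host, port))` returns the PEM string to pass in.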

Certificate revoked

Yesterday our certificate signed by the XMPP Intermediate Certification Authority was revoked.
Supposedly it was ‘misused’ as an HTTPS certificate in order to secure the ejabberd administration panel as well as web access to several MUCs. StartCom told us that wildcard certificates issued by the XMPP ICA are not meant for (public) HTTPS usage.

This information is contrary to what is published in the Certificate Issuance HOWTO, which is based on the StartCom policy in this regard.

For the domain, provide the DNS hostname of the XMPP server. For example, if your organization is called “example.com” but your XMPP server is hosted at “im.example.com”, type “im” in the first box at the StartCom interface, type “example” in the second box, and select “com” from the dropdown list at the end of the “Domain: xmpp:” line. You can also request a wildcard certificate such as *.example.com (type “*” in the first box, type “example” in the second box, and select “com” from the dropdown list). A wildcard domain enables you to use the same certificate for multiple components (e.g., “groupchat.example.com” as well as “im.example.com”). You can even use a wildcard certificate for a domain such as “www.example.com”. NOTE: if your top-level domain is not available in the dropdown list, please send email to <mailto:certmaster@xmpp.org>.

This morning we applied for new certificates and are awaiting approval. We are sorry for the inconvenience and will update you once the certificates have been exchanged.

Update: The certificates have been exchanged successfully. Have a nice stay!