I think you are correct. I and another library went and got a re-issued cert from ipsCA, stuck it in ezproxy, and found that Firefox as well as opera gave a security warning. (Actually, Opera never did work with the old ipsCA cert either.) There is also correspondence between Mozilla and ipsCA, culminating in a note that Mozilla won't be activating the ipsCA cert, since they are past the deadline. I was interested from the language that there seemed to be a way of activating certs rather than just putting them in there; perhaps you are seeing "inactive" certs from ipsCA? -----Original Message----- From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Godmar Back Sent: Monday, January 04, 2010 2:52 PM To: [log in to unmask] Subject: Re: [CODE4LIB] ipsCA Certs Hi, in my role as unpaid tech advisor for our local library, may I ask a question about the ipsCA issue? Is my understanding correct that ipsCA currently reissues certificates [1] signed with a root CA that is not yet in Mozilla products, due to IPS's delaying the necessary vetting process [2]? In other words, Mozilla users would see security warnings even if a reissued certificate was used? The reason I'm confused is that I, like David, saw a number of still valid certificates from "IPS Internet publishing Services s.l." already shipping with Firefox, alongside the now-expired certificate. But I suppose those certificates are for something else and the reissued certificates won't be signed using them? Thanks, - Godmar [2] https://bugzilla.mozilla.org/show_bug.cgi?id=529286 [1] http://certs.ipsca.com/Support/hierarchy-ipsca.asp On Thu, Dec 17, 2009 at 4:02 PM, John Wynstra <[log in to unmask]> wrote: > Out of curiosity, did anyone else using ipsCA certs receive notification > that due to the coming expiration of their root CA (December 29,2009), they > would need a reissued cert under a new root CA? > > I am uncertain as to how this new Root CA will become a part of the > browsers trusted roots without some type of user action including a software > upgrade, but the following library website instructions lead me to believe > that this is not going to be smooth. http://bit.ly/53Npel > > We are just about to go live with EZProxy in January with an ipsCA cert > issued a few months ago, and I am not about to do that if I have serious > browser support issue. > > > -- > <><><><><><><><><><><><><><><><><><><> > John Wynstra > Library Information Systems Specialist > Rod Library > University of Northern Iowa > Cedar Falls, IA 50613 > [log in to unmask] > (319)273-6399 > <><><><><><><><><><><><><><><><><><><> >