Dueling Thawte Premium Server CA certificates

Why are there two different Thawte Premium Server CA certificates out there?
Thawte distributes one at their root certificates web site:

Serial Number: 36 12 22 96 c5 e3 38 a5 20 a1 d2 5f 4c d7 09 54
Valid From: Wednesday, July 31, 1996
Valid to:  Friday, January 01, 2021
Certificate SHA1 Fingerprint: e0 ab 05 94 20 72 54 93 05 60 62 02 36 70 f7 cd 2e fc 66 66
Key Size: RSA(1024 Bits)

but there is a different version distributed with Redhat, Debian, Firefox, and OS X:

Serial Number: 1 (0x1)
Validity
     Not Before: AugĀ  1 00:00:00 1996 GMT
     Not After : Dec 31 23:59:59 2020 GMT
SHA1 Fingerprint=62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A

If I build a certificate chain for an SSL web server using the one from Thawte’s web site, OS X says the site uses an invalid certificate.

*** Update ***

There ARE 2 different Thawte Premium Server CA certificates:

MD5-signed
SHA1-signed

We’ll see if they tell me why they did that…

*** Update 2 ***

Thawte was required by the browser vendors to sign their CA certs with SHA1 instead of MD5. See here: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AD221

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *