We've been informed that going forward, our SSL wildcard certs will only be valid for 1 year, due to Apple's decision.
Position on 1-Year Certificates - Three, Two, One, Liftoff on One-Year TLS Certificates
https://www.digicert.com/position-on-1-year-certificates/
About upcoming limits on trusted certificates - In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.
https://support.apple.com/en-us/HT211025
I'm curious how others in the group will be dealing with this.
For our Win and Linux servers, new tools are being looked at that will automate the SSL renewal process.
Can we expect any DCM improvements to ease the pain.
Using an a TRCINT *SCKSSL trace, I created a utility that identifies all jobs using SSL, providing the SSLVER and Cipher used.
What I don't have and need a method of confirming the SSL server and CA used.
We only have one wild card server cert, so not that much pain here.
We have many client processes that use various Root and Intermediate CAs.
This is where I see future SSL failures that I cannot foresee.
At a minimum, I would like to see an SSL log that provided:
SSLVER
Cipher
Server cert
Root CA
Int CA
Remote IP
Remote Port
Job Name
Job#
Job user
What kind of RFE should be requested to possibly aid in SSL monitoring?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
As an Amazon Associate we earn from qualifying purchases.