Web Server Certificates:
3.x Root Rollover


About the Nav 3 Root Expiry

Root expiry is a normal part of CA operations - all CA certificates expire.  On July 27 1998 the default Navigator 3 Thawte Root Certificate expires.  The expiration does not affect other browsers, as we have longer-term roots in place for Navigator 4.x and IE 4.x.  Users of Navigator 3 need to go through a 2-minute update process documented here to avoid a warning message when connecting to Thawte certified sites.  Since Thawte has certified more than 24% of the web servers on the Internet [Netcraft], we believe that those 10 to 15% of users still running Nav 3 will rapidly roll their roots over.

When will other CAs be affected?

Different CAs roll their roots over at different times.  We have already rolled over our Nav 4 and IE 4 roots (which is why these are not affected).  Verisign's roots in all browsers up to and including Navigator 4.0x will expire towards the end of 1999.  We believe the same is true for all other CAs.  Navigator 4.5 has newer Verisign roots, as does IE 4.0.  If you switch to a different CA, you will face the same problem in 1999, but it will affect significantly more browsers.  Our server cert enrollment process has included a warning about the expiry and rollover process since February.  We continue to maintain and update the Thawte browser compatibility page at http://www.thawte.com/certs/server/browsers.html.

Is IE 3.x affected?

IE 3.0 didn't include the Thawte root, but it can be installed easily here.  IE 3.01 and IE 3.02, which usually include the root, included the old one, which does expire in July.  However, IE 3.x does not check root expiration, so those browsers will not flag a warning message even after July 27th.  We have included root rollover instructions for IE 3.x purely for completeness.  IE 4.x for the Mac platform ONLY is slightly affected (it ships with both old and new roots; users must delete the old root, leaving the new root).
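
The per-browser behaviour described above, written out as an added JavaScript example (it is not Thawte's browtest.js or browsercheck.exe). The function names, action labels and sample User-Agent strings are constructed for illustration, and the midnight-UTC expiry time is an assumption.

```javascript
// Added illustration of the page's per-browser rules; not Thawte's script.
// The page gives only the date; midnight UTC is an assumption.
const NAV3_ROOT_EXPIRY = new Date(Date.UTC(1998, 6, 27));

// Parse a 1990s-style User-Agent into { family, major, minor, mac }.
function parseUserAgent(ua) {
  const mac = /Mac/i.test(ua);
  // IE sends "Mozilla/x.x (compatible; MSIE n.nn; ...)", so test for it first.
  const ie = /MSIE (\d+)\.(\d+)/.exec(ua);
  if (ie) return { family: "ie", major: +ie[1], minor: +ie[2], mac };
  const nav = /^Mozilla\/(\d+)\.(\d+)/.exec(ua);
  // Any other "compatible" client is not Navigator.
  if (nav && !/compatible/i.test(ua)) {
    return { family: "navigator", major: +nav[1], minor: +nav[2], mac };
  }
  return { family: "unknown", major: null, minor: null, mac };
}

// warns: true/false where the page states it, null where it does not.
function rolloverAdvice(ua, now = new Date()) {
  const b = parseUserAgent(ua);
  if (b.family === "navigator" && b.major === 3) {
    // Warning only after expiry; the secure connection still works.
    return { action: "install-new-root", warns: now >= NAV3_ROOT_EXPIRY };
  }
  if (b.family === "ie" && b.major === 3) {
    // IE 3.0 shipped without the Thawte root; 3.01/3.02 carry the old one
    // but never check root expiration, so they show no warning.
    return b.minor === 0
      ? { action: "install-root", warns: null }
      : { action: "optional-rollover", warns: false };
  }
  if (b.family === "ie" && b.major === 4 && b.mac) {
    // Mac only: ships old and new roots; the old root must be deleted.
    return { action: "delete-old-root", warns: null };
  }
  if (b.major === 4 && b.family !== "unknown") {
    return { action: "none", warns: false }; // longer-term roots in place
  }
  return { action: "unknown-browser", warns: null };
}

// Constructed sample User-Agent strings in the formats these browsers sent.
const SAMPLES = {
  nav3: "Mozilla/3.04 (Win95; I)",
  nav4: "Mozilla/4.05 [en] (Win95; I)",
  ie30: "Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)",
  ie302: "Mozilla/2.0 (compatible; MSIE 3.02; Windows 95)",
  ie4mac: "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)",
};
```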

Managing the Nav 3 Root Expiry

We want to make the rollover process as smooth as possible for web administrators and users.  We recommend you follow these guidelines. It's important that people go through the rollover process before they try to connect to your secure server. We suggest that you use one of the following four methods to assist people with the rollover process, on the page where people switch into secure mode:

  1. Include the following "single-cell table" on the page where people switch into secure mode:

    Thawte Certified Server
    Click here if you are unable to
    connect to our secure server

    This will direct users who do experience problems to a page which details the root rollover process.  You could change the URL to the script listed below in (2) which will automatically check all known browser-related issues and if necessary intelligently walk the customer through the process.

  2. We have created a script which will automatically check the browser version and give instructions for root installation if necessary.  The script can pass users back to your secure server once it has verified the customer browser capability. The URL is http://www.thawte.com/ucgi/browsercheck.exe and it will automatically detect which browser a person is running and display the appropriate instructions.  You can ask it to pass the customer back to a specific secure site by appending "destination=https://www.your.site.com/xxx.html" to the URL.  If you have a destination, and if you want Nav 4.x and IE 4.x clients to be sent straight to that destination without any page, just add "&redirect=1" to the URL. If you link through this, you know all customers will get to your site running a browser that is ready for secure transactions.  For example:

       http://www.thawte.com/ucgi/browsercheck.exe?destination=https://www.botham.co.uk/mailform.htm&redirect=1
       http://www.thawte.com/ucgi/browsercheck.exe?destination=https://certs.netscape.com/&redirect=1  

     
  3. We have a graphic, generated by a script, that can be placed on your page. A different image will be shown, depending on what action the user must take to enable their browser to connect securely. The graphic can be included on your site with the following:

    <A HREF="http://www.thawte.com/ucgi/browsercheck.exe">
    <IMG SRC="http://www.thawte.com/ucgi/showimage.exe" BORDER=0>
    </A>

    This displays a graphic similar to this (live demo):



    Clicking on the graphic will take the browser to the rollover information, or you could change the URL to the script listed above in (2).
     

  4. We have a JavaScript script that you can include in your page that opens a pop-up style window if the user is running Navigator 3.x. The pop-up window gives the user the choice to go to our rollover instructions or to close it. The script can be included in your page by inserting the following within the header section:
    <SCRIPT SRC="http://www.thawte.com/certs/server/rollover/browtest.js"> </SCRIPT>


     

  5. Note that a user only has to do this once, and that Netscape 3 users do not have to restart their browser during the rollover process.
     
  6. Also note that the message users will see is a warning only; they can still connect securely to your site.  Rolling over the root eliminates the warning until 2020 (by which time the user will probably have upgraded his browser).
       
  7. Please send any questions to roots@thawte.com.
© Thawte Consulting 1998