Netscape 4.05 and Prior: VeriSign Root CA Expiration

Product: Strategi - BusinessLink/WEB
Modified Date:


This document addresses the expiration of the VeriSign Root Certificate included in Netscape versions prior to 4.06. This will be of relevance to your organization if the following statements are true:

1) Your website uses SSL
2) Your website certificate was signed by VeriSign
3) Your users may use Netscapes older than version 4.06

This document is based on information derived testing done by ADVANCED BusinessLink, and also from an email sent from VeriSign to its customers. You may have already received such an email from VeriSign, but this documentís purpose is to help clarify the issue. For VeriSign's commentary on the issue, visit their website.

Understanding the Problem

The issue at hand is the VeriSign Root Certificate. When you have VeriSign create your site's public certificate, they sign your Certificate using their own private key. The intention is that users will then be able to know that a third party, VeriSign, has approved your certificate information. When your website is loaded using SSL, the browser uses VeriSign's public key to check if your Certificate is indeed signed by VeriSign.

The problem arrives when you realize that VeriSign's public key included in Netscape 4.05 and earlier expires on December 31st, 1999. What this means is that if such a browser is used to access any website, using SSL, that has its certificate signed by VeriSign, after December 31st, 1999, the user will be told that the VeriSign certificate has expired. They will have the option of continuing on and establishing an SSL session using this expired key, however, they will always receive this error message until they upgrade their VeriSign public key (ie, upgrade to Netscape 4.06 or higher).

Please understand that this is not a Strategi or BusinessLink problem, but a VeriSign problem. Any website, using any webserving software, that has used VeriSign to sign their website's certificate, will have this problem when accessed with the older Netscapes.

Testing at BusinessLink has indicated that Netscape 4.06 or higher contain updated root certificates for VeriSign. The email from VeriSign contains links that will help you perform your own testing if desired.

The Solution

Obviously, the solution is for you to recommend that your users upgrade to Netscape 4.06 or higher. Netscape no longer supports versions 4.0X or earlier, so in effect your users must upgrade to 4.5 or greater.

** End of Technical Support Bulletin **