The change to the production SRS and EPP SSL host certificates has been postponed and will now occur during the 5.27 release cycle on Sunday 28th October 2012. The postponement is due to a bug discovered in the version of OpenSSL shipped with the NZRS RIK CPAN libs, in which the CApath is not processed correctly.
This bug prevented RIK version 5.24 from correctly validating certificates signed with the new NZRS CA as intended.
RIK version 5.26, which resolves this issue, has now been published on the NZRS website (https://nzrs.net.nz/srs/rik). We have provided additional steps below to assist registrars in preparing for the certificate changeover on Sunday 28th October 2012.
How to update the NZRS CA certificates:
Registrars using the RIK release 5.26 or above:
- No action required.
Registrars using a RIK release prior to 5.26:
- Download the following file (https://nzrs.net.nz/sites/default/files/srs-ssl-ca-cert_0.crt) and overwrite the copy in your existing RIK.
- Download and install RIK release 5.26 from https://nzrs.net.nz/srs/rik
Registrars using their own SRS or EPP-based systems or the SRS UI:
Download the following CA files and install them into your server’s list of trusted CAs:
Deployment to test environment:
NZRS will re-schedule deployment of the test environment SRS and EPP SSL host certificates for Friday 12th October.
NZRS highly recommends that registrars perform the actions listed above as soon as possible.
If you do not perform the appropriate actions listed above by Friday 12th October in the test environment, or by Sunday 28th October 2012 in the production environment, you may lose your ability to communicate with the .NZ registry systems.