Expiration of Master CA

Common problems and fixes

"SSL peer rejected your certificate as expired" regardless of its listed Expiration: date

Any CSAIL client certificate obtained before July 1, 2012 will not be accepted. Even a certificate whose listed expiration date is as late as June 29, 2013 can be tied to the old Master CA, which is now invalid. You need to obtain new certificates. Follow the link(s) from CertificatesIntro for Firefox and/or any other browser(s) you use.

"Untrusted Connection" / "The certificate is not trusted because the issuer certificate has expired"

This error message means that the website you are trying to connect to still needs an update to its server certificate. If you believe TIG maintains the webserver, please contact help@csail.mit.edu and reference the error message and this page.


CSAIL uses an enterprise certificate authority to authenticate internal Web servers and CSAIL members. It has a hierarchical structure, and at the top of the hierarchy is a certificate called "Master CA". These certificates are issued only for a limited time, to ensure that they are replaced as technology evolves. The current Master CA certificate was issued in 2002 (before the lab merger) and expired July 14, 2012. A replacement Master CA certificate, called "CSAIL Master CA v2", was generated last year, and will be good until 2021.
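The following added example (not part of the original page or of CSAIL's tooling) models why a client certificate is rejected as expired even though its own Expiration: date is in the future: a chain is only valid while every certificate in it is valid. The subject names "client: jdoe" and "CSAIL Client CA" and all dates other than July 14, 2012 and June 29, 2013 are constructed assumptions, and only validity periods are checked, not signatures or revocation.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample chain. Only the Master CA expiry (July 14, 2012) and the
# client expiry (June 29, 2013) come from the page; everything else is assumed.
CHAIN = [
    Cert("client: jdoe", "CSAIL Client CA", utc(2012, 6, 29), utc(2013, 6, 29)),
    Cert("CSAIL Client CA", "Master CA", utc(2008, 1, 1), utc(2014, 1, 1)),
    Cert("Master CA", "Master CA", utc(2002, 1, 1), utc(2012, 7, 14)),
]

def build_path(leaf, pool):
    """Follow issuer names from the leaf up to a self-signed root."""
    by_subject = {c.subject: c for c in pool}
    path = [leaf]
    while path[-1].issuer != path[-1].subject:
        parent = by_subject.get(path[-1].issuer)
        if parent is None or parent in path:
            raise ValueError(f"no issuer found for {path[-1].subject!r}")
        path.append(parent)
    return path

def first_invalid(path, at):
    """Return the first certificate in the path not valid at `at`, else None."""
    for cert in path:
        if not (cert.not_before <= at <= cert.not_after):
            return cert
    return None

def effective_window(path):
    """The chain is usable only where every link's validity period overlaps."""
    return max(c.not_before for c in path), min(c.not_after for c in path)

if __name__ == "__main__":
    path = build_path(CHAIN[0], CHAIN)
    for when in (utc(2012, 7, 1), utc(2012, 7, 16)):
        bad = first_invalid(path, when)
        print(when.date(), "OK" if bad is None else f"rejected: {bad.subject} not valid")
    print("chain usable until", effective_window(path)[1].date())
```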

CSAIL servers were migrated to use public certificates issued by Internet2's InCommon federation. These certificates are signed by Comodo and are trusted by all major browsers and devices. We will continue to support the CSAIL Server CA for internal, self-service server certificates, as the InCommon certificate enrollment process is not self-service.
Topic revision: 16 Jul 2012, ArthurProkosch

MIT Computer Science and Artificial Intelligence Laboratory

