IT Services

Oxford Nexus certificate renewal 8 May 2012 - important information


The Oxford Nexus email, calendaring, address book (etc.) service is built upon Microsoft Exchange. One of the mechanisms to keep your data secure when you are using the service is to use server certificates that your client software should recognise and trust.

From time to time these certificates must be renewed. However, JANET, the UK's education and research network, is now issuing a different type of certificate to that which we had before. This change will not be noticed by most people. However, some software may alert you to the change.

From 7 am on Tuesday 8 May 2012, any software or device that you are using may notice a security change.
You may be prompted to restart your software. Please do so, and the prompt should disappear. If you are using a hand-held device (e.g. smart phone), you should restart it if any prompts or error messages are seen.

We have had reports of some devices taking some time to accept the new certificate. Please allow three hours for your device to work with the new certificate.

If, after three hours, your device or software is still unable to work with the new certificate, or you encounter a persistent security prompt, please contact the OUCS Help Centre for advice. The Help Centre will need to know:

1. Technical details for IT Support Staff

The following Nexus certificates are being replaced:

The JANET CA has changed since the Nexus certificates were originally issued. The new CA root is ‘AddTrust External CA Root’; the old one was ‘GTE CyberTrust Global Root’. The new root certificate is already widely used and we do not anticipate it causing major problems. However, the change may cause some mobile devices to give (temporary) errors about the certificate not being trusted or not being able to connect to the server. For any mobile/hand-held device errors please restart the device.

Some UNIX IMAP email clients are likely to show some certificate errors/trust messages. Some older systems assume that the user will take on the responsibility of updating certificate chains etc. Most modern Linux systems, e.g. Ubuntu, Debian, CentOS, etc., should automatically update.

If this affects you when using a Unix system, the system administrator (possibly you) needs to install the root Comodo CA certificate into the trusted certificate store. Visit for more details.
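One way for a Unix administrator to check whether the local trust store already holds the new root named above, before users start reporting prompts. This is an added example, not part of the original notice; the function names and the sample store entry are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

NEW_ROOT_CN = "AddTrust External CA Root"  # new root named in the notice


def subject_cn(cert):
    """Return the commonName from a cert dict as produced by get_ca_certs()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def root_status(ca_certs, wanted_cn, now=None):
    """Classify a root as 'trusted', 'expired' or 'missing' in a trust store."""
    now = now or datetime.now(timezone.utc)
    status = "missing"
    for cert in ca_certs:
        if subject_cn(cert) != wanted_cn:
            continue
        expiry = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        if expiry > now:
            return "trusted"
        status = "expired"  # present, but clients will still reject the chain
    return status


def system_ca_certs():
    """Load the platform default trust store.

    Certificates that live only in a hashed capath directory are loaded
    lazily by OpenSSL and may not appear here; a bundle file always does.
    """
    return ssl.create_default_context().get_ca_certs()


# Constructed sample entry in get_ca_certs() format (dates are made up).
SAMPLE_STORE = [{
    "subject": ((("countryName", "SE"),),
                (("commonName", NEW_ROOT_CN),)),
    "notBefore": "Jan  1 00:00:00 2000 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}]

if __name__ == "__main__":
    print(NEW_ROOT_CN, "->", root_status(system_ca_certs(), NEW_ROOT_CN))
```

A result of `missing` or `expired` on a client machine means the root has to be installed or refreshed in the trusted certificate store, as described above.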