On May 30th 2020 (10:48am GMT / 6:48am EDT / 3:48am PDT), several root & intermediate certificates that were part of the Comodo family expired.
The following certificates expired on May 30 10:48:38 2020 GMT:
- AddTrust External CA Root (Type:Root) (Serial: 1)
- USERTrust RSA Certification Authority (Type:Intermediate) (Serial: 13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36)
- COMODO RSA Certification Authority (Type:Intermediate) (Serial: 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22)
Thousands of web sites / services / APIs which present certificates that were issued by the vendor may have experienced trouble negotiating incoming secure connections from their clients. Exact issues, if any, depended on a mix of server configuration, client version, and client configuration.
A client validating any of those certificates had access to 3 "paths" to do so successfully. One of those paths (A) became invalid after the above certificates expired:
Path A (now invalid):
- AddTrust External CA Root (Type:Root) (Serial: 1) : NOW EXPIRED
- USERTrust RSA Certification Authority (Type:Intermediate) (Serial: 13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36) : NOW EXPIRED
- Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
- End Entity (Type:Leaf Certificate)
Path B:
- USERTrust RSA Certification Authority (Type:Root) (Serial: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d)
- Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
- End Entity (Type:Leaf Certificate)
Path C:
- AAA Certificate Services (Type:Root) (Serial: 1)
- USERTrust RSA Certification Authority (Type:Intermediate) (Serial: 39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95)
- Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
- End Entity (Type:Leaf Certificate)
To address:
- Ensure the client updates its local CA root trust store to include one or both of the (Type:Root) certificates from Path B or Path C above.
- In the chain bundle you serve, include the (Type:Intermediate) certificates from Path B and/or Path C above to encourage your clients to reach one of the two valid (Type:Root) certificates in their local CA root trust store.
If a server is sending a bundled chain of certificates and it includes the above NOW EXPIRED certificates from Chain Path A, AND the client is using an older OpenSSL version (<1.1.0), AND the client's local CA roots trust store has the "AddTrust" root certificate, it will trigger a bug where the client will report an Expired error.
To address, do any/some/most of the following:
- Update the server to no longer include the above 2 expired certificates in the chain bundle.
- Update the OpenSSL library software version.
- Edit the local CA roots trust store and remove/disable/blacklist the "AddTrust External CA Root" root certificate.
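The three fixes above can be reproduced offline with a small Go program. This is an added illustration, not code from the original post, from Sectigo or from OpenSSL: it mints a throwaway hierarchy named after the post's certificates (keys, serials and dates are invented, the intermediate is called "Sectigo RSA Domain Validation Secure Server CA", and path C's AAA-signed USERTrust cross-certificate is left out), then validates the leaf two ways. `legacyVerify` is a hand-written model of the pre-1.1.0 OpenSSL behaviour the post describes (walk the served chain first, consult the trust store only when the served chain runs out, stop at the first trusted root reached); `modernVerify` is Go's own crypto/x509, which explores every candidate issuer. The helper names (`mint`, `build`, `issuerIn`, `pruneExpired`) are mine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint issues an invented certificate, self-signed unless parent is given. Reusing key under a
// different parent makes a cross-signed cert (same subject and key, different issuer), which is
// exactly how the post's USERTrust intermediates relate to the USERTrust root.
func mint(cn string, serial int64, isCA bool, notAfter time.Time, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-20 * 365 * 24 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// build models the post's hierarchy with made-up keys, serials and dates: path A (expired AddTrust
// root and expired AddTrust-signed USERTrust cross-cert) and path B (USERTrust root). served is the
// bundle an unfixed server sends; trusted is the client's root store (AddTrust, USERTrust, AAA).
func build(now time.Time) (leaf *x509.Certificate, served, trusted []*x509.Certificate) {
	expired, valid := now.Add(-time.Hour), now.Add(5*365*24*time.Hour)
	addTrust, addTrustKey := mint("AddTrust External CA Root", 1, true, expired, nil, nil, nil)
	userTrust, userTrustKey := mint("USERTrust RSA Certification Authority", 2, true, valid, nil, nil, nil)
	cross, _ := mint("USERTrust RSA Certification Authority", 3, true, expired, userTrustKey, addTrust, addTrustKey)
	aaa, _ := mint("AAA Certificate Services", 1, true, valid, nil, nil, nil) // path C root; its cross-cert omitted
	sectigo, sectigoKey := mint("Sectigo RSA Domain Validation Secure Server CA", 4, true, valid, nil, userTrust, userTrustKey)
	leaf, _ = mint("www.example.com", 5, false, valid, nil, sectigo, sectigoKey)
	return leaf, []*x509.Certificate{sectigo, cross}, []*x509.Certificate{addTrust, userTrust, aaa}
}

// issuerIn returns the first cert in pool whose subject matches c's issuer and whose key verifies c.
func issuerIn(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if bytes.Equal(p.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}

// legacyVerify is a model (not OpenSSL's code) of the pre-1.1.0 behaviour the post describes: extend
// the chain from the served bundle first, consult the trust store only when the served certs run out,
// and stop at the first trusted root reached, so the expired AddTrust root wins over the valid
// USERTrust root in the same store. It backtracks only when no trusted issuer is found at all.
func legacyVerify(leaf *x509.Certificate, served, trusted []*x509.Certificate, now time.Time) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for next := issuerIn(leaf, served); next != nil && len(chain) < 8; next = issuerIn(next, served) {
		if next.Equal(chain[len(chain)-1]) { // bundle contained a self-signed root
			break
		}
		chain = append(chain, next)
	}
	for len(chain) > 0 {
		top := chain[len(chain)-1]
		root := issuerIn(top, trusted)
		if root == nil {
			chain = chain[:len(chain)-1] // alternative chain: retry without the top served cert
			continue
		}
		if !root.Equal(top) {
			chain = append(chain, root)
		}
		for _, c := range chain {
			if now.After(c.NotAfter) {
				return chain, fmt.Errorf("certificate has expired: %s", c.Subject.CommonName)
			}
		}
		return chain, nil
	}
	return nil, fmt.Errorf("unable to get local issuer certificate")
}

// modernVerify uses Go's crypto/x509, which tries every candidate issuer (trust store first, then
// served certs) and succeeds if any path validates: what the post's "update OpenSSL" fix buys you.
func modernVerify(leaf *x509.Certificate, served, trusted []*x509.Certificate, now time.Time) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), CurrentTime: now}
	for _, c := range trusted {
		opts.Roots.AddCert(c)
	}
	for _, c := range served {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// pruneExpired is the server-side fix from the post: serve only certificates that are still valid.
func pruneExpired(bundle []*x509.Certificate, now time.Time) (kept []*x509.Certificate) {
	for _, c := range bundle {
		if !now.After(c.NotAfter) {
			kept = append(kept, c)
		}
	}
	return kept
}

func main() {
	now := time.Now()
	leaf, served, trusted := build(now)
	c, err := legacyVerify(leaf, served, trusted, now)
	fmt.Println("legacy, expired cross-cert served:   depth", len(c), "err:", err)
	c, err = legacyVerify(leaf, pruneExpired(served, now), trusted, now)
	fmt.Println("legacy, bundle pruned on server:     depth", len(c), "err:", err)
	c, err = legacyVerify(leaf, served, trusted[1:], now) // store without AddTrust
	fmt.Println("legacy, AddTrust removed from store: depth", len(c), "err:", err)
	c, err = modernVerify(leaf, served, trusted, now)
	fmt.Println("modern verifier, nothing changed:    depth", len(c), "err:", err)
}
```

Run it with `go run`: the first legacy case reports the expired USERTrust cross-certificate, while pruning the served bundle (fix 1), switching to the modern verifier (fix 2) or dropping AddTrust from the store (fix 3) all produce the 3-deep chain ending at the USERTrust root. The model also shows why fix 3 works even though the server still sends the expired cross-certificate: once no trusted issuer exists for it, the validator backs off one certificate and finds the USERTrust root for the Sectigo intermediate.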
@asurak Thanks, done.