On May 30th 2020 (10:48am GMT / 6:48am EDT / 3:48am PDT), several root & intermediate certificates that were part of the Comodo family expired.
The following certificates expired on May 30 10:48:38 2020 GMT:
- AddTrust External CA Root (Type:Root) (Serial: 1)
- USERTrust RSA Certification Authority (Type:Intermediate) (Serial: 13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36)
- COMODO RSA Certification Authority (Type:Intermediate) (Serial: 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22)
Thousands of web sites, services and APIs that present certificates issued by this vendor may have experienced trouble negotiating incoming secure connections from their clients. The exact issues, if any, depended on a mix of server configuration, client version, and client configuration.
A client validating one of the affected certificates had three chain "paths" available to do so successfully. Path A became invalid once the certificates above expired; paths B and C remain valid:
Path A (NOW EXPIRED):
- AddTrust External CA Root (Type:Root) (Serial: 1) : NOW EXPIRED
- USERTrust RSA Certification Authority (Type:Intermediate) (Serial: 13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36) : NOW EXPIRED
- Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
- End Entity (Type:Leaf Certificate)
Path B:
- USERTrust RSA Certification Authority (Type:Root) (Serial: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d)
- Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
- End Entity (Type:Leaf Certificate)
Path C:
- AAA Certificate Services (Type:Root) (Serial: 1)
- USERTrust RSA Certification Authority (Type:Intermediate) (Serial: 39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95)
- Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
- End Entity (Type:Leaf Certificate)
To address:
- Ensure clients update their local CA roots trust store to include one or both of the (Type:Root) certificates from Path B or Path C above.
- In the chain bundle you serve, include the (Type:Intermediate) certificates from Path B and/or Path C above, so that clients can reach one of the two valid (Type:Root) certificates in their local CA roots trust store.
If a server is sending a bundled chain of certificates and it includes the above NOW EXPIRED certificates from Chain Path A, AND the client is using an older OpenSSL version (<1.1.0), AND the client's local CA roots trust store has the "AddTrust" root certificate, it will trigger a bug where the client will report an Expired error.
To address, do any/some/most of the following:
- Update the server to no longer include the above two expired certificates in the chain bundle.
- Update the OpenSSL library software version.
- Edit the local CA roots trust store and remove/disable/blacklist the "AddTrust External CA Root" root certificate.
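A check a server operator can run over the chain bundle they serve, added here as an example that is not from the original post: it walks the DER of each PEM certificate using only the Python standard library, reports serial and notAfter, and flags the two serials named above for removal. The sample bundle is constructed stub DER, not real certificates; real ones carry the remaining tbsCertificate fields, which this walker never needs to reach.

```python
import base64, re
from datetime import datetime, timezone

# Serials the post lists as expired on 2020-05-30, in the colon-hex form openssl prints
# (the AddTrust root's serial "1" is a single byte, so it shows as "01").
EXPIRED_SERIALS = {"01": "AddTrust External CA Root",
                   "13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36": "USERTrust RSA CA (AddTrust cross-sign)"}

def _tlv(buf, off):  # (tag, value_start, value_end) of the DER element starting at buf[off]
    tag, n = buf[off], buf[off + 1]
    if n >= 0x80:                                   # long form: low 7 bits = number of length bytes
        k = n & 0x7F; n = int.from_bytes(buf[off + 2:off + 2 + k], "big"); off += k
    return tag, off + 2, off + 2 + n

def cert_serial_and_expiry(der):  # walk Certificate -> tbsCertificate -> serialNumber, validity.notAfter
    off = _tlv(der, _tlv(der, 0)[1])[1]             # into Certificate SEQUENCE, then into tbsCertificate
    tag, vs, ve = _tlv(der, off)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version precedes the serial
        tag, vs, ve = _tlv(der, ve)
    serial = der[vs:ve].lstrip(b"\x00") or b"\x00"  # drop DER sign padding, as openssl does
    off = ve
    for _ in range(2):                              # skip signature AlgorithmIdentifier and issuer Name
        off = _tlv(der, off)[2]
    _, vs, _ = _tlv(der, off)                       # validity SEQUENCE { notBefore, notAfter }
    tag, a, b = _tlv(der, _tlv(der, vs)[2])         # second element is notAfter
    s = der[a:b].decode("ascii")                    # 0x17 UTCTime (YYMMDD...) or 0x18 GeneralizedTime (YYYYMMDD...)
    s = (("19" if int(s[:2]) >= 50 else "20") + s) if tag == 0x17 else s
    return serial.hex(":"), datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_bundle(pem, now=None):  # one (serial, notAfter, verdict) per certificate in a PEM chain bundle
    now = now or datetime.now(timezone.utc)
    report = []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S):
        serial, not_after = cert_serial_and_expiry(base64.b64decode("".join(b64.split())))
        verdict = ("REMOVE: " + EXPIRED_SERIALS[serial] if serial in EXPIRED_SERIALS
                   else "EXPIRED" if not_after <= now else "ok")
        report.append((serial, not_after, verdict))
    return report

# Constructed sample input, not real certificates: stub DER carrying only the fields the walker reads.
def _der(tag, body):
    n = len(body); k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body
def _stub_cert(serial_hex, not_after):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex(serial_hex)) + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after)))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
SAMPLE_BUNDLE = (_stub_cert("13ea28705bf4eced0c36630980614336", b"200530104838Z")   # expired cross-sign
                 + _stub_cert("07", b"190101000000Z")                               # some other expired cert
                 + _stub_cert("42", b"300101000000Z"))                              # still valid
```

On a live server, feed it the PEM bundle your TLS configuration points at (or the chain captured from the server) and remove any certificate reported as REMOVE or EXPIRED.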
Great! The chain with AAA works also on old systems with old openssl, so it has the higher level of compatibility, if needed.