Sectigo/Comodo/USERTrust/AddTrust Certificate Expiry May 30 2020 notes

sectigo.md

Comodo/Sectigo/USERTrust/AddTrust root certificate expiry

On May 30th 2020 (10:48am GMT / 6:48am EDT / 3:48am PDT), several root & intermediate certificates that were part of the Comodo family expired.

The expired certificates

The following certificates expired on May 30 10:48:38 2020 GMT:

• AddTrust External CA Root (Type:Root) (Serial:1)
• USERTrust RSA Certification Authority (Type:Intermediate) (Serial:13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36)
• COMODO RSA Certification Authority (Type:Intermediate) (Serial:27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22)

Impact

Thousands of web sites / services / APIs which present certificates that were issued by the vendor may have experienced trouble negotiating incoming secure connections from their clients. Exact issues, if any, depended on a mix of server configuration, client version, and client configuration.

A client validating any of those certificates had access to 3 "paths" to do so successfully. One of those paths (A) became invalid after the above certificates expired:

Trust Chain Path A: (INVALID)

• AddTrust External CA Root (Type:Root) (Serial:1) : NOW EXPIRED
• USERTrust RSA Certification Authority (Type:Intermediate) (Serial:13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36) : NOW EXPIRED
• Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
• End Entity (Type:Leaf Certificate)

Trust Chain Path B: (VALID)

• USERTrust RSA Certification Authority (Type:Root) (Serial:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d)
• Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
• End Entity (Type:Leaf Certificate)

Trust Chain Path C: (VALID)

• AAA Certificate Services (Type:Root) (Serial:1)
• USERTrust RSA Certification Authority (Type:Intermediate) (Serial:39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95)
• Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
• End Entity (Type:Leaf Certificate)

Problems and solutions

Client reports certificate not issued by trusted Certificate Authority

To address:

Client-side:

Ensure client updates their local CA roots trust store to include one/both of the (Type:Root) certificates in either of the Path B or Path C cases above

Server-side:

In the chain bundle you serve, include the (Type:Intermediate) certificates in path B and/or C above to encourage your clients to reach one of the two valid (Type:Root) certificates in their local CA roots trust store.

OpenSSL-based clients reporting certificate is expired

If a server is sending a bundled chain of certificates and it includes the above NOW EXPIRED certificates from Chain Path A, AND the client is using an older OpenSSL version (<1.1.0), AND the client's local CA roots trust store has the "AddTrust" root certificate, it will trigger a bug where the client will report an Expired error.

To address, do any/some/most of the following:

Server-side:

Update the server to no longer include the above 2 expired certificates in the chain bundle.

Client-side:

Update the OpenSSL library software version.

Edit the local CA roots trust store and remove/disable/blacklist the "AddTrust External CA Root" root certificate.

More details

• Andrew Ayer's more detailed blog post
• Sectigo AddTrust External CA Root Expiring May 30, 2020
• Sectigo Chain Hierarchy and Intermediate Roots
• How to Download & Install Sectigo Intermediate Certificates - RSA
• AAA Certificate Services & AddTrust External CA Test Sites

Well this made for an interesting start of the week :(

@ValZapod Thanks. I noted COMODO RSA Certification Authority in the "expired certificates" list.

I'm thinking now of ways to better represent the variations in INVALID and VALID chain paths...