@minaguib
Last active November 5, 2020 11:12
Sectigo/Comodo/USERTrust/AddTrust Certificate Expiry May 30 2020 notes

Comodo/Sectigo/USERTrust/AddTrust root certificate expiry

On May 30th 2020 (10:48 GMT / 06:48 EDT / 03:48 PDT), several root and intermediate (cross-signing) certificates belonging to the Comodo (now Sectigo) family expired.

The expired certificates

The following certificates expired on May 30 10:48:38 2020 GMT:

Impact

Thousands of web sites, services and APIs presenting certificates issued by this vendor may have had trouble negotiating incoming TLS connections from their clients. Whether, and how, a given deployment failed depended on a mix of server configuration (which chain it served), client software version, and client trust-store contents.

A client validating a leaf certificate issued under this hierarchy had three chain-building "paths" available. One of those paths (A) became invalid once the certificates above expired; paths B and C remain valid as long as the client trusts their (Type:Root) certificate:

Trust Chain Path A: (INVALID)

Trust Chain Path B: (VALID)

  • USERTrust RSA Certification Authority (Type:Root) (Serial:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d)
  • Sectigo RSA DV/OV/EV Secure Server CA (Type:Intermediate)
  • End Entity (Type:Leaf Certificate)

Trust Chain Path C: (VALID)

Problems and solutions

Client reports certificate not issued by trusted Certificate Authority

To address:

Client-side:

Ensure the client updates its local CA roots trust store so that it contains at least one of the (Type:Root) certificates from Path B or Path C above.

Server-side:

In the chain bundle you serve, include the (Type:Intermediate) certificate(s) from Path B and/or Path C above, so that clients can build a chain up to one of the two valid (Type:Root) certificates in their local CA roots trust store. Serving the intermediates is what lets a client with an up-to-date trust store validate without ever touching the expired Path A certificates.

OpenSSL-based clients reporting certificate is expired

If a server sends a bundled chain that includes the above NOW EXPIRED certificates from Chain Path A, AND the client uses an older OpenSSL version (<1.1.0), AND the client's local CA roots trust store still contains the "AddTrust External CA Root", the client reports an Expired error. The cause is that pre-1.1.0 OpenSSL builds the chain from the server-supplied certificates first and, having reached the expired AddTrust root, does not retry through the self-signed USERTrust root it also trusts. OpenSSL 1.1.0 made "trusted first" chain building (X509_V_FLAG_TRUSTED_FIRST) the default, so newer clients prefer the trust-store root and validate via Path B regardless of what the server sends.

To address, do any/some/most of the following:

Server-side:

Update the server so that its chain bundle no longer includes the 2 expired certificates above (the cross-signed intermediate and the AddTrust root). Confirm by inspecting the certificates the server actually sends, for example with openssl s_client -showcerts, since a stale bundle on one node or load balancer is enough to reproduce the failure.

Client-side:

Update the OpenSSL library to 1.1.0 or later (or rebuild/relink the affected client against a newer version).

Edit the local CA roots trust store and remove/disable/blacklist the "AddTrust External CA Root" root certificate, so the chain builder can no longer reach it. On Debian/Ubuntu this is done by prefixing the entry in /etc/ca-certificates.conf with "!" and running update-ca-certificates. Without that root in the store, even old OpenSSL falls through to the self-signed USERTrust root (Path B), and the expired cross-sign the server may still send is simply ignored.
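The two server-side fixes above (serve the Path B/C intermediates, and drop the expired Path A certificates from the bundle) amount to filtering a PEM bundle by notAfter and re-ordering what is left leaf-first. The following is an added example, not code from the gist or from Sectigo; it uses only the Python standard library, with a minimal DER reader instead of a third-party X.509 library. The bundle it operates on is constructed inline from toy certificate structures with dummy signatures, and the names ("Example Legacy Root" standing in for the AddTrust root, "Example Root CA" signed by it standing in for the cross-signed USERTrust intermediate) are assumptions for illustration, not the real certificates. The expiry timestamp is the one stated in the notes above.

```python
"""Added example: prune a served chain bundle (PEM) of expired certificates and order the
survivors leaf-first.  Stdlib only.  SAMPLE_BUNDLE is constructed here from toy X.509
structures with dummy signatures; the names are stand-ins, not the real Sectigo/USERTrust/
AddTrust certificates."""
import base64
import re
from datetime import datetime, timezone

OID_CN = b"\x55\x04\x03"                                  # id-at-commonName (2.5.4.3)
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption

# --- minimal DER encoder, only what the toy bundle needs ------------------------------
def der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def name(cn):   # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); a single CN here
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def utctime(dt):  # UTCTime, YYMMDDHHMMSSZ
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def toy_cert(subject, issuer, not_after):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))          # [0] EXPLICIT version v3
                  + der(0x02, b"\x01")                     # serialNumber (toy value)
                  + alg + name(issuer)
                  + der(0x30, utctime(datetime(2015, 1, 1)) + utctime(not_after))
                  + name(subject)
                  + der(0x30, alg + der(0x03, b"\x00")))   # placeholder SubjectPublicKeyInfo
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 9))   # dummy signatureValue
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- minimal DER reader and X.509 field extraction ------------------------------------
def tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode()
    return None

def parse_time(tag, value):   # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(der_bytes):
    _, cert_body, _ = tlv(der_bytes)
    tbs = children(children(cert_body)[0][1])
    if tbs[0][0] == 0xA0:               # skip the optional explicit version
        tbs = tbs[1:]
    _serial, _alg, issuer, validity, subject = tbs[:5]
    (nb_tag, nb), (na_tag, na) = children(validity[1])
    return {"subject": common_name(subject[1]), "issuer": common_name(issuer[1]),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def prune_bundle(pem_text, now):
    """Drop certificates whose notAfter has passed, then order the survivors leaf-first by
    following issuer names.  Returns (kept as [(info, pem)], dropped as [info])."""
    certs, dropped = [], []
    for m in PEM_RE.finditer(pem_text):
        info = parse_cert(base64.b64decode("".join(m.group(1).split())))
        if info["not_after"] <= now:
            dropped.append(info)
        else:
            certs.append((info, m.group(0) + "\n"))
    issuers = {info["issuer"] for info, _ in certs}
    by_subject = {info["subject"]: (info, pem) for info, pem in certs}
    ordered = []
    cur = next((c for c in certs if c[0]["subject"] not in issuers), None)   # the leaf
    while cur is not None and cur not in ordered:
        ordered.append(cur)
        info = cur[0]
        cur = None if info["issuer"] == info["subject"] else by_subject.get(info["issuer"])
    return ordered, dropped

EXPIRY = datetime(2020, 5, 30, 10, 48, 38)            # expiry moment from the notes above
FAR = datetime(2030, 1, 1)
BEFORE_EXPIRY = datetime(2020, 5, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2020, 6, 1, tzinfo=timezone.utc)

# Constructed bundle in the shape of "Path A": leaf, intermediate, cross-signed CA
# (stand-in for the cross-signed USERTrust cert), legacy self-signed root (AddTrust stand-in).
SAMPLE_BUNDLE = "".join([
    toy_cert("www.example.test", "Example Secure Server CA", FAR),
    toy_cert("Example Secure Server CA", "Example Root CA", FAR),
    toy_cert("Example Root CA", "Example Legacy Root", EXPIRY),
    toy_cert("Example Legacy Root", "Example Legacy Root", EXPIRY),
])

if __name__ == "__main__":
    kept, dropped = prune_bundle(SAMPLE_BUNDLE, AFTER_EXPIRY)
    for info in dropped:
        print("dropping", info["subject"], "expired", info["not_after"].isoformat())
    print("serve:", [info["subject"] for info, _ in kept])
```

Run after the expiry moment, the cross-signed "Example Root CA" and the legacy root are dropped and the served bundle shrinks to leaf plus intermediate, which is exactly the Path B shape recommended above: the client completes the chain from its own trust store. Run with a pre-expiry clock, all four certificates survive, which is the Path A bundle that trips old OpenSSL once the clock passes the expiry. With real certificates the same logic applies unchanged; only the `toy_cert` builder is specific to this example.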

More details
