...

Some of you may have noticed that the chain certificates we got from Sectigo until the beginning of May 2020 contain a certificate at the top with CN = AddTrust External CA Root and an expiration date of 2020-05-30. For an explanation of why this should not cause problems for you, please see "Sectigo AddTrust External CA Root Expiring May 30, 2020" on the Sectigo site.

You may also notice that the next level down in the chain is CN = USERTrust RSA Certification Authority, which also expires on 2020-05-30, and that this is the certificate that signed the CN = GEANT OV RSA CA 4 certificate, which in turn signed the SSL certificate for your server. That also seems bad, doesn't it? It turns out that this certificate is only there to support the CN = AddTrust External CA Root "feature", and that there is another version of CN = USERTrust RSA Certification Authority present in the root store of the browsers (using the same key) which is valid until 2038-01-18. That is the one that matters: it makes the browser trust the GEANT-branded CA certificate and therefore your server certificate.

The conclusion is that things will work after 2020-05-30 too.

2020-06-02: There are reports from other NRENs that some TLS-inspecting software/appliances reject the expired certificates present in this chain. If this affects you, update the chain to include only the GEANT CA certificate, as described below.

What if we see "AAA Certificate Services" instead of "AddTrust External CA Root"?

Starting at the beginning of May 2020, the chain we get from Sectigo instead contains the root certificate CN = AAA Certificate Services, expiring at the end of 2028, and the next level down is CN = USERTrust RSA Certification Authority with the same expiry date. This is their new workaround for legacy environments, but as far as we know it will not cause problems for modern browsers/operating systems.

Do we really need all those certificates in the chain?

No. You should be fine with only the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar) configured as the chain certificate in your server. That CA certificate is signed by a version of USERTrust RSA Certification Authority that is present in modern browser/OS trust stores and similar.
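As an added example (not part of the original page or of any Sectigo/GEANT tooling), the script below parses the "Certificate chain" section that `openssl s_client -showcerts` prints and flags the certificates this page says you can drop: a self-signed root sent by the server, and the AddTrust / AAA cross-signing certificates. The hostname in the sample output is a placeholder, and the DN format assumed is the comma-separated one printed by recent OpenSSL versions.

```python
import re
import subprocess

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`, mirroring the chain described on this page:
# leaf -> GEANT OV RSA CA 4 -> USERTrust cross-cert -> AddTrust External CA Root.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.invalid
   i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
 1 s:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
 3 s:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, CN = AddTrust External CA Root
---
Server certificate
"""

# Legacy compatibility certificates discussed on this page.
LEGACY_ROOTS = {"AddTrust External CA Root", "AAA Certificate Services"}
CROSS_SIGNED = "USERTrust RSA Certification Authority"

# One chain entry: " N s:<subject DN>" followed by "   i:<issuer DN>".
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def _cn(dn):
    """Pull the CN attribute out of a comma-separated DN string."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def analyze_chain(s_client_output):
    """Return ([(depth, subject CN, issuer CN)], [findings]) for a sent chain."""
    chain = [(int(d), _cn(s), _cn(i)) for d, s, i in ENTRY_RE.findall(s_client_output)]
    findings = []
    for depth, subj, issuer in chain:
        if depth == 0:
            continue  # the server certificate itself is always needed
        if subj == issuer:
            findings.append(f"depth {depth}: self-signed root '{subj}' sent by server; remove it")
        elif subj in LEGACY_ROOTS or (subj == CROSS_SIGNED and issuer in LEGACY_ROOTS):
            findings.append(f"depth {depth}: legacy cross-cert '{subj}' issued by '{issuer}'; remove it")
    return chain, findings

def fetch_chain_output(host, port=443):
    """Capture s_client output from a live server (needs the openssl binary)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input="", capture_output=True, text=True).stdout
```

Run `analyze_chain(fetch_chain_output("your.server.example"))` against your own host; an empty findings list means only the leaf and the GEANT sub-CA are being sent.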

Where can we check if our server sends the correct chain?

...