Since 29, May 2020, some of our customers who're monitoring their SSL Certificates have received certificate expiry alerts though the validity is still intact. These alerts were triggered as a result of the AddTrust External CA Root certificate's expiry on May 30, 2020. Please note that the alerts are valid for legacy systems and browsers and the certificate chain needs to be updated.

Browsers and systems that were affected:

Systems

• Apple

• macOS El Capitan 10.11 and older

• iOS 9 and older

• Microsoft

• Windows XP and older

• Windows Phone 6 and older

• Oracle 

  • Java JRE 8u51 and older, 7u85 and older, and any version of Java 6

Browsers

• Mozilla

• Firefox 35 and older

• Google

• Android 5.0 and older

• Opera

  • Versions released before December 2012 

Applications 

• Java applications that do not use the default truststore and applications that are configured to explicitly trust the AddTrust External CA Root like.

SSL Certificate check in Site24x7 is as follows:

1. Validation of the domain name issued in the certificate

2. Validation of the certificate issuing authority (in this case: Comodo)

3. Validation of USERTrust root certification authority

4. Validation of AddTrust External CA Root

 The validity of the AddTrust External CA Root has expired on May 30, 2020 which in turn triggered certificate expiration alerts to some users. 

 The alerts will also be triggered because: 

1. Legacy browsers and systems do not have the USERTrust RSA Certification by default 

2. The browser is configured to only trust AddTrust External CA Root

3. The browser does not process Trust Chain B and follows Trust Chain A

Modern systems and browsers directly check the USERTrust for certificate validity and ignores the AddTrust certificate and will remain unaffected. However, legacy system checks go upto the root level and thus users will have to configure their certificate chain to remove Trust Chain A (AddTrust External CA) and validate upto Trust Chain B (USERTrust).

Steps to remove and update invalid certificates:

Ensure that updated certificates are installed on your servers.

1. Open your Certificate manager console

2. Open your Certificates, here you can view the certificate chain with expired root certificate (AddTrust External CA Root). 

3. If AddTrust External CA Root certificate is not present in the root certificate provider then you will not need to perform the steps given below

4. If you have the following certificates installed that expired on May 30, 2020 whether in a certificate chain or in a CApath directory:

• Remove the AddTrust External CA Root certificate (expired May 30, 2020)

• Remove the USERTrust RSA Certification Authority intermediate certificate (expired May 30, 2020). You will need to check the expiration date on this certificate to determine whether to remove it, since there is also a root certificate with the same subject. Hash the ones you need to keep.

1. Configure your system or service to follow the new InCommon certificate:

• Ensure you have the InCommon RSA Server CA intermediate certificate (expires 2024) installed. Install it if it is not present.

• For mod_cosign and any other middle ware that requires a full certificate chain, also install the USERTrust RSA Certification Authority root certificate (expires 2038). This root certificate should not be installed when configuring a web server for HTTPS, but it may be needed in many other cases.

1. Update COMODO RSA/ECC Certification Authority and USERTrust RSA/ECC Certification Authority:

• USERTrust RSA Certification Authority - https://crt.sh/?id=1199354 USERTrust ECC Certification Authority - https://crt.sh/?id=2841410

• COMODO RSA Certification Authority - https://crt.sh/?id=1720081 COMODO ECC Certification Authority - https://crt.sh/?id=2835394

1. Save and Refresh. 

Note:

If the error persists after removing the invalid certificate:

1. Update Key Trust Store.

2. Check the validity of the last certificate of chain updated. 

3. To validate the contents of your custom CA bundle:

openssl crl2pkcs7 -nocrl -certfile ca_bundle.crt | openssl pkcs7 -print_certs -text -noout

4. To validate the server certificate agasint the CA bundle:

openssl verify -CAfile ca_bundle.crt my_host_cert.crt

References

• https://documentation.its.umich.edu/node/1988
• https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020