On May 30, 2020, the widely used Sectigo (Comodo) root certificate named AddTrust External CA Root expired. This certificate had been active since May 30, 2000, and was widely supported throughout that time. Its successor, the COMODO RSA Certification Authority root, is valid until 2038.
What Is a Root Certificate?
Root certificates are self-signed certificates. This means the “Issuer” and “Subject” are the same. A root certificate becomes a trusted root certificate (or trusted CA, or trust anchor) by virtue of being included by default in the trust store of a piece of software such as a browser or OS.
These trust stores are updated by the browser software or OS frequently, often as part of security updates, but on older outdated platforms they were often updated only as part of a full software update – such as Windows Service Packs or optional Windows Update releases.
Certificates for your site are issued from a “chain” of issuing or “intermediate” CAs that completes a path back to one of these trusted root certificates.
Keeping up with security updates matters here. There are devices that have not been updated to include modern roots, but as a consequence they also do not support standards required by the modern internet. A good example is Android: Android 2.3 Gingerbread does not have the modern roots installed and relies on AddTrust, but it also does not support TLS 1.2 or 1.3, and it is unsupported and labelled obsolete by the vendor.
For more information view this article: Sectigo Chain Hierarchy and Intermediate Roots
What Is Cross-Signing?
CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross-certificates to ensure that their certificates are as widely supported as possible. A cross-certificate is where one root certificate is used to sign another.
The cross-certificate uses the same public key and Subject as the root being signed.
For example, a cross-certificate could have:
- Subject: COMODO RSA Certification Authority
- Issuer: AddTrust External CA Root
and it uses the same Subject and public key as the self-signed COMODO root certificate.
Browsers and clients will chain back to the “best” root certificate they trust.
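The path-building behaviour described above, as an added example that is not from the original article or from Sectigo: a POSIX shell script (it assumes the openssl CLI is installed) that builds a constructed hierarchy with a “legacy” root, a “modern” root, a cross-certificate carrying the modern root’s subject and public key but signed by the legacy root, an intermediate under the modern root and a leaf under the intermediate, then runs openssl verify with different trust stores. All names are constructed and the function names are our own.

```shell
#!/bin/sh
# Added example, not from the original article or from Sectigo: build a toy
# hierarchy with a cross-certificate and watch a verifier pick a path to
# whichever root it trusts. Assumes the openssl CLI; all names are constructed.
set -eu

# Self-signed root: $1 = dir, $2 = short name, $3 = CN
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.pem" \
        -subj "/CN=$3" -days 3 >/dev/null 2>&1
}

# Issue a CA certificate for an existing key under another CA.
# $1 = dir, $2 = name of the subject key ($2.key), $3 = issuer name, $4 = output name, $5 = CN
# The CSR carries the subject; basicConstraints in ca.ext marks the result as a CA.
issue_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl req -new -key "$1/$2.key" -out "$1/$4.csr" -subj "/CN=$5" >/dev/null 2>&1
    openssl x509 -req -in "$1/$4.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -extfile "$1/ca.ext" -out "$1/$4.pem" -days 3 >/dev/null 2>&1
}

# legacy root, modern root, cross-cert (modern's key and subject, signed by legacy),
# intermediate under modern, leaf under the intermediate.  $1 = dir
make_hierarchy() {
    make_root "$1" legacy "Legacy Root (constructed)"
    make_root "$1" modern "Modern Root (constructed)"
    issue_ca "$1" modern legacy cross "Modern Root (constructed)"
    openssl genrsa -out "$1/inter.key" 2048 >/dev/null 2>&1
    issue_ca "$1" inter modern inter "Constructed Issuing CA"
    openssl req -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj "/CN=www.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" -CAcreateserial \
        -out "$1/leaf.pem" -days 1 >/dev/null 2>&1
}

# A field of a certificate with openssl's "subject="/"issuer=" label removed.
# $1 = -subject | -issuer | -pubkey, $2 = certificate file
field() {
    openssl x509 -in "$2" -noout "$1" | sed 's/^[a-z]*= *//'
}

# Does leaf.pem verify against trust store $2 given the untrusted chain files $3...? Prints yes/no.
verifies() {
    d="$1"; ca="$2"; shift 2
    args=""
    for f in "$@"; do args="$args -untrusted $d/$f"; done
    # $args is deliberately unquoted: it is a list of separate -untrusted options
    if openssl verify -CAfile "$d/$ca" $args "$d/leaf.pem" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Usage: sh cross_sign_demo.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_hierarchy "$d"
    echo "cross.pem subject : $(field -subject "$d/cross.pem")"
    echo "cross.pem issuer  : $(field -issuer "$d/cross.pem")"
    echo "trust legacy only, chain includes cross : $(verifies "$d" legacy.pem inter.pem cross.pem)"
    echo "trust modern only, chain includes cross : $(verifies "$d" modern.pem inter.pem cross.pem)"
    echo "trust modern only, cross removed        : $(verifies "$d" modern.pem inter.pem)"
    echo "trust legacy only, cross removed        : $(verifies "$d" legacy.pem inter.pem)"
    rm -rf "$d"
fi
```

The cross-certificate and the modern root print the same subject and the same public key; only the issuer differs. A verifier that trusts only the legacy root needs the cross-certificate in the served chain; one that trusts the modern root does not. The third case, modern root trusted and the cross-certificate still in the chain, passes with OpenSSL 1.1.0 and later because they try trusted certificates first; OpenSSL 1.0.x follows the served chain up to the legacy root and fails, which is the behaviour that hit non-browser clients when AddTrust expired.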
AddTrust External CA Expiration
Sectigo controls a root certificate called the AddTrust External CA Root, which has been used to create cross-certificates to Sectigo’s modern root certificates, the COMODO RSA Certification Authority and USERTrust RSA Certification Authority (as well as the ECC versions of those roots). These roots don’t expire until 2038.
However, the AddTrust External CA Root expired on May 30, 2020.
After this date, clients and browsers chain back to the modern roots that the older AddTrust root was used to cross-sign. No errors are displayed on any up-to-date device or platform.
Before the expiry, a legacy browser or older device that did not have the modern USERTrust root would not trust it directly and so would follow the cross-certificate further up the chain to a root it did trust, the AddTrust External CA Root. A modern browser already has the USERTrust root installed and trusts it without needing the older AddTrust root.
Impact:
All modern browsers, operating systems, and applications are very unlikely to be affected. However, if you are accessing a site from a legacy operating system, a legacy application that uses its own certificate trust store (for example a Java JRE older than 8u51), or a browser older than 2006, your access may be impacted. Non-browser clients that verify only the chain the server sends, such as programs linked against OpenSSL 1.0.x, also fail while the server still sends the expired AddTrust certificates, even if the modern USERTrust root is in their trust store; for those the fix has to be made on the server.
How to identify the problem:
Check your domain SSL from the site https://www.sslshopper.com/ssl-checker.html
If there are no issues, all the certificates pass. If there is a problem, the checker reports it with a message such as:
One of the root or intermediate certificates has expired (1 day ago).
The Solution
If your web server uses a Sectigo (Comodo) certificate, the certificate chain file it serves has to be replaced.
A typical chain looked like this before the fix, with three chain certificates above your own:
- “www.example.com” (your certificate), issued by
- “Sectigo RSA Organization Validation Secure Server CA” (1st chain certificate), issued by
- “USERTrust RSA Certification Authority” (2nd chain certificate), issued by
- “AddTrust External CA Root”, signed by itself (3rd chain certificate)
Remove the 2nd and 3rd chain certificates and replace them with Sectigo’s “Intermediate + Cross Signed” bundle, then reload the web server so that the new chain is served. The bundle can be downloaded from https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO
Note: Download the Intermediate + Cross Signed bundle that matches the intermediate CA your certificate was issued from.
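To identify the problem without a third-party web checker, and to see which certificates in a chain file have to go, here is an added example in POSIX shell; it is not from the original article and is not Sectigo’s tooling. It assumes the openssl CLI is installed; file paths and host names are supplied by the caller and the function names are our own. audit_chain reports every certificate in a PEM bundle as valid or EXPIRED and as issued or self-signed-root, which is what the checker message above corresponds to; trim_chain writes the bundle without expired certificates and without self-signed roots (a root never belongs in the served chain); fetch_chain pulls the chain a live server actually sends so the audit can be run against production (it needs network access and is not exercised in the offline run).

```shell
#!/bin/sh
# Added example, not from the original article or from Sectigo: audit the PEM
# chain a server is configured with (or actually sends) and write a trimmed copy.
# Assumes the openssl CLI is on PATH. Paths and host names come from the caller.
set -eu

# The chain a live server sends, as PEM blocks only (needs network).  $1 = host name
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split PEM bundle $1 into cert01.pem, cert02.pem, ... inside directory $2.
# Text between certificates (s_client prints subject/issuer lines there) is dropped.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0 }
    ' "$1"
}

# A certificate field without the "subject="/"issuer=" label openssl prints
# (works for the 1.0 "/CN=x" and the 1.1+/3.x "CN = x" layouts).  $1 = -subject|-issuer, $2 = file
dn_of() {
    openssl x509 -in "$2" -noout "$1" | sed 's/^[a-z]*= *//'
}

# One report line per certificate in bundle $1:
#   <valid|EXPIRED> <issued|self-signed-root> | subject | issuer | notAfter
# An EXPIRED line, or any self-signed-root line, is what needs fixing.
audit_chain() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    for f in "$dir"/cert*.pem; do
        subject=$(dn_of -subject "$f")
        issuer=$(dn_of -issuer "$f")
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero once notAfter is in the past
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            state=valid
        else
            state=EXPIRED
        fi
        if [ "$subject" = "$issuer" ]; then kind=self-signed-root; else kind=issued; fi
        printf '%s %s | %s | %s | %s\n' "$state" "$kind" "$subject" "$issuer" "$end"
    done
    rm -rf "$dir"
}

# Write bundle $1 to $2 without self-signed roots and without expired certificates.
# This removes what must not be served; a replacement cross-signed intermediate,
# if one is needed, still has to come from the CA's bundle.
trim_chain() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    : > "$2"
    for f in "$dir"/cert*.pem; do
        if [ "$(dn_of -subject "$f")" = "$(dn_of -issuer "$f")" ]; then
            continue
        fi
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || continue
        cat "$f" >> "$2"
    done
    rm -rf "$dir"
}

# Usage: sh chain_audit.sh chain.pem   (or: fetch_chain www.example.com > chain.pem first)
if [ $# -gt 0 ]; then
    audit_chain "$1"
fi
```

Run it against the chain file your web server is configured with, or against `fetch_chain yourhost > served.pem` to see what clients really receive. For the Sectigo case, an EXPIRED line for any chain certificate means the old bundle is still being served; trim the chain, install the current Intermediate + Cross Signed bundle from the link above and re-run the audit after reloading the server.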
We at E2E Networks always encourage our customers to follow security best practices and keep their systems updated, protected, and patched against known vulnerabilities.
Official references and security advisories: