Sectigo AddTrust External CA Root Expiring May 30, 2020
Incident Report for Gandi.net Status
Resolved
This incident has been resolved.
Posted Jun 02, 2020 - 11:47 UTC
Identified
On May 30 2020 10:48:38 +0000 root certificate "AddTrust External CA Root" and intermediate certificate "USERTrust RSA Certification Authority" are expiring.

We are going to update certificate chain on some services.

It could impact leaf certificates validation on outdated systems.

This certificate is one of the root signing the certificate authority "Gandi Standard SSL CA 2" which sign leaf certificate used in production.

Hopefully a new version of this signing certificate exists:

Chain details, expiring 2020-05-30, with expiration date, hash, issuer_hash and certificate CN:
1.1. 2024-09-11 23:59:59, 8544bf03, fc5a8f99, Gandi Standard SSL CA 2
1.2. 2020-05-30 10:48:38, fc5a8f99, 157753a5, USERTrust RSA Certification Authority
1.3. 2020-05-30 10:48:38, 157753a5, 157753a5, AddTrust External CA Root

New chain details, with expiration date, hash, issuer_hash and certificate CN:
2.1. 2024-09-11 23:59:59, 8544bf03, fc5a8f99, Gandi Standard SSL CA 2
2.2. 2038-01-18 23:59:59, fc5a8f99, fc5a8f99, USERTrust RSA Certification Authority

Last level of each chain is the root certificate which has to be set up on clients and servers. Known as trusted root certificate.

It must never be sent on TLS connection.

"USERTrust RSA Certification Authority" is cross-signed. Its new version 2.2 is self-signed. This new version is a root certificate.

Please ensure your operating systems (clients and servers) have this certificate installed:
Serial Number: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Validity Not Before: Feb 1 00:00:00 2010 GMT
Validity Not After : Jan 18 23:59:59 2038 GMT


Reference: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
Posted May 29, 2020 - 13:55 UTC
This incident affected: SSL Certificates.