
Sectigo certificate changes 5/30/2020

The Sectigo root certificate that expired on May 30, 2020 affected many other higher education institutions and companies and was not unique to Penn.

As we have worked through related issues over the weekend, we would like to share some findings that may be helpful if you are encountering problems with your services.

Client software is handling the certificate expiration in different ways. Some clients are failing when the expired AddTrust certificate is still being sent by the server despite a path through a valid chain being available.

We have had success by removing prior chains from the server configuration and enabling a new chain that only supplies the intermediate certificate. This is the first action that should be taken when issues are encountered, as it is the easiest global change and has a high probability of resolving your issues. The intermediate certificate is:

InCommon RSA Server CA

This intermediate certificate is available here:

https://crt.sh/?d=5174803

If client problems continue to occur, the next step is to update the client's trust store with the root certificate:

USERTrust RSA Certification Authority

The root certificate is available here:

https://crt.sh/?d=1199354

The way to update the client certificate store varies by type and version of the client software.
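
To confirm that a server-side chain file no longer carries an expired certificate after the chain change described above, a check like the following can be run against it. This is an added example, not part of the original notice; the function names are hypothetical, and the two certificates are constructed self-signed stand-ins (a 1-day lifetime plus a look-ahead window simulates the expired entry).

```sh
#!/bin/sh
# Added example (not from the advisory): flag certificates in a PEM chain
# file that are expired, or will be within a look-ahead window.

# expired_in_chain FILE [SECONDS]
# Prints the subject of each certificate in FILE whose notAfter falls
# before now + SECONDS (default 0, i.e. already expired).
expired_in_chain() {
    chain=$1; ahead=${2:-0}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate; text outside the
    # BEGIN/END markers is ignored.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0; close(d "/cert" n ".pem") }
    ' "$chain"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        # -checkend exits non-zero if the cert expires within $ahead seconds.
        if ! openssl x509 -in "$c" -noout -checkend "$ahead" >/dev/null 2>&1; then
            openssl x509 -in "$c" -noout -subject
        fi
    done
    rm -rf "$tmp"
}

# make_demo_chain DIR
# Builds DIR/chain.pem from two constructed self-signed stand-ins (not the
# real InCommon or AddTrust certificates): one valid 10 years, one 1 day.
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Legacy Root" \
        -keyout "$dir/old.key" -out "$dir/old.pem" 2>/dev/null
    cat "$dir/int.pem" "$dir/old.pem" > "$dir/chain.pem"
}

# Demo: look two days ahead, so only the 1-day stand-in is reported.
demo=$(mktemp -d)
make_demo_chain "$demo"
expired_in_chain "$demo/chain.pem" 172800
rm -rf "$demo"
```

Output saved from `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) can be passed as FILE to check what a server actually sends, since text outside the certificate markers is skipped.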