
InCommon Certificate Service: Sectigo Root Certificate Expiry


Summary

Sectigo, an SSL Certificate Authority, has a root certificate that is due to expire on Saturday, May 30, 2020. The University of Pennsylvania is a client of Sectigo through the Internet2 InCommon certificate service and has been using that service for SSL/TLS certificates for several years.

Sectigo has a Knowledge Base article about this change that includes a list of browsers that have the required updates, additional technical explanations and details, and FAQs. 

According to Sectigo, no action is required for most use cases. All modern clients and operating systems have the newer COMODO and USERTrust roots, so modern browsers should not show errors. Non-browser relying parties, such as Java (prior to JRE 8u51), LDAP, and other non-browser clients, are the most at risk. The required action for these is to confirm that the necessary trust anchors are available to these clients.

 

Checking Non-Browser Relying Parties

This set of checks is not necessary for modern browsers. Run them only if you have a non-browser client that relies on SSL/TLS connectivity to a server or service using the Sectigo certificates.

Step 1: Determine which certificate store your client uses for trusted certificates. Be sure to consult the platforms list in the Knowledge Base article. The store may be:

  • Stored in the operating system
  • Stored by the programming language or developer toolkit
  • Stored in a security suite

Step 2: Determine whether the required certificate is available in that certificate store. Search the certificate store for the required certificate (https://crt.sh/?d=1199354), which has these identifiers:

  • SHA1 Fingerprint=2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
  • CN=USERTrust RSA Certification Authority
  • Serial Number: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d

Step 3: If the required certificate is not available in the certificate store, take action to insert it. Consult the documentation for your client on how to add a certificate to the store.
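One way to carry out the Step 2 search for a PEM bundle file or for a Python client, as an added example that is not from Sectigo, InCommon or the University: it computes the SHA-1 fingerprint of every certificate in a store and compares it with the fingerprint listed above. The function names and the sample bundle are constructed for illustration; `default_store_ders()` covers only the store Python's `ssl` module loads, so other runtimes (for example a Java keystore) need their own tooling.

```python
import base64
import hashlib
import re
import ssl

# SHA-1 fingerprint of the required root, as listed in Step 2 of this page.
REQUIRED_SHA1 = "2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def normalize(fingerprint):
    """Reduce 'SHA1 Fingerprint=AA:BB:..' or 'AA:BB:..' to lowercase hex."""
    value = fingerprint.split("=", 1)[-1]
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()

def pem_to_ders(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]

def sha1_fingerprint(der):
    """A certificate fingerprint is the hash of its DER encoding."""
    return hashlib.sha1(der).hexdigest()

def store_contains(ders, fingerprint=REQUIRED_SHA1):
    """True if any certificate in the store matches the fingerprint."""
    wanted = normalize(fingerprint)
    return any(sha1_fingerprint(der) == wanted for der in ders)

def default_store_ders():
    """Certificates loaded into Python's default TLS context. Certificates
    kept in a hashed directory (capath) are loaded lazily and are not
    listed here, so a False result still needs a manual check there."""
    return ssl.create_default_context().get_ca_certs(binary_form=True)

def to_pem(der):
    """Wrap DER bytes in PEM armor (used to build the sample below)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder byte strings, not real certificates.
SAMPLE_BUNDLE = to_pem(b"constructed-root-A" * 20) + to_pem(b"constructed-root-B" * 20)

if __name__ == "__main__":
    print("sample bundle has root:", store_contains(pem_to_ders(SAMPLE_BUNDLE)))
    print("default store has root:", store_contains(default_store_ders()))
```

To check a bundle file, read it as text and pass it through `pem_to_ders()` before calling `store_contains()`; a `False` result means Step 3 applies.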

 

Resources

Sectigo Knowledge Base articles: