Post by account_disabled on Feb 25, 2024 6:25:00 GMT
On May 30, Sectigo's AddTrust External CA Root certificate expired, causing problems and service interruptions for many applications. Even if your web application is protected by an SSL certificate and you see the lock in your browser, you may have run into this issue, especially if you use integrations such as APIs, cURL or OpenSSL. What happened with Sectigo? The SSL/TLS protocol protects data between client and server so that it cannot be read or used by third parties without the appropriate private decryption key. Every time an application contacts a web service via this protocol, the application verifies that the certificates have been issued for the service it is accessing, that they have not expired and that they have been signed by a trusted certification authority (Certificate Authority, CA).
To verify this last step, the application attempts to chain the certificates it received to one of those contained in its trust store, which is distributed together with the operating system or browser, or embedded in the application. When these checks pass, the application begins communication over the secure SSL/TLS protocol. Sectigo's AddTrust External CA Root certificate, previously known as Comodo, was issued with a validity of 20 years, until May 30, 2020, and was already considered legacy, i.e. due to be replaced. Using cross-certification, Sectigo had already issued a pair of new Root certificates in 2010, valid until 2038, to replace the legacy Roots.
The new Root certificates had already been included in the security updates released by all the major vendors (Microsoft, Apple, etc.) whose applications use this functionality. Sectigo nevertheless continued to issue new SSL certificates chained through AddTrust External CA Root and the USERTrust RSA CA or USERTrust ECC CA intermediates, so that there were no compatibility issues with older devices. In any case, with the cross-signed Root certificates in place, all browsers with the latest updates continued to work without problems. As we mentioned before, most of the problems we encountered with our users were caused, for example, by API calls made via the cURL application. Applications like cURL often use custom certificate validation methods, and since they are updated less frequently than the popular browsers, they did not embed the new Root certificates issued by Sectigo.
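The chain building described above, as an added example that is not part of the post and not Sectigo's or cURL's code: constructed stand-in records named after the certificates discussed, and a small "trusted first" path builder. It shows why a client whose trust store held only AddTrust External CA Root validated fine before May 30, 2020 and failed afterwards, while a client that had picked up the 2010 USERTrust root kept working. The leaf and intermediate names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:                # only the fields a client needs for path building
    subject: str
    issuer: str
    not_after: datetime

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed stand-ins named after the certificates in the post. Root expiry
# dates follow the post (AddTrust: 30 May 2020, USERTrust: 2038); the leaf and
# intermediate names and dates are assumptions.
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", _utc(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA", _utc(2038, 1, 18))
USERTRUST_CROSS = Cert("USERTrust RSA CA", "AddTrust External CA Root", _utc(2020, 5, 30))
SECTIGO_DV = Cert("Sectigo RSA DV CA", "USERTrust RSA CA", _utc(2030, 12, 31))
LEAF = Cert("www.example.com", "Sectigo RSA DV CA", _utc(2021, 3, 1))

# What the server sends: the leaf, the cross-signed USERTrust and the old root.
SERVER_CHAIN = [LEAF, SECTIGO_DV, USERTRUST_CROSS, ADDTRUST_ROOT]
OLD_STORE = [ADDTRUST_ROOT]                  # client that never updated its roots
NEW_STORE = [ADDTRUST_ROOT, USERTRUST_ROOT]  # client that picked up the 2010 root

def build_path(leaf, supplied, trust_store, now):
    """Subjects on the first valid path from leaf to an unexpired trust anchor,
    or None. Anchors are tried before supplied intermediates ("trusted first")
    and an expired certificate is never used as a link."""
    def walk(cert, path):
        if now > cert.not_after or cert.subject in path:  # expired, or a loop
            return None
        path = path + [cert.subject]
        for anchor in trust_store:
            if anchor.subject == cert.issuer and now <= anchor.not_after:
                return path + [anchor.subject]
        for cand in supplied:  # self-signed certs only count as trust anchors
            if cand.subject == cert.issuer and cand.subject != cand.issuer:
                found = walk(cand, path)
                if found:
                    return found
        return None
    return walk(leaf, [])

if __name__ == "__main__":
    for label, store in (("old store", OLD_STORE), ("updated store", NEW_STORE)):
        for when in (_utc(2020, 5, 1), _utc(2020, 6, 1)):
            print(label, when.date(), build_path(LEAF, SERVER_CHAIN, store, when))
```

With the old store the only path runs through the cross-signed USERTrust certificate to AddTrust, so it breaks the moment either expires; with the updated store the builder stops at the USERTrust root and never touches the expired links the server still sends.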