Fixing the Sectigo (Comodo CA) AddTrust Root CA expiry of May 30, 2020

Recently, some users of Sectigo (formerly Comodo CA) certificates have found that applications which use a Sectigo certificate for an SSL/TLS connection (web, e-mail, and so on) throw error messages and the connection fails. The cause is that the chain these certificates were delivered with ends at the legacy AddTrust External CA Root certificate, whose validity period ended on May 30, 2020.

Most up-to-date clients received the replacement as early as 2015 through security updates, which replaced the AddTrust root with the self-signed USERTrust RSA Certification Authority root (valid until January 2038) in their trust stores; a client that already trusts that root directly is not affected by the expiry of the AddTrust cross-certificate. A minority of clients did not receive the update, either because an old client can no longer be updated or for other special reasons, and those still trust only AddTrust and therefore fail once it expires. The same symptom appears on systems whose TLS library cannot build an alternative chain around the expired cross-certificate even when the newer root is present.

This article provides the corresponding fix for users whose certificates can no longer be validated because the Sectigo AddTrust External CA Root has expired.

Changes to the trust chain

As shown in Figure 1, the old chain ended at the AddTrust External CA Root, which was valid only until May 30, 2020. The USERTrust RSA Certification Authority certificate in that chain was a cross-certificate issued by AddTrust, and it expired on the same day; the self-signed USERTrust RSA Certification Authority root, by contrast, is valid until 2038.

Figure 1: Trust chain before May 30

After May 30, 2020, the chain has to be changed to the structure shown in Figure 2: the server certificate, the intermediate, and the self-signed USERTrust RSA Certification Authority root, with no AddTrust certificate in it.

Figure 2: Trust chain after May 30

Solution:

Because the old root certificate has expired, we need to switch to the new root certificate and rebuild the chain on it; the expired AddTrust cross-certificate must be dropped from any bundle that is still being served or trusted.

Root certificate:

Sectigo's support site provides the new root certificate for download:

https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

1. First go to the Sectigo page and find the Root Certificates section.
Figure 3: USERTrust root certificate download location

2. Choose: [Download] SHA-2 Root: USERTrust RSA Certification Authority.

3. After downloading, inspect the file. It should be a single PEM block whose decoded form matches the first certificate in the openssl output later in this article: Subject and Issuer are both USERTrust RSA Certification Authority, and it is valid until January 18, 2038.

Intermediate certificate:

The intermediate certificate can be downloaded from the Internet2 site. Note that InCommon RSA Server CA is the intermediate for certificates issued through the InCommon (Internet2) service, which is what this example uses; if your certificate was issued by a different Sectigo intermediate, download that one instead. The intermediate you need is the one whose Subject equals the Issuer field of your own server certificate.

https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types

1. First go to the Internet2 page and find the SSL/TLS Certificates section.
Figure 6: InCommon RSA Server CA download location

2. Choose: InCommon RSA Server CA [PEM].

3. The file is again a single PEM block; decoded, it matches the second certificate in the openssl output below (Issuer USERTrust RSA Certification Authority, Subject InCommon RSA Server CA).

The complete root certificate plus intermediate certificate can be concatenated into a full chain, i.e. a CA bundle; we name the file full.crt.

Figure 9: Root certificate + intermediate certificate

Next, because openssl x509 only prints the first certificate in a PEM file, we wrap the bundle in a PKCS#7 structure with the crl2pkcs7 command and then have the pkcs7 command display every certificate in it together with its Issuer: the upper part of the output is the root certificate, the lower part the intermediate certificate.

$ openssl crl2pkcs7 -nocrl -certfile full.crt | openssl pkcs7 -print_certs -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:80:12:65:17:36:0e:c3:db:08:b3:d0:ac:57:0d:
76:ed:cd:27:d3:4c:ad:50:83:61:e2:aa:20:4d:09:
2d:64:09:dc:ce:89:9f:cc:3d:a9:ec:f6:cf:c1:dc:
f1:d3:b1:d6:7b:37:28:11:2b:47:da:39:c6:bc:3a:
19:b4:5f:a6:bd:7d:9d:a3:63:42:b6:76:f2:a9:3b:
2b:91:f8:e2:6f:d0:ec:16:20:90:09:3e:e2:e8:74:
c9:18:b4:91:d4:62:64:db:7f:a3:06:f1:88:18:6a:
90:22:3c:bc:fe:13:f0:87:14:7b:f6:e4:1f:8e:d4:
e4:51:c6:11:67:46:08:51:cb:86:14:54:3f:bc:33:
fe:7e:6c:9c:ff:16:9d:18:bd:51:8e:35:a6:a7:66:
c8:72:67:db:21:66:b1:d4:9b:78:03:c0:50:3a:e8:
cc:f0:dc:bc:9e:4c:fe:af:05:96:35:1f:57:5a:b7:
ff:ce:f9:3d:b7:2c:b6:f6:54:dd:c8:e7:12:3a:4d:
ae:4c:8a:b7:5c:9a:b4:b7:20:3d:ca:7f:22:34:ae:
7e:3b:68:66:01:44:e7:01:4e:46:53:9b:33:60:f7:
94:be:53:37:90:73:43:f3:32:c3:53:ef:db:aa:fe:
74:4e:69:c7:6b:8c:60:93:de:c4:c7:0c:df:e1:32:
ae:cc:93:3b:51:78:95:67:8b:ee:3d:56:fe:0c:d0:
69:0f:1b:0f:f3:25:26:6b:33:6d:f7:6e:47:fa:73:
43:e5:7e:0e:a5:66:b1:29:7c:32:84:63:55:89:c4:
0d:c1:93:54:30:19:13:ac:d3:7d:37:a7:eb:5d:3a:
6c:35:5c:db:41:d7:12:da:a9:49:0b:df:d8:80:8a:
09:93:62:8e:b5:66:cf:25:88:cd:84:b8:b1:3f:a4:
39:0f:d9:02:9e:eb:12:4c:95:7c:f3:6b:05:a9:5e:
16:83:cc:b8:67:e2:e8:13:9d:cc:5b:82:d3:4c:b3:
ed:5b:ff:de:e5:73:ac:23:3b:2d:00:bf:35:55:74:
09:49:d8:49:58:1a:7f:92:36:e6:51:92:0e:f3:26:
7d:1c:4d:17:bc:c9:ec:43:26:d0:bf:41:5f:40:a9:
44:44:f4:99:e7:57:87:9e:50:1f:57:54:a8:3e:fd:
74:63:2f:b1:50:65:09:e6:58:42:2e:43:1a:4c:b4:
f0:25:47:59:fa:04:1e:93:d4:26:46:4a:50:81:b2:
de:be:78:b7:fc:67:15:e1:c9:57:84:1e:0f:63:d6:
e9:62:ba:d6:5f:55:2e:ea:5c:c6:28:08:04:25:39:
b8:0e:2b:a9:f2:4c:97:1c:07:3f:0d:52:f5:ed:ef:
2f:82:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha384WithRSAEncryption
5c:d4:7c:0d:cf:f7:01:7d:41:99:65:0c:73:c5:52:9f:cb:f8:
cf:99:06:7f:1b:da:43:15:9f:9e:02:55:57:96:14:f1:52:3c:
27:87:94:28:ed:1f:3a:01:37:a2:76:fc:53:50:c0:84:9b:c6:
6b:4e:ba:8c:21:4f:a2:8e:55:62:91:f3:69:15:d8:bc:88:e3:
c4:aa:0b:fd:ef:a8:e9:4b:55:2a:06:20:6d:55:78:29:19:ee:
5f:30:5c:4b:24:11:55:ff:24:9a:6e:5e:2a:2b:ee:0b:4d:9f:
7f:f7:01:38:94:14:95:43:07:09:fb:60:a9:ee:1c:ab:12:8c:
a0:9a:5e:a7:98:6a:59:6d:8b:3f:08:fb:c8:d1:45:af:18:15:
64:90:12:0f:73:28:2e:c5:e2:24:4e:fc:58:ec:f0:f4:45:fe:
22:b3:eb:2f:8e:d2:d9:45:61:05:c1:97:6f:a8:76:72:8f:8b:
8c:36:af:bf:0d:05:ce:71:8d:e6:a6:6f:1f:6c:a6:71:62:c5:
d8:d0:83:72:0c:f1:67:11:89:0c:9c:13:4c:72:34:df:bc:d5:
71:df:aa:71:dd:e1:b9:6c:8c:3c:12:5d:65:da:bd:57:12:b6:
43:6b:ff:e5:de:4d:66:11:51:cf:99:ae:ec:17:b6:e8:71:91:
8c:de:49:fe:dd:35:71:a2:15:27:94:1c:cf:61:e3:26:bb:6f:
a3:67:25:21:5d:e6:dd:1d:0b:2e:68:1b:3b:82:af:ec:83:67:
85:d4:98:51:74:b1:b9:99:80:89:ff:7f:78:19:5c:79:4a:60:
2e:92:40:ae:4c:37:2a:2c:c9:c7:62:c8:0e:5d:f7:36:5b:ca:
e0:25:25:01:b4:dd:1a:07:9c:77:00:3f:d0:dc:d5:ec:3d:d4:
fa:bb:3f:cc:85:d6:6f:7f:a9:2d:df:b9:02:f7:f5:97:9a:b5:
35:da:c3:67:b0:87:4a:a9:28:9e:23:8e:ff:5c:27:6b:e1:b0:
4f:f3:07:ee:00:2e:d4:59:87:cb:52:41:95:ea:f4:47:d7:ee:
64:41:55:7c:8d:59:02:95:dd:62:9d:c2:b9:ee:5a:28:74:84:
a5:9b:b7:90:c7:0c:07:df:f5:89:36:74:32:d6:28:c1:b0:b0:
0b:e0:9c:4c:c3:1c:d6:fc:e3:69:b5:47:46:81:2f:a2:82:ab:
d3:63:44:70:c4:8d:ff:2d:33:ba:ad:8f:7b:b5:70:88:ae:3e:
19:cf:40:28:d8:fc:c8:90:bb:5d:99:22:f5:52:e6:58:c5:1f:
88:31:43:ee:88:1d:d7:c6:8e:3c:43:6a:1d:a7:18:de:7d:3d:
16:f1:62:f9:ca:90:a8:fd

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Validity
Not Before: Oct 6 00:00:00 2014 GMT
Not After : Oct 5 23:59:59 2024 GMT
Subject: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9c:1b:f1:bb:2f:7f:63:18:15:51:51:54:0f:9e:
c5:4e:4d:10:58:fa:30:9b:17:29:90:e6:33:0c:ac:
13:53:7c:54:91:b4:ea:d8:6e:9b:89:6d:bb:33:3e:
8f:d2:0d:a6:e9:f9:ba:e9:0d:0c:1a:9e:b2:8e:c9:
70:2e:ef:1e:05:7d:95:eb:2d:8d:a2:a9:4d:b3:9c:
e7:f3:19:36:bb:a7:f1:7c:e6:08:1e:61:27:44:7a:
96:f4:a8:34:db:e2:42:c8:a5:db:37:d5:b5:e7:e4:
42:72:3f:b4:13:cf:8b:07:24:45:1e:8c:91:83:46:
b9:09:a6:fc:18:a3:06:02:ec:34:8d:32:66:95:27:
ea:e1:97:e8:db:35:a3:2b:56:eb:57:e8:f0:10:59:
df:6d:70:0c:66:6a:d0:64:e5:a8:a3:98:31:ad:1d:
62:d5:fa:92:e3:9a:43:cd:2d:35:fb:d9:9e:33:5b:
45:7d:c4:86:28:2c:66:12:c8:db:0f:19:30:0d:3f:
e9:f0:ea:4a:5e:40:07:c7:f6:20:7a:53:78:81:64:
7a:7e:45:6a:16:6f:f4:93:58:c9:62:fb:29:27:7d:
a1:7f:21:ce:e7:4f:47:d6:8a:56:e0:e3:66:f8:ec:
dd:89:dc:26:8c:19:68:3b:8d:8b:e2:fb:47:23:0b:
7f:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
X509v3 Subject Key Identifier:
1E:05:A3:77:8F:6C:96:E2:5B:87:4B:A6:B4:86:AC:71:00:0C:E7:38
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
Authority Information Access:
CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
OCSP - URI:http://ocsp.usertrust.com
Signature Algorithm: sha384WithRSAEncryption
2d:11:06:38:d6:db:d7:58:68:af:aa:38:67:17:8d:e2:13:d7:
a3:14:24:d9:06:13:eb:eb:91:2f:df:4f:67:2d:c8:d3:14:d7:
56:65:52:9e:6e:1f:98:08:8e:9a:48:1b:c1:8b:59:9a:a3:57:
9b:db:86:f8:59:40:fc:19:b0:75:11:2a:c2:12:36:ba:8e:72:
8a:06:4e:27:b7:8d:58:14:d1:6f:b4:f9:68:fc:98:dd:a4:9c:
25:40:36:de:bd:17:66:2b:03:7f:78:81:b1:80:74:9e:5f:3a:
b4:26:2f:6a:48:84:36:34:8e:a7:28:ef:87:f3:61:e7:db:67:
f5:52:db:d7:d1:e6:30:71:bb:8b:a3:d4:ff:b9:64:89:9e:9b:
81:9b:8f:57:b8:64:4c:d5:06:19:8e:e7:91:85:7c:18:d1:89:
d8:f6:ea:1d:68:14:11:d9:ee:17:83:1f:50:63:cf:0e:f6:86:
2a:6e:e3:b1:a4:c9:fa:f6:34:4c:77:2a:80:86:30:b0:a3:dc:
1b:71:ec:04:a7:e4:98:bc:16:85:3e:84:26:b3:c0:e5:35:55:
7e:79:98:a3:d4:d4:8d:b6:e7:42:e8:44:20:12:37:5f:09:c9:
fb:03:e4:f5:65:74:96:ed:ca:b9:b3:f6:09:ff:4c:a6:d1:5d:
3a:fc:d1:4d:aa:e4:98:72:be:38:4b:7f:89:4e:26:8f:d4:cc:
be:56:09:71:03:4a:6c:a3:e2:35:86:dd:1e:d9:f1:31:03:f7:
13:4d:0b:11:81:31:79:cc:7a:d7:be:dc:fb:f3:76:1b:2c:bd:
b3:91:0f:00:59:07:2a:20:43:dc:4b:d8:b5:19:14:8f:e2:7a:
84:29:d1:43:3f:2f:cc:df:3f:9d:bb:bd:68:c4:ce:e0:cd:e7:
1c:31:32:78:62:fa:f0:93:a2:1e:c9:d7:9f:68:e5:a8:76:f6:
63:fe:68:99:ef:ba:36:d7:12:71:9a:9e:b3:71:1f:3b:be:00:
63:9e:3d:5f:21:c2:b1:86:1b:b8:4e:21:c3:c3:43:09:2e:63:
0c:cd:ff:14:f6:f6:22:e9:fd:ca:9f:f5:98:44:b6:41:9c:41:
c2:08:98:7d:db:a0:9f:22:7e:c0:a7:49:bb:b4:18:1f:4b:d3:
a6:2a:87:b9:5c:ca:f2:83:4c:40:03:b2:52:1a:79:21:08:37:
18:4e:d9:8d:5f:99:c6:05:5f:f1:6a:ae:ba:75:5a:78:47:3a:
3a:65:5e:e5:c4:d0:e3:da:d2:eb:5a:28:2d:b9:02:99:60:a2:
6f:3c:2f:66:7c:98:45:9c:c9:fa:01:ef:32:8e:7c:3e:f9:f4:
03:7b:24:a6:56:09:8c:24

In the upper part, the Subject of the root certificate, and in the lower part, the Issuer of the intermediate certificate, are both:

/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

The key identifiers agree as well: the intermediate's Authority Key Identifier (keyid 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB) is the root's Subject Key Identifier, so the two can be treated as matching. One thing to be aware of in the intermediate's output: its Authority Information Access still points to USERTrustRSAAddTrustCA.crt, which is the USERTrust cross-certificate issued by AddTrust, i.e. the very certificate that expired. A client that follows that URL to complete the chain fetches the expired certificate, which is why the bundle has to supply the self-signed root itself rather than rely on AIA fetching. Finally, verify the original end-entity (server) certificate against the CA bundle.

$ openssl verify -CAfile full.crt cert.crt
cert.crt: OK

The output is OK, so verification passes. If the server certificate's Issuer does not match the intermediate's Subject, verify reports "unable to get local issuer certificate" instead; in that case a different intermediate is needed in the bundle.
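The following is an added example, not part of the original post or of Sectigo's material. It reproduces the situation in Figures 1 and 2 and the verification step above with a throw-away PKI that openssl generates locally, so it runs offline without downloading anything. "Demo AddTrust Root", "Demo USERTrust Root", "Demo Intermediate CA" and www.example.test are constructed names; the cross-certificate is given a one-day lifetime, and openssl verify -attime is used to evaluate the chains as of a date after it has expired instead of waiting for that to happen.

```sh
#!/bin/sh
# Added demo (not from the original post): rebuild the AddTrust/USERTrust situation
# with a throw-away PKI, then show why a chain that runs through an expired
# cross-certificate fails while a chain rooted at the self-signed new root still
# verifies. All names, keys and files below are constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles (own config file, so the system openssl.cnf is not needed).
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

genkey() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# self_signed <key> <CN> <days> <out>: a self-signed root
self_signed() {
  openssl req -x509 -new -key "$1" -subj "/CN=$2" -days "$3" \
    -config ext.cnf -extensions root_ca -out "$4" 2>/dev/null
}

# issue <key> <CN> <issuer-crt> <issuer-key> <ext-section> <days> <out>: CSR + signing
issue() {
  openssl req -new -key "$1" -subj "/CN=$2" -config ext.cnf -out "$7.csr" 2>/dev/null
  openssl x509 -req -in "$7.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days "$6" -extfile ext.cnf -extensions "$5" -out "$7" 2>/dev/null
}

genkey old_root.key; genkey new_root.key; genkey int.key; genkey leaf.key

# Stand-in for AddTrust External CA Root (long-lived here; the real one ended 2020-05-30).
self_signed old_root.key "Demo AddTrust Root" 3650 old_root.crt
# Stand-in for USERTrust RSA Certification Authority: the SAME key and subject in two certs,
#   new_root.crt = self-signed, long-lived (the one to put in the trust store)
#   cross.crt    = cross-signed by the legacy root, expires tomorrow (the one that broke chains)
self_signed new_root.key "Demo USERTrust Root" 3650 new_root.crt
issue new_root.key "Demo USERTrust Root" old_root.crt old_root.key root_ca 1 cross.crt
# Issuing CA (plays the role of InCommon RSA Server CA) and the server certificate.
issue int.key "Demo Intermediate CA" new_root.crt new_root.key int_ca 1825 int.crt
issue leaf.key "www.example.test" int.crt int.key leaf 365 leaf.crt

cat int.crt cross.crt > legacy_chain.pem   # what servers used to send (Figure 1)
cat int.crt > new_chain.pem                # what they should send now (Figure 2)
NOW=$(date +%s); LATER=$((NOW + 3 * 86400))   # three days on, cross.crt has expired

# verify_at <epoch> <trusted-root> <untrusted-chain> <leaf>  -> prints OK | EXPIRED | FAIL
verify_at() {
  out=$(openssl verify -attime "$1" -CAfile "$2" -untrusted "$3" "$4" 2>&1) && { echo OK; return 0; }
  case "$out" in *expired*) echo EXPIRED ;; *) echo FAIL ;; esac
}

# Picking the right intermediate: its Subject must equal the leaf's Issuer.
openssl x509 -in leaf.crt -noout -issuer
openssl x509 -in int.crt -noout -subject
# The cross-certificate and the self-signed root carry the same subject but different lifetimes.
openssl x509 -in cross.crt -noout -subject -enddate
openssl x509 -in new_root.crt -noout -subject -enddate

echo "legacy chain, trust=old root, today:     $(verify_at "$NOW"   old_root.crt legacy_chain.pem leaf.crt)"
echo "legacy chain, trust=old root, in 3 days: $(verify_at "$LATER" old_root.crt legacy_chain.pem leaf.crt)"
echo "new chain,    trust=new root, in 3 days: $(verify_at "$LATER" new_root.crt new_chain.pem    leaf.crt)"
```

The three verify lines are the whole story: the legacy chain verifies today, fails with "certificate has expired" once the cross-certificate's one-day lifetime has passed, and the chain that stops at the self-signed new root keeps verifying at the same later date. The -untrusted file plays the role of full.crt above; note that it carries the intermediate only, and the root goes into the trust store (-CAfile), which is the split a production deployment should also make.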

This article addresses users of Sectigo (formerly Comodo CA) certificates hit by the expiry of the AddTrust root certificate. Because the end-entity certificate itself has not expired and remains valid, there is no need to reissue it: replacing the root certificate with the new self-signed USERTrust root (in the trust store on the client side, and in the chain the server sends, which must no longer include the AddTrust cross-certificate) resolves the problem. We hope this article helps those who have recently run into this issue.

If you need project development or technical support, fill in the contact form to reach us:
https://bit.ly/blog-contact-Cloud-Ace

References:

support.sectigo.com (n.d.). Sectigo Knowledge Base. [online] Available at: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO [Accessed 1 Jun. 2020].

spaces.at.internet2.edu (n.d.). InCommon Cert Types - InCommon Certificate Service - Internet2 Wiki. [online] Available at: https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types [Accessed 1 Jun. 2020].

calnetweb.berkeley.edu (n.d.). AddTrust External Root Expiration May 2020 | CalNet - Identity and Access Management. [online] Available at: https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 [Accessed 1 Jun. 2020].

Steenis, S. van (2018). Get your certificate chain right. [online] Medium. Available at: https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce [Accessed 3 Jun. 2020].

Solution Architect

Cloud Ace solution architect, helping enterprises move to the cloud.