OCSP Revocation errors FAQ

Sep 14, 2021

OCSP Revocation errors FAQ

Do I need to change my ICA (intermediate) back to the previous one later on?

No you do not, you can keep the existing intermediate certificate installed and do not need to switch back at a later date. 

Do I need to reissue all my GlobalSign certificates?

No you do not, in fact you do not need to reissue at all, simply follow the process guide here to replace the ICA (intermediate certificate). For some platforms, such as Tomcat however a reissue might be a more straight forward route. 

I've got a SHA1 certificate, will the same process work for me?

You will need to reissue your certificate to SHA2 and follow the troubleshooting guide. 

What cache am I supposed to be flushing?

As an end user you may need to clear the CRL & OCSP cache on your local machine/browser if presented with an affected certificate. This can be done easily by following the instructions here, the CRL & OCSP cache is slightly different to that of your browser. 

When are the Alpha SSL and Cloud SSL ICA's (intermediates) being delivered?

We are actively working to deliver these ICA's (intermediates) as we speak, and are hoping to have them ready within several hours (from 21:45 UTC). Update: You can now retrieve these from the troubleshooting guide 

I can't seem to apply the fix on IIS, what else can I try?

As an alternate method for IIS, first remove the "GlobalSign Domain Validation CA - SHA256 -G2" (with an expiration year of 2024) from the systems store then export your GlobalSign certificate (making sure to select "Export private key" and deselect "include all certificates in chain if possible"). Once exported remove the end entity certificate from your systems store. Import the new intermediate (with an expiration year of 2022) sourced in the troubleshooting guide then import and install the previously exported .pfx file. You may need to do a server restart for the changes to take effect.