ICA Revocations and Remediation Steps

Important Notification

The Certificate Authority (CA) industry was alerted to a compliance problem caused by the inclusion of a specific extension (the OCSP-signing extended key usage, id-kp-OCSPSigning) in CA certificates, which under certain conditions has unintended compliance and security implications. A number of GlobalSign Issuing CAs are affected by this issue. While no key compromise or security incident has taken place, we will be revoking these Issuing CAs as part of our remediation plan, in accordance with the CA/Browser Forum Baseline Requirements and the GlobalSign CPS. Once an Intermediate Certificate is revoked, validation of the Certificates signed by that Intermediate Certificate can fail.

To avoid any possible disruptions, please view the chart below to determine whether you have Certificates that may be impacted, and follow the Action Items/Recommendations:

ACTION ITEMS:

  • You may be required to reissue and reinstall Certificates because of the issue outlined above.
  • Please see the list of products below that are impacted, with the remediation steps, timelines and guidance per product.
  • Please do not reissue any PersonalSign Certificates until the Issuing CA has been replaced on 11 Nov 2020.

REMEDIATION STEPS:

Using the chart below, determine whether you have any Certificates (by product type) that may be impacted by the upcoming revocations. Then follow these 3 steps:

  1. Search for impacted Certificate(s) in your GCC Account by product type - Step 1) below
  2. Reissue any impacted Certificate(s) - Step 2) below
  3. Reinstall the new Certificate - Step 3) below
Product Type / Affected Certificates / Reissue Deadline (Recommended)

*See Step 1) for instructions on how to pull a list of impacted Certificates in your GCC Account.
*Avoid disruptions and outages by reissuing and reinstalling at least 1 week prior to the revocation date of the Issuing CA. The Issuing CAs are revoked between December 2020 and February 2021; the recommended reissue deadline per product is listed below.
For each product, the three guides are: STEP 1) Search For Impacted Certificates, STEP 2) Reissue Certificates Guide, STEP 3) Install New Certificate.

AATL – PDF / Document Signing
  • Affected Certificates: AATL Certificates issued before 14 Oct 2020 and expiring after 21 Jan 2021
  • Reissue Deadline (Recommended): 31 Dec 2020

Domain Validated SSL (DV SSL)
  • Affected Certificates: DV SSL Certificates issued before 15 Aug 2020 and expiring after 31 Dec 2020
  • Reissue Deadline (Recommended): 21 Jan 2021

PersonalSign 1, 2, 2 Pro and 2 Department
  • Affected Certificates: PersonalSign Certificates issued before 12 Nov 2020 and expiring after 24 Feb 2021
  • Reissue Deadline (Recommended): 24 Feb 2021

ePKI PersonalSign 2 PRO – NAESB Certificates
  • Affected Certificates: ePKI Pro Certificates issued before 28 Oct 2020 and expiring after 24 Feb 2021
  • Reissue Deadline (Recommended): 24 Feb 2021
General FAQs

Why do Certificates have to be reissued?

For compliance reasons, GlobalSign had to stop using a number of Intermediate Certificates (more specifically, Intermediate Certificate Authorities, ICAs) to issue Certificates to customers. These discontinued Intermediate Certificates will be revoked between December 2020 and February 2021; see the specific deadlines in the chart above. Revoking an Intermediate Certificate breaks validation of the Certificates issued under it, so those Certificates stop working as intended.

Is there a more specific, technical explanation?

The extension in question is an Extended Key Usage (EKU) value, id-kp-OCSPSigning, not a Key Usage bit. Under RFC 6960 (section 4.2.2.2), a certificate issued directly by a CA and carrying this EKU is accepted by relying parties as a delegated OCSP responder for that CA. An Issuing CA certificate that carries it could therefore sign OCSP responses on behalf of its parent CA, that is, it could assert the validity status of itself and of any other Issuing CA or Certificate issued by the same parent, and a relying party would accept those responses.

Is there an immediate security risk?

No. No key compromise or security incident has taken place; the change is performed solely to remediate a compliance issue and to address a potential, unmaterialized security risk.

Which products are impacted?

The following GlobalSign products are affected:

  • Domain Validated SSL Certificates
  • AATL Document Signing Certificates
  • PersonalSign Certificates (Individual Order and ePKI orders): PersonalSign 1, PersonalSign 2, PersonalSign2 Pro (including NAESB ePKI Pro Certificates) and PersonalSign 2 Department Certificates.

Specific Certificates that are impacted:

  • All Domain Validated SSL Certificates issued before 15 Aug 2020 and expiring after 31 Dec 2020
  • All AATL Document Signing Certificates issued before 14 Oct 2020 and expiring after 21 Jan 2021
  • All PersonalSign 1, PersonalSign 2, PersonalSign 2 Pro and PersonalSign 2 Department Certificates issued before 12 Nov 2020 and expiring after 24 Feb 2021
  • All PersonalSign 2 Pro NAESB Certificates issued before 28 Oct 2020 and expiring after 24 Feb 2021

What needs to be done?

  • Affected Certificates have to be reissued before the revocation dates.
  • Reissuing generates a new copy of the Certificate with the same expiration date and the same subject information, signed by the new Intermediate Certificate.
  • Reissuing a Certificate is FREE OF CHARGE.
  • The reissued Certificate then has to be installed in place of the older version of the Certificate.
  • The reissued Certificate is delivered together with the new Intermediate Certificates, which are installed along with it; make sure the server or application serves the new intermediate and not the old one.
  • For advanced use cases, you can obtain the new ICAs at this page: https://support.globalsign.com/ca-certificates/intermediate-certificates
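The following is an added example, not code from GlobalSign or from this page. It exercises two of the FAQ points above with OpenSSL in a throwaway PKI: the technical explanation (an issuing CA certificate carrying id-kp-OCSPSigning is accepted as a delegated OCSP responder for its parent, so it can sign a status for a sibling CA) and the reissue step (the same key and subject signed by the new intermediate, after which the chain must verify against the intermediate that is actually served). Every name, serial, date and file path in it is constructed for the demo; the `audit_ca_cert` check is a local approximation of what to look for in an intermediate you hold and does not replace the GCC report from Step 1. It assumes an `openssl` binary, 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not GlobalSign's code. Builds a throwaway PKI in a temp dir
# (every name, serial and date below is constructed for the demo) and runs
# the checks a practitioner would want around this advisory.
set -e
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ica_with_ocsp_eku ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, OCSPSigning
[ ica_clean ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

mkcsr() { # name subject -> $WORK/name.key, $WORK/name.csr
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
mkcert() { # csr-name signer-name serial ext-section out-name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -set_serial "$3" -days 365 -extfile "$CNF" -extensions "$4" -out "$WORK/$5.pem" 2>/dev/null
}

# Root, the misissued issuing CA (carries id-kp-OCSPSigning), its clean
# replacement, a leaf issued by the old ICA, and the same leaf reissued by the
# replacement: same key and subject, new signer, as the FAQ describes.
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj "/CN=Demo Root" -days 3650 -extensions root 2>/dev/null
mkcsr ica_old "/CN=Demo Issuing CA G1"; mkcert ica_old root 0x1001 ica_with_ocsp_eku ica_old
mkcsr ica_new "/CN=Demo Issuing CA G2"; mkcert ica_new root 0x1002 ica_clean ica_new
mkcsr leaf "/CN=www.example.test"
mkcert leaf ica_old 0x2001 leaf leaf_old
mkcert leaf ica_new 0x2002 leaf leaf_new

# Step 1 style check: a CA certificate that also lists id-kp-OCSPSigning
# ("OCSP Signing" in OpenSSL's text output) is the condition the FAQ describes.
audit_ca_cert() { # cert.pem -> AFFECTED|ok
  text=$(openssl x509 -in "$1" -noout -text)
  if echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q 'OCSP Signing'
  then echo AFFECTED; else echo ok; fi
}

# The abuse path from the FAQ: an issuing CA signs an OCSP response about a
# sibling CA under the same parent. The index marks the sibling "good"; the
# point is whether a relying party accepts a status the sibling's peer signed.
sign_ocsp_response() { # responder-name target-name out.der
  serial=$(openssl x509 -in "$WORK/$2.pem" -noout -serial | sed 's/^serial=//')
  printf 'V\t301231235959Z\t\t%s\tunknown\t/CN=target\n' "$serial" > "$WORK/index.txt"
  openssl ocsp -issuer "$WORK/root.pem" -cert "$WORK/$2.pem" -no_nonce -reqout "$WORK/req.der" >/dev/null
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/root.pem" -rsigner "$WORK/$1.pem" \
      -rkey "$WORK/$1.key" -reqin "$WORK/req.der" -respout "$3" -noverify >/dev/null
}
check_ocsp_response() { # resp.der target-name -> accepted|rejected (trusting only the root)
  out=$(openssl ocsp -respin "$1" -issuer "$WORK/root.pem" -cert "$WORK/$2.pem" \
        -CAfile "$WORK/root.pem" -no_nonce 2>&1 || true)
  case "$out" in *"Response verify OK"*) echo accepted ;; *) echo rejected ;; esac
}

# Step 3 check: the leaf must chain through the intermediate actually served.
verify_chain() { # leaf-name intermediate-name -> verified|failed
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
  then echo verified; else echo failed; fi
}

sign_ocsp_response ica_old ica_new "$WORK/resp_from_old.der"
sign_ocsp_response ica_new ica_old "$WORK/resp_from_new.der"
echo "old ICA audit:                $(audit_ca_cert "$WORK/ica_old.pem")"                    # AFFECTED
echo "new ICA audit:                $(audit_ca_cert "$WORK/ica_new.pem")"                    # ok
echo "sibling status signed by old: $(check_ocsp_response "$WORK/resp_from_old.der" ica_new)" # accepted
echo "sibling status signed by new: $(check_ocsp_response "$WORK/resp_from_new.der" ica_old)" # rejected
echo "old leaf via new ICA:         $(verify_chain leaf_old ica_new)"                        # failed
echo "reissued leaf via new ICA:    $(verify_chain leaf_new ica_new)"                        # verified
```

Run the same functions against copies of your own material: `audit_ca_cert` on the intermediate in your chain file tells you whether that intermediate carries the EKU, and `verify_chain` on the reissued leaf confirms the new intermediate is the one in place. The OCSP half shows why the EKU matters even without any key compromise: OpenSSL accepts the old ICA's response about its sibling because RFC 6960 treats a certificate issued by the parent CA and carrying id-kp-OCSPSigning as an authorized responder for that parent, while the identical response signed by the replacement ICA is rejected.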

What are the deadlines for reissuance per product type?

  • All Domain Validated SSL Certificates have to be reissued before: 21 Jan 2021
  • All AATL Document Signing Certificates have to be reissued before: 31 Dec 2020
  • All PersonalSign 1, PersonalSign 2, PersonalSign 2 Pro and PersonalSign 2 Department Certificates have to be reissued before: 24 Feb 2021
  • All PersonalSign 2 Pro NAESB Certificates have to be reissued before: 24 Feb 2021

How are customers being contacted?

  • GlobalSign will send various email communications and reminders to the Administrator and Manager contacts listed in your Account.
  • We encourage customers to pull reports to determine which Certificates are impacted (even if you do not receive the email communications).

What happens if a Certificate isn't reissued before the Revocation date? What's the impact of the revocation event?

Once the revocation takes place, Certificates issued under the revoked Intermediate Certificate cannot be guaranteed to function as intended and will most likely be treated as invalid/distrusted.
Important Note: Revocation dates can NOT be postponed, extended or delayed.

Is there any other option for Certificate replacement besides reissuing Certificates?

  • Certificates may be renewed rather than reissued. The renewal option only becomes available 90 days before a Certificate expires (30 days for DV SSL), so renewing before the revocation date is only possible when the Certificate expires no more than 90 days (30 days for DV SSL) after that date.
    • Renewal is equivalent to issuing a new Certificate with a new validity period and is therefore not free of charge. All usual terms for Certificate renewal apply.
  • Certificates that were issued with a validity period of more than 825 days can no longer be reissued. To replace these Certificates, either renew them or place a new order.

Related Articles

  • GlobalSign System Alerts: view recent system alerts.
  • Certificate Inventory Tool: scan your endpoints to locate all of your Certificates.
  • SSL Configuration Test: check your certificate installation for SSL issues and vulnerabilities.