ICA Revocations and Remediation Steps

Important Notification

The Certificate Authority (CA) industry was alerted to compliance implications related to the inclusion of a specific extension (OCSP-signing extended key usage) in CA certificates, which under certain conditions has unintended compliance and security implications. A number of GlobalSign Issuing CAs have been impacted by this issue. While no key compromise or security incident has taken place, we will be revoking these Issuing CAs as part of our remediation plan in accordance with the CA/B Forum Baseline Requirements and the GlobalSign CPS. Revoked intermediate certificates can cause errors in the validation of certificates signed by these Intermediate Certificates.

To avoid any possible disruptions, please view the chart below to determine if you have Certificates that may be impacted and follow the Action Items / Recommendations:

ACTION ITEMS:

  • You may be required to re-issue and re-install Certificates due to the incident outlined above.
  • Please see the list of products below that have been impacted and the remediation steps, timelines and guidance per product.
  • Important Note: Some of the ICAs have already been revoked, as noted in the chart below in red. You can still proceed with reissuing your certificates after the revocation date, to remediate any distrust issues.

REMEDIATION STEPS:

Using the chart below, determine if you have any Certificates (by product type) that may be impacted by the upcoming revocations. Then follow these 3 steps:

  1. Search for impacted Certificate(s) in your GCC Account by product type - Step 1) below
  2. Reissue any impacted Certificate(s) - Step 2) below
  3. Reinstall the new Certificate - Step 3) below

*Affected Certificates: Please see Step 1) for instructions on how to pull a list of impacted Certificates in your GCC Account.
*Reissue Deadline (Recommended): Avoid disruptions and outages by reissuing and reinstalling at least 1 week prior to the revocation date (recommended dates below).

| Product Type | Affected Certificates | Reissue Deadline (Recommended) | Issuing CA Revocation Date |
|---|---|---|---|
| AATL – PDF / Document Signing | AATL Certificates issued before: 14 Oct 2020 and expiring after 31 Dec 2020 | 24 Dec 2020 | 31 Dec 2020 (NOTE: Revocation complete) |
| Domain Validated SSL (DV SSL) | DV SSL issued before: 15 Aug 2020 and expiring after: 21 Jan 2021 | 14 Jan 2021 | 21 Jan 2021 (NOTE: Revocation complete) |
| PersonalSign 1, 2, 2 Pro and 2 Department | PersonalSign Certificates issued before: 12 Nov 2020 and expiring after 24 Feb 2021 | 17 Feb 2021 | 24 Feb 2021 |
| ePKI PersonalSign 2 PRO – NAESB Certificates | ePKI Pro Certificate issued before: 28 Oct 2020 and expiring after 24 Feb 2021 | 17 Feb 2021 | 24 Feb 2021 |
| PersonalSign 3 Pro | PersonalSign 3 Pro Certificates issued before: 10 December 2020 and expiring after: 24 Feb 2021 | 17 Feb 2021 | 24 Feb 2021 |

STEP 1) Search For Impacted Certificates
STEP 2) Reissue Certificates Guide
STEP 3) Install New Certificate

How to search for individual PersonalSign Orders

Note: Belgian and Dutch residents will not have access to their own account to check impacted Certificates. Please refer to step 2.

For Belgian and Dutch Residents: Please make a manual request to support@globalsign.com, with a subject line formatted as "PersonalSign 3 Pro - Request for Reissue".

If you are a resident of another country, you will have received credentials to your own GlobalSign account. You should be able to log in and use the following steps to reissue your Certificate: Reissue Client Digital Certificates

NOTE: Customers who need to install Certificate bundles should check this link:
https://support.globalsign.com/ca-certificates/root-certificates/root-intermediate-certificate-bundles

General FAQs

Why do Certificates have to be reissued?

For compliance reasons, GlobalSign had to discontinue use of a number of Intermediate Certificates (more specifically, Intermediate Certificate Authorities) to issue Certificates to customers. These discontinued Intermediate Certificates have to be revoked starting December 2020 through February 2021. See the specific deadlines in the chart above. Revocation of Intermediate Certificates can lead to complications with the validation of Digital Certificates, impacting their validity and intended functionalities.

Is there a more specific, technical explanation?

The inclusion of a certain "Extended Key Usage" value (id-kp-OCSPSigning) in an issuing CA Certificate would effectively allow that issuing CA to also act in the role of a delegated OCSP responder for the parent CA. This could be abused to manipulate the validity status of the issuing CA itself and of the other issuing CAs and Certificates that share the same parent.
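
The condition described above can be checked mechanically when auditing a chain. This is an added example, not GlobalSign code: a standard-library Python check that flags a DER certificate which is a CA (basicConstraints cA) and also lists id-kp-OCSPSigning in its Extended Key Usage. The function names are illustrative and the sample certificate is a constructed, unsigned skeleton.

```python
OCSP_SIGNING = bytes.fromhex("2b06010505070309")   # id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9
SERVER_AUTH = bytes.fromhex("2b06010505070301")    # id-kp-serverAuth, 1.3.6.1.5.5.7.3.1
EXT_KEY_USAGE = bytes.fromhex("551d25")            # extKeyUsage, 2.5.29.37
BASIC_CONSTRAINTS = bytes.fromhex("551d13")        # basicConstraints, 2.5.29.19

def children(buf):
    """Split DER bytes into a list of (tag, value) for each top-level TLV."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def extensions(cert_der):
    """Map extnID -> extnValue contents for a DER X.509 v3 certificate."""
    tbs = children(children(cert_der)[0][1])[0][1]
    for tag, val in children(tbs):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            exts = (children(e) for _, e in children(children(val)[0][1]))
            return {f[0][1]: f[-1][1] for f in exts}
    return {}

def is_ca_with_ocsp_signing(cert_der):
    """True when a CA certificate also lists id-kp-OCSPSigning in its EKU."""
    exts = extensions(cert_der)
    bc, eku = exts.get(BASIC_CONSTRAINTS), exts.get(EXT_KEY_USAGE)
    if bc is None or eku is None:
        return False
    is_ca = any(t == 0x01 and v != b"\x00" for t, v in children(children(bc)[0][1]))
    purposes = [v for t, v in children(children(eku)[0][1]) if t == 0x06]
    return is_ca and OCSP_SIGNING in purposes

def der(tag, *parts):                              # sample encoder, short lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(is_ca, purposes):
    """Constructed, unsigned certificate skeleton: version plus two extensions."""
    def ext(oid, value):
        return der(0x30, der(0x06, oid), der(0x04, value))
    bc = der(0x30, der(0x01, b"\xff") if is_ca else b"")
    eku = der(0x30, *(der(0x06, p) for p in purposes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")),
              der(0xA3, der(0x30, ext(BASIC_CONSTRAINTS, bc), ext(EXT_KEY_USAGE, eku))))
    return der(0x30, tbs)
```

A PEM certificate can be converted with `ssl.PEM_cert_to_DER_cert` before being passed to `is_ca_with_ocsp_signing`.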

Is there an immediate security risk?

No. No key compromise or security incident has taken place. The change is performed solely in the context of remediating a compliance issue and addressing any potential, unmaterialized security risk.

Which products are impacted?

The following GlobalSign products are affected:

  • Domain Validated SSL Certificates
  • AATL Document Signing Certificates
  • PersonalSign Certificates (Individual Order and ePKI orders): PersonalSign 1, PersonalSign 2, PersonalSign 2 Pro (including NAESB ePKI Pro Certificates) and PersonalSign 2 Department Certificates.

Specific Certificates that are impacted:

  • All Domain Validated SSL Certificates issued before: 15 Aug 2020 and expiring after 31 Dec 2020
  • All AATL Document Signing Certificates issued before: 14 Oct 2020 and expiring after: 21 Jan 2021
  • All PersonalSign 1, PersonalSign 2, PersonalSign 2 Pro and PersonalSign 2 Department Certificates issued before: 12 Nov 2020 and expiring after 24 Feb 2021
  • All PersonalSign 2 Pro NAESB Certificates issued before: 28 Oct 2020 and expiring after 24 Feb 2021

What needs to be done?

  • Affected Certificates have to be reissued before the revocation dates.
  • This means that a new copy of the Certificate will be generated with the same expiration date and same subject information but signed by the new Intermediate Certificates.
  • Reissuing Certificates is FREE OF CHARGE.
  • Reissued Certificates then have to be installed to replace the older version of the Certificate.
  • When you reissue a Certificate, the new Intermediate Certificates will automatically install when the Certificate is installed.
  • For advanced use cases, you can obtain the new ICAs at this page: https://support.globalsign.com/ca-certificates/intermediate-certificates

What are the deadlines for reissuance per product type?

  • All Domain Validated SSL Certificates have to be reissued before: 21 Jan 2021
  • All AATL Document Signing Certificates have to be reissued before: 31 Dec 2020
  • All PersonalSign 1, PersonalSign 2, PersonalSign 2 Pro and PersonalSign 2 Department Certificates have to be reissued before: 24 Feb 2021
  • All PersonalSign 2 Pro NAESB Certificates have to be reissued before: 24 Feb 2021

How are customers being contacted?

  • GlobalSign will send various email communications and reminders to the Administrator and Manager contacts listed in your Account.
  • We encourage customers to pull reports to determine which Certificates are impacted (even if you do not receive the email communications).

What happens if a Certificate isn't reissued before the Revocation date? What's the impact of the revocation event?

Once the revocation event takes place, Certificates cannot be guaranteed to function as intended and will most likely appear as invalid / distrusted.
Important Note: Revocation dates can NOT be postponed, extended or delayed.

Is there any other option for Certificate replacement besides reissuing Certificates?

  • Certificates may be renewed rather than reissued. To do so, however, their expiration date may not be more than 90 days away from the revocation date (30 days for DV SSL), because the option to renew Certificates only becomes available within that window.
    • The renewal of Certificates is equivalent to issuing a new Certificate with new validity, and is therefore not free of cost. All usual terms for Certificate renewal apply.
  • Certificates that have been issued with a validity period of more than 825 days cannot be reissued anymore. To replace these Certificates, they have to be either renewed or a new order has to be placed.

Why was the validity of my 2 year DV SSL/TLS certificate shortened after reissuing?

GlobalSign can no longer issue publicly trusted SSL/TLS Certificates with validity periods greater than 397 days due to changes in Apple and Google Root Store Policies, effective September 1, 2020.

When you reissue a prior 2-year TLS order after September 1, 2020, we are required to limit the validity to 397 days. You can reissue the Certificate again in the future (free of charge) to re-claim the original / remaining validity. For more information please view our Support Article here – specifically the FAQ titled:

- What happens when I reissue an existing 2-year TLS/SSL Certificate after this change goes into effect?

Why did my Client Certificate order (i.e. PersonalSign / Code Signing / AATL) get automatically canceled before I had the chance to download/install it (after 7 or 30 days)?

Your reissued Client Certificate (PersonalSign, Code Signing, AATL) will be automatically canceled if it is not downloaded/installed within 7 days for Individual orders or 30 days for Enterprise PKI orders. To resolve this issue, you will need to locate the original order number and reissue the certificate again. Please download / pick up the certificate within the recommended timeframe above to avoid the auto-cancelation in the future.
