
Finding expired CA Certificates

We found that our MWG blocks https://t4.ftcdn.net/ by expired CA Certificates...

I've tested the site with SSL Server Test: t4.ftcdn.net (Powered by Qualys SSL Labs) -> No error

I tried to find the expired CA Certificate manually, but I found none either.

Here is the chain I found manually:

*.b.ssl.fastly.net

GlobalSign Organization Validation CA (valid until 20.02.2024)

GlobalSign Root CA (valid until 28.1.2028)

Is there any way to find the reason why this URL is blocked by the expired CA Certificates property?

Frank

McAfee Employee

Re: Finding expired CA Certificates

Hi Frank,

I have checked with a default MWG and I can reach the URL without a problem. Do you use the McAfee Maintained CA list or do you have your own list of CAs?

This might happen if there is a CA that expires, but the CA owner issues a new CA certificate with a new expiration date but all other details remain. So you have two CA certificates that look identical, but in MWG you may have stored the old expired CA, so MWG uses this CA rather than the new one. In such a case you have to remove the expired CA and insert the new copy of the CA certificate. We had this in the past with a couple of certificates.

I have checked the McAfee Maintained CA list but I cannot find expired entries. That's why I ask if you use your own list.

Please let me know. Feel free to contact me via eMail (firstname dot lastname at intel dot com, in case you can't remember). I am happy to help sorting this out.

Best,

Andre


Re: Finding expired CA Certificates

You are right.... We used the old and subscribed list together. I removed the old one and now it works as expected.

Nevertheless, are there any ways to find the expired CA if there really is a problem with it?

McAfee Employee

Re: Finding expired CA Certificates

Hi Frank,

unfortunately that is not really easy. There are several problems that make identifying difficult:

- There is no property that will display the certificate that caused an incident

- There is no property that will show the complete certificate chain

- Depending on what certificates are in the local "CA store" you might get different chains when you access via MWG compared to a direct access with your browser

- In the lists we only refer to the names and the names are not unique

The good thing is that the McAfee Maintained list is checked for expired CAs on a daily basis and expired CAs are removed and/or replaced automatically. If they are replaced, access will simply work; if they are removed (because there is no successor), access will fail as "Untrusted Certificate", which means that:

- We will review and correct after submission

- You can browse to the site without MWG and manually add the missing CAs to your local list (MWG will not have incorrect expired certificates in its "CA store")

Note: If a CA is expired and there is no successor, the site owner will likely have switched to a different certificate signed by another CA.

Best,

Andre
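
Added example, not part of the original thread and not McAfee code: one way to audit a custom CA list outside MWG for the case described in the replies above, an expired CA certificate stored next to a renewed one with the same name. It assumes the custom CA certificates are available as a PEM file; the function names and the sample entries are constructed for illustration, and only Python's standard `ssl` module is used.

```python
import ssl
import time
from collections import defaultdict

def load_bundle(pem_path):
    """Parse a PEM file of CA certificates into ssl.get_ca_certs() dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()

def subject_name(cert):
    """Flatten the nested subject tuples into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for rdn in cert["subject"] for k, v in rdn)

def audit(certs, now=None):
    """Return (expired, shadowed) for a list of get_ca_certs()-style dicts.

    expired:  (subject, serialNumber, notAfter) for every entry past notAfter
    shadowed: subjects stored both as an expired and as a still-valid copy
    """
    now = time.time() if now is None else now
    groups = defaultdict(lambda: {"expired": [], "valid": []})
    for cert in certs:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        groups[subject_name(cert)]["expired" if not_after < now else "valid"].append(cert)
    expired = [(name, c["serialNumber"], c["notAfter"])
               for name, g in groups.items() for c in g["expired"]]
    shadowed = sorted(n for n, g in groups.items() if g["expired"] and g["valid"])
    return expired, shadowed

def _entry(org, cn, serial, not_after):
    # Builds one constructed entry in the shape get_ca_certs() returns.
    return {"subject": ((("organizationName", org),), (("commonName", cn),)),
            "serialNumber": serial, "notAfter": not_after}

# Constructed sample data (not real certificates): one CA renewed under the
# same name, one expired CA without a successor, one unaffected CA.
SAMPLE = [
    _entry("Example Trust", "Example Root CA", "01", "Feb 20 10:00:00 2014 GMT"),
    _entry("Example Trust", "Example Root CA", "02", "Feb 20 10:00:00 2034 GMT"),
    _entry("Retired Org", "Retired CA", "0A", "Jun  1 00:00:00 2015 GMT"),
    _entry("Other Org", "Other CA", "0B", "Jan 28 12:00:00 2028 GMT"),
]
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2016 GMT")  # fixed for a repeatable run

if __name__ == "__main__":
    expired, shadowed = audit(SAMPLE, now=NOW)
    print("expired:", expired)
    print("expired copy next to a valid one:", shadowed)
```

For a real list, pass `load_bundle(path)` to `audit()` in place of `SAMPLE`; the serial number in each result is what tells two same-named copies apart.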
