frank_enser
Level 12

McAfee maintained list "Default Known Certificate Authorities": TrustCenter.de entries expired


Hi,

there are 5 certificate authorities on the McAfee maintained list "Default Known Certificate Authorities" called "TC TrustCenter GmbH" which are apparently no longer functional (as seen on their website TC TrustCenter GmbH). Their entries give me daily alerts like: "An operating system error exception occurred with error message : Connection timed out be because the centralized updater tried to connect to host www.trustcenter.de".

So is there a reason why they are not being removed?

Regards,

Frank

0 Kudos
1 Solution

Accepted Solutions
asabban
Level 17

Re: McAfee maintained list "Default Known Certificate Authorities": TrustCenter.de entries expired


Hi Frank,

TC TrustCenter will not generate any new certificates but it is likely that there are still existing certificates they have signed in the past in use. The root certificates have not yet expired but are still working and are still part of the certificate store of major browsers. If we drop support for those CAs we might affect some users who may lose access to websites they require, so removing the CA (unless expired) is not easy. Usually we wait until major browsers drop support for CAs which means all websites using those certificates become unusable for users without MWG - then we are safe to remove them too.

I have tried to access the CRL URLs of the certificates we have in the store and the links are still up and working fine. The only CRL we fetch from www.trustcenter.de (as mentioned in the error message you see) is the following:

http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl

I can access the link and download the CRL without a problem:

wget http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
--2015-03-16 12:11:26--  http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Resolving www.trustcenter.de (www.trustcenter.de)... 194.55.116.71
Connecting to www.trustcenter.de (www.trustcenter.de)|194.55.116.71|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 925 [application/x-pkcs7-crl]
Saving to: `tc_class_3_ca_II.crl'
100%[==================================================================================================>] 925         --.-K/s   in 0s
2015-03-16 12:11:26 (57.6 MB/s) - `tc_class_3_ca_II.crl' saved [925/925]

So all should be good with the link. You should not see those error messages as the server is still alive. Probably we need to look and find out why you cannot fetch the CRLs.

Best,

Andre

0 Kudos
frank_enser
Level 12

Re: McAfee maintained list "Default Known Certificate Authorities": TrustCenter.de entries expired


Hi Andre,

you're right, I can download the CRLs through the Web Gateway but not FROM the Web Gateways. So this must be an error at our firewalls.

Thanks!

Frank

0 Kudos
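The difference reported above (the CRL downloads through the Web Gateway but not from it) shows up when the fetch is run on the appliance's own network path and the failure mode is classified. This is an added example, not part of the original posts and not McAfee tooling; it assumes curl, openssl and GNU date on the host it runs from, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose a CRL fetch from the host this script runs on.
# Usage: sh crl_check.sh http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl

# Map a curl exit code to the likely cause of a failed CRL download.
classify_curl_rc() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "dns-failure" ;;
        7)  echo "connect-failed-or-rejected" ;;
        22) echo "http-error" ;;
        28) echo "timeout-likely-firewall-drop" ;;
        *)  echo "other-curl-error-$1" ;;
    esac
}

# Print the nextUpdate field of a CRL file (DER first, then PEM).
# Returns non-zero if the file is not a parseable CRL.
crl_next_update() {
    openssl crl -inform DER -in "$1" -noout -nextupdate 2>/dev/null ||
    openssl crl -inform PEM -in "$1" -noout -nextupdate 2>/dev/null
}

# Fetch the URL with short timeouts, then check that the result is a
# CRL whose nextUpdate has not passed.
check_crl_url() {
    url=$1
    tmp=$(mktemp) || return 2
    curl -sS -f --connect-timeout 10 --max-time 30 -o "$tmp" "$url"
    verdict=$(classify_curl_rc "$?")
    if [ "$verdict" != "ok" ]; then
        echo "FETCH FAILED ($verdict): $url"
        rm -f "$tmp"; return 1
    fi
    nu=$(crl_next_update "$tmp") || { echo "NOT A CRL: $url"; rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    nu=${nu#nextUpdate=}
    # Assumption: GNU date, which can parse the openssl timestamp format.
    if [ "$(date -d "$nu" +%s)" -lt "$(date +%s)" ]; then
        echo "STALE CRL (nextUpdate $nu): $url"; return 1
    fi
    echo "OK (nextUpdate $nu): $url"
}

if [ "$#" -gt 0 ]; then check_crl_url "$1"; fi
```

A `timeout-likely-firewall-drop` result on the gateway, with an `OK` result for the same URL from a client behind it, matches the "Connection timed out" alert in the original question.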
nathancc
Level 7

Re: McAfee maintained list "Default Known Certificate Authorities": TrustCenter.de entries expired


Hi!

I've been having that same issue for several days.

Did you manage to fix it? Was it really a firewall block?

Thanks!

My best regards,

Nathan

0 Kudos
frank_enser
Level 12

Re: McAfee maintained list "Default Known Certificate Authorities": TrustCenter.de entries expired


Hi Nathan,

sorry for the late answer. I did manage to fix the issue at the customer, but I can't exactly remember how... IIRC the issue was because of a very old (or edited) "copy" of the McAfee maintained list, which overruled the original.

Regards,

Frank