3 Replies Latest reply on Jun 27, 2016 2:24 AM by asabban

    Finding expired CA Certificates

    feickholt

      We found that our MWG blocks https://t4.ftcdn.net/ by expired CA Certificates...

      I've tested the site with SSL Server Test: t4.ftcdn.net (Powered by Qualys SSL Labs) -> No error

      I tried to find the expired CA certificate manually, but I also found none.

      Here is the chain I found manually

      *.b.ssl.fastly.net

      GlobalSign Organization Validation CA (valid until 20.02.2024)

      GlobalSign Root CA (valid until 28.1.2028)

      Is there any way to find the reason why this URL is blocked by the expired CA Certificates property?


      Frank

        • 1. Re: Finding expired CA Certificates
          asabban

          Hi Frank,


          I have checked with a default MWG and I can reach the URL without a problem. Do you use the McAfee Maintained CA list or do you have your own list of CAs?


          This might happen if there is a CA that expires, but the CA owner issues a new CA certificate with a new expiration date but all other details remain. So you have two CA certificates that look identical, but in MWG you may have stored the old expired CA, so MWG uses this CA rather than the new one. In such a case you have to remove the expired CA and insert the new copy of the CA certificate. We had this in the past with a couple of certificates.


          I have checked the McAfee Maintained CA list but I cannot find expired entries. That's why I ask if you use your own list.


          Please let me know. Feel free to contact me via e-mail (firstname dot lastname at intel dot com, in case you can't remember). I am happy to help sort this out.


          Best,

          Andre

          • 2. Re: Finding expired CA Certificates
            feickholt

            You are right... We used the old and the subscribed list together. I removed the old one and now it works as expected.

            Nevertheless, are there any ways to find the expired CA if there is really a problem with it?

            • 3. Re: Finding expired CA Certificates
              asabban

              Hi Frank,

              Unfortunately, that is not really easy. There are several problems that make identification difficult:

              - There is no property that displays which certificate caused an incident

              - There is no property that will show the complete certificate chain

              - Depending on what certificates are in the local "CA store" you might get different chains when you access via MWG compared to a direct access with your browser

              - In the lists we only refer to the names, and the names are not unique

              The good thing is that the McAfee Maintained list is checked for expired CAs on a daily basis, and expired CAs are removed and/or replaced automatically. If they are replaced, access will simply work; if they are removed (because there is no successor), access will fail as "Untrusted Certificate", which means that:


              - We will review and correct after submission

              - You can browse to the site without MWG and manually add the missing CAs to your local list (MWG will not have incorrect expired certificates in its "CA store")

              Note: If a CA is expired and there is no successor, the site owner will likely have switched to a different certificate signed by another CA.


              Best,

              Andre
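One way to do the check Andre describes as hard (find expired CAs in a local list, and spot an old copy stored beside a re-issued copy with the same name), as an added example that is not part of this thread or of MWG: the Go program below parses a PEM CA bundle and reports every expired entry, flagging those for which a same-named, still-valid copy is also present. The CA names and dates are constructed test data; for a real check, feed the exported CA list to AuditCABundle instead of ConstructedBundle().

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Finding is one expired CA in the bundle, plus whether a same-named, still-valid
// copy is also present (the "old and new CA list loaded together" situation).
type Finding struct {
	Subject    string
	NotAfter   time.Time
	HasNewCopy bool
}

// AuditCABundle parses a PEM CA bundle and reports every certificate expired at
// time now. Matching is by subject name, since the MWG lists refer to names only.
func AuditCABundle(bundle []byte, now time.Time) []Finding {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err == nil && block.Type == "CERTIFICATE" { certs = append(certs, c) }
	}
	stillValid, expired := map[string]bool{}, []*x509.Certificate{} // valid subjects, expired certs
	for _, c := range certs {
		if now.After(c.NotAfter) { expired = append(expired, c) } else { stillValid[c.Subject.String()] = true }
	}
	var out []Finding
	for _, c := range expired {
		out = append(out, Finding{c.Subject.String(), c.NotAfter, stillValid[c.Subject.String()]})
	}
	return out
}

// SelfSignedCA mints a constructed test CA; the names used below are made up, not real CAs.
func SelfSignedCA(cn string, notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ConstructedBundle holds an old and a re-issued copy of one CA plus a retired CA (test data).
func ConstructedBundle() []byte {
	d := func(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }
	b := SelfSignedCA("Example Org Validation CA", d(2006, 1), d(2016, 1))                // old copy
	b = append(b, SelfSignedCA("Example Org Validation CA", d(2014, 1), d(2024, 2))...) // re-issued
	return append(b, SelfSignedCA("Retired Root CA", d(2000, 1), d(2015, 1))...)          // no successor
}
```

Run against the constructed bundle with a 2016 clock, it reports two expired CAs: the old "Example Org Validation CA" copy with a replacement present, and "Retired Root CA" with none.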