Jul 21, 2020
On Saturday 30th May, two certificates expired: the 'AddTrust External CA Root' and the 'COMODO RSA Certification Authority'. Both are intermediate certificates that are used worldwide. According to the CA authority's preliminary announcement, 'modern clients', such as up-to-date browsers and Java clients, should remain unaffected. Unfortunately, the connection between systems did suffer from this.
It turned out that the software configuration that validates these certificates had not been updated in time. MCX have since adjusted this configuration to ensure all connections operate as normal.
Expired certificates do usually not cause problems, however, in this case, the problem resided in the 'certificate chain'. Certificates, just like passports, are issued by organisations that are authorized to do so. Due to the growth of the Internet, it had been decided to subcontract part of the issuance of certificates to 'intermediaries'. The picture below shows, at a high level, the relationship between the various types of certificates, including their average lifespan.
As indicated above, the problem could be traced back to the server software, which had been insufficiently updated. As a result, connection errors occurred between servers.
For further information, please visit https://nakedsecurity.sophos.com/2020/06/02/the-mystery-of-the-expiring-sectigo-web-certificate (Note: Sectigo is Comodo's new name).