文章段落
近期有一些使用Sectigo (之前為Comodo CA)憑證的用戶,會發現自己的Application若是有使用Sectigo憑證去進行SSL連線(如web, email)時,會跳出error messages,進而造成SSL連線失敗,這是由於Sectigo的Root Certificate使用的是legacy AddTrust External CA Root certificate,其效期已於2020年5月30日失效。
大部分較新的Clients,早在2015年時就會收到新的憑證安全性更新 (Security Updates),並將此Root Certificate由 AddTrust 更新為 USERTrust (效期至2038年有效)。然而,仍有少數的使用者並沒有收到安全性更新,可能因為舊版Clients無法更新或其他特殊原因,故仍然受到此Root Certificate過期的影響。
這篇文章主要是針對Sectigo AddTrust External CA Root因過期所無法正確驗證憑證的用戶提供相對應的解決辦法。
信任鏈關係的變更
如下圖一所示,過往的AddTrust External CA Root因有效時間僅到2020年5月30日,同時USERTrust RSA Certification Authority也是相同的情形。
在5/30之後,也就是2020年6月1日開始,我們會需要改成如下圖二的憑證信任鏈結構。
解決作法:
由於舊的Root Certificate過期,我們會需要更換至新的Root Certificate。
Root Certificate:
Sectigo官網提供了新的Root Certificate供使用者下載做更新。
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO
- 首先先進到Secitgo的頁面,找到Root Certificates的區塊。
2. 選擇: [Download] SHA-2 Root : USERTrust RSA Certification Authority。
3. 下載後可以看一下內容,大致是如這樣:
圖四、USERTrust Root CA 
圖五、USERTrust crt內容
Intermediate Certificate:
中繼憑證的部分我們則可以透過Internet2的官網下載。
https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types
- 首先進到Internet2的頁面,找到SSL/TLS Certificates的區塊。
2. 選擇:InCommon RSA Server CA [PEM]。
3. 內容大致如下:
圖七、InCommon RSA Server CA 
圖八、InCommon crt 內容
完整的Root Certificate + Intermediate Certificate 可重新組合成 Full Chain,變成一個CA Bundle,檔名我們可以取名為full.crt。
接著,我們可以透過crl2pkcs7 指令將CRT轉換成PKCS#7,再透過pkcs7指令將憑證的issuer顯示出來,上半部為Root Certificate的部分,下半部則為Intermediate Certificate。
$ openssl crl2pkcs7 -nocrl -certfile full.crt | openssl pkcs7 -print_certs -text -nooutCloudAce-MB-Pro:$ openssl crl2pkcs7 -nocrl -certfile full.crt | openssl pkcs7 -print_certs -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:80:12:65:17:36:0e:c3:db:08:b3:d0:ac:57:0d:
76:ed:cd:27:d3:4c:ad:50:83:61:e2:aa:20:4d:09:
2d:64:09:dc:ce:89:9f:cc:3d:a9:ec:f6:cf:c1:dc:
f1:d3:b1:d6:7b:37:28:11:2b:47:da:39:c6:bc:3a:
19:b4:5f:a6:bd:7d:9d:a3:63:42:b6:76:f2:a9:3b:
2b:91:f8:e2:6f:d0:ec:16:20:90:09:3e:e2:e8:74:
c9:18:b4:91:d4:62:64:db:7f:a3:06:f1:88:18:6a:
90:22:3c:bc:fe:13:f0:87:14:7b:f6:e4:1f:8e:d4:
e4:51:c6:11:67:46:08:51:cb:86:14:54:3f:bc:33:
fe:7e:6c:9c:ff:16:9d:18:bd:51:8e:35:a6:a7:66:
c8:72:67:db:21:66:b1:d4:9b:78:03:c0:50:3a:e8:
cc:f0:dc:bc:9e:4c:fe:af:05:96:35:1f:57:5a:b7:
ff:ce:f9:3d:b7:2c:b6:f6:54:dd:c8:e7:12:3a:4d:
ae:4c:8a:b7:5c:9a:b4:b7:20:3d:ca:7f:22:34:ae:
7e:3b:68:66:01:44:e7:01:4e:46:53:9b:33:60:f7:
94:be:53:37:90:73:43:f3:32:c3:53:ef:db:aa:fe:
74:4e:69:c7:6b:8c:60:93:de:c4:c7:0c:df:e1:32:
ae:cc:93:3b:51:78:95:67:8b:ee:3d:56:fe:0c:d0:
69:0f:1b:0f:f3:25:26:6b:33:6d:f7:6e:47:fa:73:
43:e5:7e:0e:a5:66:b1:29:7c:32:84:63:55:89:c4:
0d:c1:93:54:30:19:13:ac:d3:7d:37:a7:eb:5d:3a:
6c:35:5c:db:41:d7:12:da:a9:49:0b:df:d8:80:8a:
09:93:62:8e:b5:66:cf:25:88:cd:84:b8:b1:3f:a4:
39:0f:d9:02:9e:eb:12:4c:95:7c:f3:6b:05:a9:5e:
16:83:cc:b8:67:e2:e8:13:9d:cc:5b:82:d3:4c:b3:
ed:5b:ff:de:e5:73:ac:23:3b:2d:00:bf:35:55:74:
09:49:d8:49:58:1a:7f:92:36:e6:51:92:0e:f3:26:
7d:1c:4d:17:bc:c9:ec:43:26:d0:bf:41:5f:40:a9:
44:44:f4:99:e7:57:87:9e:50:1f:57:54:a8:3e:fd:
74:63:2f:b1:50:65:09:e6:58:42:2e:43:1a:4c:b4:
f0:25:47:59:fa:04:1e:93:d4:26:46:4a:50:81:b2:
de:be:78:b7:fc:67:15:e1:c9:57:84:1e:0f:63:d6:
e9:62:ba:d6:5f:55:2e:ea:5c:c6:28:08:04:25:39:
b8:0e:2b:a9:f2:4c:97:1c:07:3f:0d:52:f5:ed:ef:
2f:82:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha384WithRSAEncryption
5c:d4:7c:0d:cf:f7:01:7d:41:99:65:0c:73:c5:52:9f:cb:f8:
cf:99:06:7f:1b:da:43:15:9f:9e:02:55:57:96:14:f1:52:3c:
27:87:94:28:ed:1f:3a:01:37:a2:76:fc:53:50:c0:84:9b:c6:
6b:4e:ba:8c:21:4f:a2:8e:55:62:91:f3:69:15:d8:bc:88:e3:
c4:aa:0b:fd:ef:a8:e9:4b:55:2a:06:20:6d:55:78:29:19:ee:
5f:30:5c:4b:24:11:55:ff:24:9a:6e:5e:2a:2b:ee:0b:4d:9f:
7f:f7:01:38:94:14:95:43:07:09:fb:60:a9:ee:1c:ab:12:8c:
a0:9a:5e:a7:98:6a:59:6d:8b:3f:08:fb:c8:d1:45:af:18:15:
64:90:12:0f:73:28:2e:c5:e2:24:4e:fc:58:ec:f0:f4:45:fe:
22:b3:eb:2f:8e:d2:d9:45:61:05:c1:97:6f:a8:76:72:8f:8b:
8c:36:af:bf:0d:05:ce:71:8d:e6:a6:6f:1f:6c:a6:71:62:c5:
d8:d0:83:72:0c:f1:67:11:89:0c:9c:13:4c:72:34:df:bc:d5:
71:df:aa:71:dd:e1:b9:6c:8c:3c:12:5d:65:da:bd:57:12:b6:
43:6b:ff:e5:de:4d:66:11:51:cf:99:ae:ec:17:b6:e8:71:91:
8c:de:49:fe:dd:35:71:a2:15:27:94:1c:cf:61:e3:26:bb:6f:
a3:67:25:21:5d:e6:dd:1d:0b:2e:68:1b:3b:82:af:ec:83:67:
85:d4:98:51:74:b1:b9:99:80:89:ff:7f:78:19:5c:79:4a:60:
2e:92:40:ae:4c:37:2a:2c:c9:c7:62:c8:0e:5d:f7:36:5b:ca:
e0:25:25:01:b4:dd:1a:07:9c:77:00:3f:d0:dc:d5:ec:3d:d4:
fa:bb:3f:cc:85:d6:6f:7f:a9:2d:df:b9:02:f7:f5:97:9a:b5:
35:da:c3:67:b0:87:4a:a9:28:9e:23:8e:ff:5c:27:6b:e1:b0:
4f:f3:07:ee:00:2e:d4:59:87:cb:52:41:95:ea:f4:47:d7:ee:
64:41:55:7c:8d:59:02:95:dd:62:9d:c2:b9:ee:5a:28:74:84:
a5:9b:b7:90:c7:0c:07:df:f5:89:36:74:32:d6:28:c1:b0:b0:
0b:e0:9c:4c:c3:1c:d6:fc:e3:69:b5:47:46:81:2f:a2:82:ab:
d3:63:44:70:c4:8d:ff:2d:33:ba:ad:8f:7b:b5:70:88:ae:3e:
19:cf:40:28:d8:fc:c8:90:bb:5d:99:22:f5:52:e6:58:c5:1f:
88:31:43:ee:88:1d:d7:c6:8e:3c:43:6a:1d:a7:18:de:7d:3d:
16:f1:62:f9:ca:90:a8:fd
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Validity
Not Before: Oct 6 00:00:00 2014 GMT
Not After : Oct 5 23:59:59 2024 GMT
Subject: C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9c:1b:f1:bb:2f:7f:63:18:15:51:51:54:0f:9e:
c5:4e:4d:10:58:fa:30:9b:17:29:90:e6:33:0c:ac:
13:53:7c:54:91:b4:ea:d8:6e:9b:89:6d:bb:33:3e:
8f:d2:0d:a6:e9:f9:ba:e9:0d:0c:1a:9e:b2:8e:c9:
70:2e:ef:1e:05:7d:95:eb:2d:8d:a2:a9:4d:b3:9c:
e7:f3:19:36:bb:a7:f1:7c:e6:08:1e:61:27:44:7a:
96:f4:a8:34:db:e2:42:c8:a5:db:37:d5:b5:e7:e4:
42:72:3f:b4:13:cf:8b:07:24:45:1e:8c:91:83:46:
b9:09:a6:fc:18:a3:06:02:ec:34:8d:32:66:95:27:
ea:e1:97:e8:db:35:a3:2b:56:eb:57:e8:f0:10:59:
df:6d:70:0c:66:6a:d0:64:e5:a8:a3:98:31:ad:1d:
62:d5:fa:92:e3:9a:43:cd:2d:35:fb:d9:9e:33:5b:
45:7d:c4:86:28:2c:66:12:c8:db:0f:19:30:0d:3f:
e9:f0:ea:4a:5e:40:07:c7:f6:20:7a:53:78:81:64:
7a:7e:45:6a:16:6f:f4:93:58:c9:62:fb:29:27:7d:
a1:7f:21:ce:e7:4f:47:d6:8a:56:e0:e3:66:f8:ec:
dd:89:dc:26:8c:19:68:3b:8d:8b:e2:fb:47:23:0b:
7f:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
X509v3 Subject Key Identifier:
1E:05:A3:77:8F:6C:96:E2:5B:87:4B:A6:B4:86:AC:71:00:0C:E7:38
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
Authority Information Access:
CA Issuers – URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
OCSP – URI:http://ocsp.usertrust.com
Signature Algorithm: sha384WithRSAEncryption
2d:11:06:38:d6:db:d7:58:68:af:aa:38:67:17:8d:e2:13:d7:
a3:14:24:d9:06:13:eb:eb:91:2f:df:4f:67:2d:c8:d3:14:d7:
56:65:52:9e:6e:1f:98:08:8e:9a:48:1b:c1:8b:59:9a:a3:57:
9b:db:86:f8:59:40:fc:19:b0:75:11:2a:c2:12:36:ba:8e:72:
8a:06:4e:27:b7:8d:58:14:d1:6f:b4:f9:68:fc:98:dd:a4:9c:
25:40:36:de:bd:17:66:2b:03:7f:78:81:b1:80:74:9e:5f:3a:
b4:26:2f:6a:48:84:36:34:8e:a7:28:ef:87:f3:61:e7:db:67:
f5:52:db:d7:d1:e6:30:71:bb:8b:a3:d4:ff:b9:64:89:9e:9b:
81:9b:8f:57:b8:64:4c:d5:06:19:8e:e7:91:85:7c:18:d1:89:
d8:f6:ea:1d:68:14:11:d9:ee:17:83:1f:50:63:cf:0e:f6:86:
2a:6e:e3:b1:a4:c9:fa:f6:34:4c:77:2a:80:86:30:b0:a3:dc:
1b:71:ec:04:a7:e4:98:bc:16:85:3e:84:26:b3:c0:e5:35:55:
7e:79:98:a3:d4:d4:8d:b6:e7:42:e8:44:20:12:37:5f:09:c9:
fb:03:e4:f5:65:74:96:ed:ca:b9:b3:f6:09:ff:4c:a6:d1:5d:
3a:fc:d1:4d:aa:e4:98:72:be:38:4b:7f:89:4e:26:8f:d4:cc:
be:56:09:71:03:4a:6c:a3:e2:35:86:dd:1e:d9:f1:31:03:f7:
13:4d:0b:11:81:31:79:cc:7a:d7:be:dc:fb:f3:76:1b:2c:bd:
b3:91:0f:00:59:07:2a:20:43:dc:4b:d8:b5:19:14:8f:e2:7a:
84:29:d1:43:3f:2f:cc:df:3f:9d:bb:bd:68:c4:ce:e0:cd:e7:
1c:31:32:78:62:fa:f0:93:a2:1e:c9:d7:9f:68:e5:a8:76:f6:
63:fe:68:99:ef:ba:36:d7:12:71:9a:9e:b3:71:1f:3b:be:00:
63:9e:3d:5f:21:c2:b1:86:1b:b8:4e:21:c3:c3:43:09:2e:63:
0c:cd:ff:14:f6:f6:22:e9:fd:ca:9f:f5:98:44:b6:41:9c:41:
c2:08:98:7d:db:a0:9f:22:7e:c0:a7:49:bb:b4:18:1f:4b:d3:
a6:2a:87:b9:5c:ca:f2:83:4c:40:03:b2:52:1a:79:21:08:37:
18:4e:d9:8d:5f:99:c6:05:5f:f1:6a:ae:ba:75:5a:78:47:3a:
3a:65:5e:e5:c4:d0:e3:da:d2:eb:5a:28:2d:b9:02:99:60:a2:
6f:3c:2f:66:7c:98:45:9c:c9:fa:01:ef:32:8e:7c:3e:f9:f4:
03:7b:24:a6:56:09:8c:24
我們可以看到上半部中,Root Certificate的Subject 和下半部 Intermediate Certificate的Issuer皆為:
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
如此一來我們可以將其視為吻合。最後再將原先的End Entity (Server certificate)拿去跟CA Bundle驗證。
$openssl verify -CAfile full.crt cert.crtCloudAce-MB-Pro:$ openssl verify -CAfile full.crt cert.crt
cert.crt: OK
顯示OK,驗證通過。
此篇文章主要是針對有使用Sectigo (過去為Comodo CA)的憑證用戶,因為AddTrust Root Certificate 過期的問題提供解決辦法,由於終端憑證(End Entity)是沒有過期仍然為有效的,我們僅需要將Root Certificate換成新的USERTrust Root Certificate便可以解決,希望透過這篇文章能幫助到近期遭遇到此問題的使用者。
Update 2020/9/14 :
近期有讀者來信,訊問了我們以下問題,我們整理之後,將回答列於下方。
若大家有問題,可以直接在底下留言詢問喔!
1. 请问在mac 里如何查看文中提到的“USERTrust RSA Certification Authority” 和 “InCommon RSA Server CA”两个证书的crt内容?
A1. 憑證的內容其實是一個文字檔,所以只需要用任何文字編輯器便可以瀏覽。
例如我本身是使用Sublime Text這套文字編輯軟體:
2. 在哪里将两个证书的crt内容合并起来生成一个新的文件?
A2: 一樣可以透過文字編輯器將兩個證書的內容合併起來,方法就跟一般的文檔編輯一樣,複製貼上裡面的內容後另存檔案即可。
如果有需要專案開發、技術支援的話,可以填寫聯繫表單與我們聯繫
https://bit.ly/blog-contact-Cloud-Ace
Reference:
support.sectigo.com. (n.d.). Sectigo Knowledge Base. [online] Available at: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO [Accessed 1 Jun. 2020].
spaces.at.internet2.edu. (n.d.). InCommon Cert Types – InCommon Certificate Service – Internet2 Wiki. [online] Available at: https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types [Accessed 1 Jun. 2020].
calnetweb.berkeley.edu. (n.d.). ADDTrust External Root Expiration May 2020 | CalNet – Identity and Access Management. [online] Available at: https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 [Accessed 1 Jun. 2020].
Steenis, S. van (2018). Get your certificate chain right. [online] Medium. Available at: https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce [Accessed 3 Jun. 2020].
因為eset算是3rd party的產品,所以不太確定。
如果其運作機制和本文提到的相同的話,應該會是一樣做法,
但還是詢問eset原廠會比較準喔,謝謝!
請問 我的是 eset ssl filter ca 也是一樣作法嗎?
Enjoyed reading the content above, actually explains everything in detail,
the article is extremely interesting and effective.
Thank you and good luck for the upcoming articles.
King regards,
Demir Valenzuela
Thank you for your referencing. 🙂
Pingback: 網站無法聯結Jetpack – IT型男日誌
這篇文章針對的是為AddTrust External CA Root的使用者因為此憑證過期的問題,進而提供的解決辦法,故若您有AddTrust External CA Root的話與新的USERTrust RSA Certification Authority即是Cross Signed Certificate。加到Server Certificate chain的方式便是透過文中的說明,先將新的Root Certificate(USERTrust RSA Certification Authority)下載,再將Intermediate Certificate (InCommon RSA Server CA)下載,將此兩個憑證合併即可。若您沒有AddTrust 那表示這篇文章可能不符合您的情形。
Hi Cloud Ace Marketing Team,
当我按照文中提供的步骤操作时出现了“USERTrust RSA Certification Authority 此根证书不被信任”的问题。我注意到文章的第1个参考文献里提到,“Note: Few legacy systems, that no longer receive any updates from their vendor, may not trust our SHA-2 Certificates. To enable them to trust our SHA-2 Certificates, we recommend our customers to include the Cross Signed Certificate into the Server Certificate chain. This will enable those legacy systems to trust our SHA-2 Certificates.” 我的问题是“ 1.怎么找到正确的 “Cross Signed Certificate”? 2. 如何将其加到“Server Certificate chain”里?(我的操作系统是 OS X EI Capitan 10.11.6). 非常感谢!