SSLV is presenting invalid certificates, specifically with Comodo and AddTrust root certificates.

Article ID: 191990

Products

SV-3800, SV-2800, SV-800, SV-1800, SSL Visibility Appliance Software

Issue/Introduction

When browsing through an SSLV to sites that use the AddTrust External CA Root and UserTrust_RSA certificates, the session may be re-signed with an untrusted certificate because of a certificate chain validation error.

Cause

The AddTrust CA Root and UserTrust_RSA certificates expired on May 30th, 2020. A possible issue with the handling of cross-signed certificates is being investigated.

Environment

SSLV inspecting traffic with certificate validation enabled. 

Resolution

A new trust package was released on June 2, 2020 that removes the expired certificates. Download the new trust package from the SSLV UI under PKI -> External Certificate Authorities -> Trust Package Update Status. 

If the update succeeds, the message "Updated with new package" is displayed.

To verify which certificates were removed, navigate to Monitor -> System log and search for "download_trust" by clicking the magnifying glass.
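
The cause above mentions the handling of cross-signed certificates. The following added example (not Broadcom's code and not a description of SSLV internals) is a simplified model of one way a chain validator can fail on such a chain, and of why removing the expired certificates from the trust store resolves it. The leaf and issuing CA names, the trust store contents and every date other than May 30, 2020 are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

EXPIRY = date(2020, 5, 30)  # expiry date given in the article
# Constructed sample data: leaf and issuing CA names, and all other dates.
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", EXPIRY)
USERTRUST_CROSS = Cert("UserTrust_RSA", "AddTrust External CA Root", EXPIRY)
USERTRUST_ROOT = Cert("UserTrust_RSA", "UserTrust_RSA", date(2038, 1, 18))
ISSUING_CA = Cert("Example Issuing CA", "UserTrust_RSA", date(2030, 12, 31))
LEAF = Cert("www.example.test", "Example Issuing CA", date(2021, 3, 1))

SENT_BY_SERVER = (ISSUING_CA, USERTRUST_CROSS)  # chain presented with the leaf
OLD_STORE = (ADDTRUST_ROOT, USERTRUST_ROOT)     # assumed store before the update
NEW_STORE = (USERTRUST_ROOT,)                   # expired certificates removed

def build_paths(cert, sent, anchors, path=()):
    """Yield each path from cert up to a trust anchor, server-sent issuers first."""
    path = path + (cert,)
    if cert in anchors:
        yield path
        return
    for candidate in sent + anchors:
        if candidate.subject == cert.issuer and candidate not in path:
            yield from build_paths(candidate, sent, anchors, path)

def expired_in(path, today):
    """Return the certificates in path that are past their notAfter date."""
    return [c for c in path if c.not_after < today]

def validate(leaf, sent, anchors, today, try_all_paths):
    """True if an examined path contains no expired certificate."""
    paths = list(build_paths(leaf, sent, anchors))
    if not try_all_paths:
        paths = paths[:1]  # a validator that stops at the first path it builds
    return any(not expired_in(p, today) for p in paths)

if __name__ == "__main__":
    today = date(2020, 6, 2)
    for label, store, try_all in (("old store, first path only", OLD_STORE, False),
                                  ("new store, first path only", NEW_STORE, False),
                                  ("old store, all paths tried", OLD_STORE, True)):
        print(label, "->", validate(LEAF, SENT_BY_SERVER, store, today, try_all))
```

In this model the first path built with the old store ends at the expired AddTrust root and fails, while the same server chain validates once that root is no longer a trust anchor.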

Additional Information

https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ