Educause Security Discussion mailing list archives

Intermediate Certificates


From: "Bukowski, David" <bukowski () COD EDU>
Date: Wed, 3 Jun 2020 16:36:35 +0000

Hello everyone.  I just wanted to bring this to the attention here that you all might want to verify that your websites 
have updated Intermediate Certificates.  I've now had multiple .EDU sites that are coming up being blocked by our IPS 
because the chain of trust is broken due to certificates being expired on 5/30/2020 at about 1000 UTC.


You can test and find out if your websites are broken with the Qualys SSL Labs SSL test:  https://ssllabs.com/ssltest/


Check the certificate chain part, not just your certificate, but the intermediate certificates as well.


Here is a write up by Naked Security (Sophos) about this subject.  I discovered this yesterday before they even wrote 
the article, but it's nice they wrote this up.  So make sure to check ALL your sites that have certs (main page, VPN 
portals, email, etc).  As your networks evolved you may have different intermediates.   Just a heads up because I am 
not making an exception and have already sent email off to one IT department, but don't plan on doing it to all the 
.EDU sites, so figure this is the best way.  Feel free to pass this information on to other education and even 
commercial sites.


https://nakedsecurity.sophos.com/2020/06/02/the-mystery-of-the-expiring-sectigo-web-certificate/


Stay safe and healthy everyone!


-Dave



David Bukowski

Network Analyst

Information Technology

College of DuPage
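
An added example, not part of the original message: a local version of the chain check described above, which reports every certificate in a saved PEM chain (leaf and intermediates) that is expired or expires within a chosen window. The function name `check_chain_expiry`, the file name `chain.pem` and the host `www.example.edu` are assumptions made for illustration; it relies only on `openssl x509 -checkend` and `openssl s_client -showcerts`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Save the chain exactly as the server sends it (placeholder host), then check it:
#   openssl s_client -connect www.example.edu:443 -servername www.example.edu \
#       -showcerts </dev/null 2>/dev/null > chain.pem
#   check_chain_expiry chain.pem 2592000   # flag anything expiring within 30 days

# check_chain_expiry BUNDLE [WINDOW_SECONDS]
# Prints one tab-separated line per certificate: index, status, notAfter, subject.
# Returns 0 if every certificate outlives the window, 1 if any does not,
# 2 if the bundle is unreadable or contains no certificates.
check_chain_expiry() {
    local bundle=$1 window=${2:-0} tmpdir rc=0 i=0 cert status
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM block; text outside blocks is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmpdir"/cert-*.pem; do
        [ -e "$cert" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
        # -checkend N exits non-zero when notAfter falls within the next N seconds
        # (N=0 means the certificate has already expired).
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRING; rc=1
        fi
        printf '%d\t%s\t%s\t%s\n' "$i" "$status" \
            "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$cert" -noout -subject)"
        i=$((i + 1))
    done
    rm -rf "$tmpdir"
    return "$rc"
}
```

Index 0 is the site's own certificate; any higher index marked `EXPIRING` is an intermediate that needs replacing on the server.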
