A root certificate expired on May 30, 2020

Jun 3, 2020  - written by  in Security

Up until May 30, 2020, there were two verification chains that were used to create a secure connection using a Gandi SSL certificate:

The first verification chain:

  • 1.1. Sep 11 23:59:59 2024 GMT Gandi Standard SSL CA 2
  • 1.2. May 30 10:48:38 2020 GMT USERTrust RSA Certification Authority
  • 1.3. May 30 10:48:38 2020 GMT AddTrust External CA Root

The second verification chain:

  • 2.1. Sep 11 23:59:59 2024 GMT Gandi Standard SSL CA 2
  • 2.2. Jan 18 23:59:59 2038 GMT USERTrust RSA Certification Authority

Be careful, certificates 1.1. and 2.2. appear to be identical, but they are two distinct versions. Even though the subjects and the hash are comparable, the expiration dates, the sender’s hash, and the fingerprints are different. This certificate, which exists in two different versions, is referred to as “cross-signed”.

Since May 30, 2020, it is no longer possible to validate a connection using the first verification chain. Consequently, using certificates 1.2 and 1.3. to initiate a connection will create a problem. This is something that can also arise in the configuration of a web server, for example.

As of that date, systems that no longer had the 2.2. certificate would be unable to establish a connection. 

A few temporary solutions exist to rectify this situation, though it is highly recommended that you update your platforms in order to pick up the second verification chain. This is the only functional solution.

Please don’t hesitate to contact our Customer Support team via our website if needed, and we will do our best to help you with this situation.