Skip to Content [alt-c]

Comment

In reply to Comment by Reader F30

Andrew Ayer on 2020-05-30 at 23:24:

Are you aware that there is at least one other current Root CA which used to be cross-signed by "AddTrust External CA Root" - "COMODO RSA Certification Authority"? (https://crt.sh/?id=1720081 , old cross-signed cert is https://crt.sh/?id=1044348 )

Yes. https://whatsmychaincert.com will catch this case.

Additionally there is another variant of the "USERTrust RSA Certification Authority" cert (https://crt.sh/?id=1282303295 ) issued by the "AAA Certificate Services" Root CA (https://crt.sh/?id=331986 ). That one should still be valid until 2028.

Including this certificate in your chain is a good option if you need to support really old clients that don't have "USERTrust RSA Certification Authority" in their trust stores. However, there's a caveat: since "AAA Certificate Services" isn't enabled for EV by Apple, Mozilla, or Chrome, your expensive EV certificate might not get EV treatment. That said, EV certificates are silly ;-)

However, cURL on macOS 10.14 (built against LibreSSL 2.6.5) also fails to connect to servers sending a security chain containing the latter. This is interesting, since "AddTrust External CA Root" never occurs in that chain. One example for it is https://electroncash.org/

The chain that I see ends in "AddTrust External CA Root" not "AAA Certificate Services".

Reply

Post a Reply

Your comment will be public. If you would like to contact me privately, please email me. Please keep your comment on-topic, polite, and comprehensible.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with ">" are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim.
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.