In reply to Comment by Reader F30
Are you aware that there is at least one other current Root CA which used to be cross-signed by "AddTrust External CA Root" - "COMODO RSA Certification Authority"? (https://crt.sh/?id=1720081 , old cross-signed cert is https://crt.sh/?id=1044348 )
Yes. https://whatsmychaincert.com will catch this case.
Additionally there is another variant of the "USERTrust RSA Certification Authority" cert (https://crt.sh/?id=1282303295 ) issued by the "AAA Certificate Services" Root CA (https://crt.sh/?id=331986 ). That one should still be valid until 2028.
Including this certificate in your chain is a good option if you need to support really old clients that don't have "USERTrust RSA Certification Authority" in their trust stores. However, there's a caveat: since "AAA Certificate Services" isn't enabled for EV by Apple, Mozilla, or Chrome, your expensive EV certificate might not get EV treatment. That said, EV certificates are silly ;-)
However, cURL on macOS 10.14 (built against LibreSSL 2.6.5) also fails to connect to servers sending a security chain containing the latter. This is interesting, since "AddTrust External CA Root" never occurs in that chain. One example for it is https://electroncash.org/
The chain that I see ends in "AddTrust External CA Root" not "AAA Certificate Services".