Sectigo Root Cert Expires and Online Chaos Ensues


Thread author
Staff member
Malware Hunter
Jul 27, 2015
On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection.

"Generally speaking, this is affecting older, non-browser clients (notably OpenSSL 1.0.x) which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate," wrote Andrew Ayer, founder of SSLMate, in a blog post. When connecting to a TLS server, the server sends a certificate to the client to establish its identity, and an intermediate certificate that links the server cert to a trusted root certificate. This forms a chain of trust. When that chain breaks – because a certificate is invalid or missing – errors occur. After the AddTrust External CA Root and the USERTrust RSA CA intermediate certificate expired, applications like Red Hat Enterprise Linux 7, Roku's streaming media service, and Algolia, started having problems.

Users of the RoboForm password manager found they could not connect to the RoboForm server.