Our product line uses TLS for secure communication. Two certificates validate our TLS chains, including a primary certificate that expires in 2038 and a secondary certificate that expired at 10:48 GMT on May 30, 2020. If either certificate, or both, are present in your environment, TLS functions correctly before May 30, 2020. After May 30, 2020, only the primary certificate is valid. Out of an abundance of caution, we're informing customers of this event.

Generally, certificates are auto-updated through operating systems and customers aren't impacted. But, customers might see an impact in environments when the following hold true:

• Automatic management of root certificates is disabled.
• The primary certificate isn't manually deployed.

The primary certificate that needs to be validated in a customer's environment is as below.

Subject	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
Thumbprint	2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Expiration	2038-01-18 5:59:59 PM

 
The certificate replacing the secondary certificate is as below.

Subject	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB
Thumbprint	D1EB23A46D17D68FD92564C2F1F1601764D8E349
Expiration	Sunday, ‎December 3‎1, ‎2028 23:59:59 PM

FAQs

What's the immediate action that I need to take?
You need to make sure that you have the primary certificate installed in your environment for all Windows systems.

How do I figure out if a system has an updated root certificate, and can I update it remotely?
To determine whether the system has the updated root certificate, see KB92948 - How to check if a system has an updated root certificate and apply the certificate from Group Policy. The article also describes how you can apply the fix using Group Policy.

Are Linux environments impacted?
The certificate expiration doesn't impact Linux environments that use Endpoint Security for Linux Threat Prevention or VirusScan Enterprise for Linux. 

Are macOS environments impacted?
For Endpoint Security for Mac environments, see KB92950 - Endpoint Security for Mac Global Threat Intelligence queries fail after a root certificate expired on May 30, 2020.

Why is the certificate not updated automatically?
By default, the Windows update automatically updates the trusted root certificates. Administrators can choose to disable this feature in favor of managing their environments' certificates manually. Also, some environments might have limited or no internet connectivity for the Windows updates to automatically update the certificate stores.

Does the update of the certificate require a reboot?
No. A reboot isn't needed after you update the certificate.

Does this affect manageability from ePolicy Orchestrator (ePO)?
ePO manageability isn't affected. For the possible issue with ePO, see KB92954 - Some ePO features or integrations might start to fail after May 29, 2020.