Our product line uses TLS for secure communication. Two certificates validate our TLS chains, including a primary certificate that expires in 2038 and a secondary certificate that expired at 10:48 GMT on May 30, 2020. If either certificate, or both, are present in your environment, TLS functions correctly before May 30, 2020. After May 30, 2020, only the primary certificate is valid. Out of an abundance of caution, we're informing customers of this event.
Generally, certificates are auto-updated through operating systems and customers aren't impacted. However, customers might see an impact in environments where the following hold true:
- Automatic management of root certificates is disabled.
- The primary certificate isn't manually deployed.
The primary certificate that needs to be validated in a customer's environment is as below.
Subject | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
Thumbprint | 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Expiration | 2038-01-18 5:59:59 PM
The secondary certificate that has expired is as below.
Subject | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Thumbprint | 02faf3e291435468607857694df5e45b68851868
Expiration | Saturday, May 30, 2020 4:18:38 PM
The certificate replacing the secondary certificate is as below.
Subject | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB
Thumbprint | D1EB23A46D17D68FD92564C2F1F1601764D8E349
Expiration | Sunday, December 31, 2028 23:59:59 PM
FAQs
What's the immediate action that I need to take?
You need to make sure that you have the primary certificate installed in your environment for all Windows systems.
How do I figure out if a system has an updated root certificate, and can I update it remotely?
To determine whether the system has the updated root certificate, see KB92948 - How to check if a system has an updated root certificate and apply the certificate from Group Policy. The article also describes how you can apply the fix using Group Policy.
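For a quick local check on a Windows system, the following PowerShell is an added example (it is not the procedure from KB92948 and not vendor code). It looks up the three thumbprints listed in this article in the Local Machine Trusted Root store and reports whether automatic root updates are disabled by policy; the function name Get-RootCertStatus is hypothetical, and the DisableRootAutoUpdate policy value is the standard Windows setting, not something stated in this article.

```powershell
# Thumbprints copied from the tables in this article.
# PowerShell's -eq is case-insensitive for strings, so mixed case is fine.
$expected = @(
    [pscustomobject]@{ Role = 'Primary';             Thumbprint = '2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E' }
    [pscustomobject]@{ Role = 'Secondary (expired)'; Thumbprint = '02faf3e291435468607857694df5e45b68851868' }
    [pscustomobject]@{ Role = 'Replacement';         Thumbprint = 'D1EB23A46D17D68FD92564C2F1F1601764D8E349' }
)

# Hypothetical helper: one status row per expected certificate.
function Get-RootCertStatus {
    param(
        [object[]]$Expected,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $now   = Get-Date
    $store = Get-ChildItem -Path $StorePath
    foreach ($item in $Expected) {
        $cert = $store |
            Where-Object { $_.Thumbprint -eq $item.Thumbprint } |
            Select-Object -First 1
        [pscustomobject]@{
            Role       = $item.Role
            Thumbprint = $item.Thumbprint
            Present    = [bool]$cert
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Expired    = if ($cert) { $cert.NotAfter -lt $now } else { $null }
        }
    }
}

$status = Get-RootCertStatus -Expected $expected
$status | Format-Table -AutoSize

# Condition 1 from the article: automatic root certificate management disabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
$autoUpdateDisabled = ($null -ne $policy) -and ($policy.DisableRootAutoUpdate -eq 1)

# Condition 2 from the article: primary certificate not deployed.
$primary = $status | Where-Object { $_.Role -eq 'Primary' }
if (-not $primary.Present) {
    Write-Warning 'Primary root certificate is missing from the Trusted Root store.'
    if ($autoUpdateDisabled) {
        Write-Warning 'Automatic root updates are disabled by policy; deploy the certificate manually.'
    }
}
```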
Are Linux environments impacted?
The certificate expiration doesn't impact Linux environments that use Endpoint Security for Linux Threat Prevention or VirusScan Enterprise for Linux.
Are macOS environments impacted?
For Endpoint Security for Mac environments, see KB92950 - Endpoint Security for Mac Global Threat Intelligence queries fail after a root certificate expired on May 30, 2020.
Why is the certificate not updated automatically?
By default, Windows Update automatically updates the trusted root certificates. Administrators can choose to disable this feature in favor of managing their environments' certificates manually. Also, some environments might have limited or no internet connectivity, which prevents Windows Update from automatically updating the certificate stores.
Does the update of the certificate require a reboot?
No. A reboot isn't needed after you update the certificate.
Does this affect manageability from ePolicy Orchestrator (ePO)?
ePO manageability isn't affected. For the possible issue with ePO, see KB92954 - Some ePO features or integrations might start to fail after May 29, 2020.