20101112: VeriSign announces issues about SGC certificates issuance
VeriSign nnounces that after its roots migration on October 10th, an issue has been found in the provided certification chain. It affects certificates issued via TBS Internet between October 10th and November 11th 2010:- VeriSign Secure Site Pro
- VeriSign Secure Site Pro EV
- Thawte SuperCert
In order to get the guaranteed 128-bit encryption level on these browsers, the intermediate certificate needs to be replaced (VeriSign Class 3 PPCA G5 (cross) v2010-1) by the new intermediate certificate (VeriSign Class 3 PPCA G5 (cross) v2010-2).
To do so, go on your certificate status page (go on your status page) and download the new certification chain. According to your server software you can either:
- replace the chain file by the new one,
- or specificaly replace the intermediate certificate named subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Even if it is not necessary, some might want to reissue theirs certificate and re-install it whith the new chain, see Reissuance.
Am I impacted?
Each of interested customer received an email on November 12th, 2010.
I am a TBS-Internet customer, am I really impacted?
if you followed the installation instructions provided by TBS Internet, you are probably not impacted. indeed, TBS never released to its customer the incriminated certificate (VeriSign Class 3 PPCA G5 (cross) v2010-1) but used the VeriSign Class 3 PPCA G5 (cross) v2009, that actually works fine under Netscape 4.x as under the other platforms. Check your certification chain if you have any doubt.
What can happen if I choose not to update?
Your certificate will work normally, with 128-bit enforcement, execpt for Netscape 4.0.1 to 4.7, that will have a lower encryption level.
Did VeriSign published an official information about this issue?
YES: VeriSign notice and Thawte notice
Last edited on 08/13/2014 13:22:57 --- [search]