Announcements 07-27-2014

Fix for an Expired Intermediate SSL Certificate Chain

Flavio Martins

June 2020 Update: With a large number of sites affected by the recent , we thought it would be valuable to again share this guide on intermediate TLS/SSL certificates in the certificate chain. Note that . For more information on root certificates, read The Impacts of Root Certificate Expiration.

Original 2014 Content

On July 26, 2014 at 12:15 PM, some customers and users on sites secured by reported that they were getting an untrusted certificate error.

The problem is related to a locally installed legacy intermediate certificate that is no longer used and no longer required for the certificate installation. The problem can affect any client platform with a locally cached or installed copy of that intermediate certificate.

So far we've seen the issue happen with:

  • Clients (mainly OS X) with the expired intermediate installed in their local keychain.
  • Server-to-server connections on Windows environments, where one server still has the legacy certificate installed.

Expired Legacy Intermediate Certificate

The expired certificate in question is the “ High Assurance EV Root CA” [Expiration July 26, 2014] certificate. Despite the "Root CA" in its name, this was a cross-signed certificate: the same root key and subject, issued by an older root so that devices which did not yet trust the newer root directly could still build a path to one they did. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices.

This certificate has not been used for over three years and is unnecessary for installations.

From additional reports, affected users either have the expired intermediate in their ‘login’ keychain or have it installed on a backend server or application.

Fixing the expired intermediate certificate on Mac OS X

The errors on Mac OS X are due to a locally installed intermediate certificate in the login keychain.

OS X users can resolve the issue by deleting the certificate from their Login keystore using Keychain Access.

In Keychain Access go to View -> Show Expired Certificates and search for “ High” to find the High Assurance EV Root CA that expired on July 26, 2014. Check the expiration date before deleting, so that the current root of the same name (which lives in the System Roots keychain) is left alone. Delete the expired certificate and close Keychain Access.

(Credit to Allen Hancock for the solution in picture form and others who jumped in with responses)

Repair Intermediate Certificate on Windows, Exchange, ISA, TMG, Lync

Administrators running Windows/Exchange with an ISA server or TMG can run the.

Affected servers will produce the warning, "Your server is not sending the right intermediate certificates." On Windows servers, this can be resolved using the .

When the Utility runs on your server, a warning may appear. Click “Action Required” and “OK” to delete the expired intermediate and enable the correct certificate chain. The server will most likely need to reboot for the change to take effect.

If you are unable to run the utility, you can manually delete the High Assurance EV Root CA certificate that expired on July 26, 2014 to resolve this issue. You do not need to reissue your certificate.

Fixing the expired intermediate certificate on Apache

Administrators on Apache can replace the file referenced by SSLCertificateChainFile with the correct CA.crt provided with the certificate received from , which you can download from your account under your order details. Reload or restart Apache afterwards, since the chain file is only read at startup. Note that SSLCertificateChainFile is deprecated as of Apache 2.4.8; on those versions the intermediate certificates are appended to the file referenced by SSLCertificateFile instead, and it is that file that must not still carry the expired certificate.
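The failure described in this post, reproduced end to end as an added example. This is not code from the original post or from the certificate authority it describes: it builds a throwaway PKI with the openssl CLI (a current self-signed root, an older root that cross-signed it, an issuing intermediate and a server certificate), gives the cross-signed copy a one-day lifetime, and then checks the chain two days later with `openssl verify -attime`. It also includes a small bundle audit that lists which certificates in a chain file have expired, or will expire within a window, which is the check an administrator would run against an Apache chain file before and after swapping in the CA's current bundle. Every subject name, serial number and lifetime below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway PKI built with the
# openssl CLI that reproduces the expired cross-signed intermediate failure.
# All names, subjects, serials and lifetimes are constructed for illustration.
set -u
WORK=$(mktemp -d); cd "$WORK"
KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf

# The current self-signed root, and the older root that once cross-signed it so
# clients that did not yet trust the new root could still reach one they did.
openssl req -new $KEY -subj "/CN=Example High Assurance EV Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 3650 -extfile ca_ext.cnf -out root.pem 2>/dev/null
openssl req -new $KEY -subj "/CN=Example Legacy Root CA" -keyout old.key -out old.csr 2>/dev/null
openssl x509 -req -in old.csr -signkey old.key -set_serial 2 -days 3650 -extfile ca_ext.cnf -out old.pem 2>/dev/null

# Cross-certificate: the very same CSR (the current root's key and subject) but
# issued by the legacy root, with a one-day lifetime so it can be checked "after" expiry.
openssl x509 -req -in root.csr -CA old.pem -CAkey old.key -set_serial 1001 -days 1 \
  -extfile ca_ext.cnf -out cross.pem 2>/dev/null

# An ordinary issuing intermediate and a server certificate under it.
openssl req -new $KEY -subj "/CN=Example EV Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1002 -days 3650 \
  -extfile ca_ext.cnf -out inter.pem 2>/dev/null
openssl req -new $KEY -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 1003 -days 3650 \
  -out leaf.pem 2>/dev/null

# Bundles a server might ship in SSLCertificateChainFile, and client trust stores.
cat inter.pem           > chain_current.pem   # the CA's current bundle
cat inter.pem cross.pem > chain_legacy.pem    # the old compatibility bundle
cat root.pem old.pem    > both_roots.pem      # a client that trusts both roots

NOW=$(date +%s)
LATER=$((NOW + 2 * 86400))   # two days on: only cross.pem has expired

# verify_chain <epoch> <trusted-roots.pem> <chain-file.pem>
# Exit status 0 when leaf.pem validates at that instant, as openssl verify reports it.
verify_chain() {
  openssl verify -attime "$1" -CAfile "$2" -untrusted "$3" leaf.pem >/dev/null 2>&1
}

# expiring_certs <bundle.pem> [seconds-from-now]
# One line (subject and notAfter) per certificate in the bundle that has already
# expired (window 0, the default) or will expire within the window.
expiring_certs() {
  rm -rf split && mkdir split
  awk '/-----BEGIN CERTIFICATE-----/ { n++; f = "split/" n ".pem" }
       f { print > f }
       /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
  for c in split/*.pem; do
    openssl x509 -in "$c" -noout -checkend "${2:-0}" >/dev/null 2>&1 ||
      { openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '; echo; }
  done
}
count_expiring() { expiring_certs "$1" "${2:-0}" | awk 'END { print NR }'; }

report() {
  if verify_chain "$@"; then echo "OK      roots=$2 chain=$3"; else echo "REJECTED roots=$2 chain=$3"; fi
}
echo "== leaf.pem checked at $LATER, after the cross-certificate expired =="
report "$LATER" root.pem       chain_current.pem  # current bundle: fine
report "$LATER" old.pem        chain_legacy.pem   # client with only the legacy root: expired path
report "$LATER" both_roots.pem chain_legacy.pem   # OpenSSL 1.1.0+ prefers the trusted root: fine
echo "== certificates in chain_legacy.pem that expire within two days =="
expiring_certs chain_legacy.pem $((2 * 86400))
```

The third `report` line is the interesting one: OpenSSL builds chains "trusted first", so a client that trusts the current root ignores the stale cross-certificate in the bundle, whereas the keychain-based clients in this post picked the cached copy and failed. To run the audit against a live server, capture what it actually sends with `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > sent.pem` and pass `sent.pem` to `expiring_certs`; on macOS the login keychain can be exported the same way with `security find-certificate -a -p ~/Library/Keychains/login.keychain-db` (that path is the usual one on current macOS, an assumption for older systems).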

No action required for most certificate installations

All current installations of certificates issued by include the most up-to-date intermediates in order to establish trust with browsers.

But administrators who received the notifications from should remove the expired legacy intermediate from their server to avoid any potential conflicts.

If you have details on other affected platforms, so we can get additional details and update our documentation for other users to resolve the cached intermediate error.

If you need assistance with this or any other issues, is always happy to help.
