
expired Root CA "DigiCert SHA2 Secure Server CA"

Noticed some issues today with some popular SSL sites (linkedin, live, ...). These issues existed for some days but no one complained.

The traffic was scanned by TLS/DPI engine and the servers had certificates issued by "DigiCert SHA2 Secure Server CA"

This CA cert is not included in SFOS by default, so probably this is not an issue for most users. We uploaded it a while ago because there were some sites not serving the full CA chain, causing issues.

It expired on 2023 March 8th, so we needed to replace it today.

The old cert:

Issuer: DigiCert Global Root CA
Valid until: 08/Mar/2023
Serial #: 01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91
SHA1 Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4

The new cert:

Issuer: DigiCert Global Root CA
Valid until: 22/Sep/2030
Serial #: 02:74:2e:aa:17:ca:8e:21:c7:17:bb:1f:fc:fd:0c:a0
SHA1 Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C


The error:

  • bitmask="Expired"
  • key_type="KEY_TYPE__RSA"
  • key_param="RSA 2048 bits"
  • fingerprint="1f:cd:8f:f2:82:0b:b9:19:6b:de:ad:66:b4:f9:b0:8b:f0:91:ff:6c"
  • resumed="0"
  • cert_chain_served="TRUE"
  • cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  • sni="www.linkedin.com"
  • tls_version="TLS1.2"
  • reason="Blocked due to invalid TLS certificate"
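Added example, not part of the original post and not Sophos code: a stdlib-only Python check that reads the serial, SHA1 fingerprint and notAfter date out of PEM CA certificates (the same fields the firewall's certificate page shows) and flags any that are expired or about to expire, so a manually uploaded intermediate like this one gets noticed before the DPI engine starts blocking. It assumes PEM input; the certificate it builds for its own test is a constructed, unsigned skeleton, not a real DigiCert certificate.

```python
import hashlib
import ssl
from datetime import datetime, timedelta, timezone

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag: int, value: bytes) -> datetime:   # 0x17 UTCTime (YY...), 0x18 GeneralizedTime (YYYY...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_info(pem: str) -> dict:
    """Serial, SHA1 fingerprint and notAfter of a PEM cert, formatted like the firewall's cert page."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = _tlv(cert, 0)                 # TBSCertificate ::= SEQUENCE
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version comes first
        tag, val, pos = _tlv(tbs, pos)
    val = val[1:] if len(val) > 1 and val[0] == 0 else val   # drop INTEGER sign pad, as openssl does
    _, _, pos = _tlv(tbs, pos)                # signature AlgorithmIdentifier (skipped)
    _, _, pos = _tlv(tbs, pos)                # issuer Name (skipped)
    _, validity, _ = _tlv(tbs, pos)           # Validity ::= SEQUENCE { notBefore, notAfter }
    tag, not_after, _ = _tlv(validity, _tlv(validity, 0)[2])   # skip notBefore, read notAfter
    return {"serial": ":".join(f"{b:02X}" for b in val),
            "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
            "not_after": _asn1_time(tag, not_after)}

def expiry_status(pem: str, warn_days: int = 30, now: datetime = None) -> str:
    """'expired' once notAfter has passed, 'expiring' within warn_days, otherwise 'ok'."""
    now = now or datetime.now(timezone.utc)
    not_after = cert_info(pem)["not_after"]
    if not_after <= now:
        return "expired"
    return "expiring" if not_after - now <= timedelta(days=warn_days) else "ok"

def _enc(tag: int, body: bytes) -> bytes:   # short-form DER TLV, only for the constructed sample
    return bytes([tag, len(body)]) + body
def sample_pem(not_after_utctime: str) -> str:
    """Constructed, unsigned certificate skeleton (NOT a real CA cert) for offline testing."""
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))  # sha256WithRSA
    validity = _enc(0x30, _enc(0x17, b"230101000000Z") + _enc(0x17, not_after_utctime.encode()))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x00\xFD\xA3") + sig_alg + _enc(0x30, b"") + validity)
    cert = _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))
    return ssl.DER_cert_to_PEM_cert(cert)
```

Run `expiry_status` over every CA you have uploaded by hand (for example from a scheduled job) and compare the printed serial and SHA1 against the firewall's certificate page to confirm you are looking at the same object.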
