
expired Root CA "DigiCert SHA2 Secure Server CA"

Noticed some issues today with some popular SSL sites (linkedin, live, . These issues existed for some days but no one complained.

The traffic was scanned by TLS/DPI engine and the servers had certificates issued by "DigiCert SHA2 Secure Server CA"

This CA cert is not included in SFOS by default. So probably this is no issue for most users. We uploaded it a while ago because there were some sites not serving the full CA chain, causing issues.

It expired on 2023 March 8th. So we needed to replace it today.

The old cert:

Issuer: DigiCert Global Root CA
Valid until: 08/Mar/2023
Serial #: 01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91
SHA1 Fingerprint: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4

The new cert:

Issuer: DigiCert Global Root CA
Valid until: 22/Sep/2030
Serial #: 02:74:2e:aa:17:ca:8e:21:c7:17:bb:1f:fc:fd:0c:a0
SHA1 Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C

on SFOS GUI:

The error:

  • bitmask="Expired"
  • key_type="KEY_TYPE__RSA"
  • key_param="RSA 2048 bits"
  • fingerprint="1f:cd:8f:f2:82:0b:b9:19:6b:de:ad:66:b4:f9:b0:8b:f0:91:ff:6c"
  • resumed="0"
  • cert_chain_served="TRUE"
  • cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  • sni="www linkedin com"
  • tls_version="TLS1.2"
  • reason="Blocked due to invalid TLS certificate


Edited TAGs
[edited by: emmosophos at 11:18 PM (GMT -7) on 27 Mar 2023]
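
Added example (not part of the original post and not Sophos tooling): the post describes a manually uploaded CA certificate expiring unnoticed until the TLS/DPI engine began blocking sites. The sketch below checks a directory of PEM copies of such manually uploaded certificates for upcoming expiry with `openssl x509 -checkend`. The directory layout, the function names `expiring_certs` and `make_sample_cert`, and the sample certificates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes one certificate per
# .pem file (openssl x509 reads only the first certificate in a file).

# expiring_certs DIR DAYS
# Prints "file<TAB>notAfter" for every certificate in DIR that is already
# expired or will expire within DAYS days. Unparsable files are reported
# as "unreadable" rather than silently skipped.
expiring_certs() {
    dir=$1
    window=$(( $2 * 86400 ))
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue    # no .pem files in DIR
        # -checkend exits non-zero if notAfter falls inside the window
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
            printf '%s\t%s\n' "$(basename "$pem")" "${end:-unreadable}"
        fi
    done
}

# make_sample_cert DIR NAME DAYS (hypothetical helper)
# Writes a constructed self-signed certificate valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -subj "/CN=$2" -days "$3" -out "$1/$2.pem" 2>/dev/null
}

# Demo on constructed data: only sample-short is inside a 30-day window.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" sample-short 1
make_sample_cert "$demo_dir" sample-long 3650
expiring_certs "$demo_dir" 30
rm -rf "$demo_dir"
```

Run on a schedule against the exported copies, a non-empty result is the cue to fetch and upload the replacement certificate before the old one lapses.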