Some customers and users on sites secured by DigiCert reported that they were getting an untrusted certificate error.
The problem is related to a locally installed legacy intermediate certificate that is no longer used and no longer required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.
UPDATE: So far we’ve seen the issue happen with:
- Clients (mainly OS X) with the expired intermediate installed in their local keychain.
- Server-to-server connections on Windows environments, where one server still has the legacy certificate installed.
Expired Legacy Intermediate Certificate
The expired certificate in question is the “DigiCert High Assurance EV Root CA” [Expiration July 26, 2014, for example] certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices.
This certificate has not been used for over three years and is unnecessary for installations.
From additional information, users affected appear to have the expired intermediate in the ‘login’ keychain or stored locally on their server or in have the expired intermediate installed on a backend server or application.
Fixing the expired intermediate certificate on Mac OS X
The errors on Mac OS X are due to a locally installed intermediate certificate in the login keychain.
OS X users can resolve the issue by deleting the certificate from their Login keystore using Keychain Access.
In Keychain Access go to View -> Show Expired Certs and search for ‘DigiCert High” to find the DigiCert High Assurance EV Root CA that expired on July 26, 2014. Delete this certificate and close Keychain Access.
(Credit to Allen Hancock @yesthatallen for the solution in picture form and others who jumped in with responses)
Repair Intermediate Certificate on Windows, Exchange, ISA, TMG, Lync
If you do not wish to download and run the DigiCert Utility, you can manually delete the DigiCert High Assurance EV Root CA certificate expiring on [July 26, 2014] to resolve this issue. You do not need to reissue your certificate.
Administrators running Windows/Exchange with an ISA server or TMG can run the DigiCert SSL Installation Diagnostics Tool.
Affected servers will produce the warning, “Your server is not sending the right intermediate certificates.” On Windows servers, this can be resolved using the DigiCert Utility.
When the Utility runs on your server, a warning may appear. Click “Action Required” and “OK” to delete the expired intermediate and enable the correct certificate chain. The server will most likely need to reboot for the change to take effect.