New: May 27, 2020

This is an alert for system and service IT administrators regarding a key certificate used with the Sectigo digital certificate service.

The AddTrust root certificate is a trust anchor that is used to enable the authentication and encryption protocol TLS, which, in turn, is used by many other protocols used for network connections between web, email, and other services.

We have discovered that the certificate is expiring on May 30, and this may impact your production services. You may need to take action. Please read this entire advisory.

Protocols that use Sectigo certificates for TLS, such as SMTP (email), LDAPS, Java keystores, and other custom uses, will be impacted, resulting in service failure on May 30 due to the loss of trust in the expired certificate. Services in this category are generally administered by technical support staff and require action to update the certificate chain.

Up-to-date web browser usage is not expected to be affected by this change. Users who connect to secure websites (U of T or all external sites) will not notice a problem unless they are using old, unsupported devices and software. Changes to root certificates in web browsers are managed by automatic updates which occur regularly.

Recommended Actions for Service and Network Administrators:

1. Identify all services that use Transport Layer Security (TLS). Note that web services using HTTPS need not be included. Examples include:

  • Directory Access Protocol (LDAP, Active Directory)
  • Email (SMTPS, IMAPS, POPS)
  • Custom or proprietary connections to third-party services, e.g. business-to-business network connections.

2. Determine if the service relies on the use of the AddTrust root certificate – see references below for assistance. If so, then the entire certificate chain should be replaced.
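One way to carry out step 2 from a shell with the OpenSSL command-line tool (an added example, not part of the original advisory). It assumes an affected chain can be recognised by the string "AddTrust" in a certificate's subject or issuer; the function names and the host mail.example.org are placeholders.

```bash
#!/usr/bin/env bash
# Added example: check whether a certificate chain depends on the AddTrust root.
# Assumption: affected certificates carry "AddTrust" in their subject or issuer.

# Print the subject and issuer of every certificate in a PEM bundle file.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Exit status: 0 = chain references AddTrust (matching lines are printed),
#              1 = no AddTrust reference found,
#              2 = bundle missing or unparsable (never reported as "clean").
uses_addtrust() {
    local listing
    listing=$(list_chain "$1" 2>/dev/null) || return 2
    [ -n "$listing" ] || return 2
    # Servers usually omit the root itself, so an intermediate whose *issuer*
    # is AddTrust is the common hit; match both subject and issuer lines.
    printf '%s\n' "$listing" | grep -i 'AddTrust'
}

# Write the chain a live service presents to stdout as PEM.
# Third argument is optional and selects STARTTLS (e.g. smtp, imap, pop3, ldap).
fetch_chain() {
    local host=$1 port=$2 proto=${3:-}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        ${proto:+-starttls "$proto"} </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Usage (placeholder host names):
#   fetch_chain mail.example.org 25 smtp > chain.pem   # SMTP with STARTTLS
#   fetch_chain ldap.example.org 636     > chain.pem   # LDAPS, TLS from the start
#   uses_addtrust chain.pem && echo "replace the certificate chain"
#   uses_addtrust /path/to/installed-chain.pem         # chain file on the server
```

A status of 2 means the chain could not be read at all, so treat it as "unknown" and re-check rather than as a pass.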


Please Contact: should you have any questions