All asterisk.org (sub-) domains are secured by an SSL/TLS certificate from 
RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That trust 
anchor belonged to Symantec. Since Chrome 70, Google removes all trust in 
former Symantec trust anchors. When you re-issue your certificate, the new 
owner DigiCert is going to give you a certificate chain to a new and still 
trusted anchor, for free: 
<http://products.geotrust.com/orders/orderinformation/authentication.do>

Reasoning:

Google Chrome 70 entered the Developer channel (aka "unstable") 
<http://www.chromium.org/getting-involved/dev-channel> on Friday 
<http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html>
 and therefore is available to Linux users now. Because Asterisk is very much 
developer centric, I expect that several Asterisk users and developers are 
using Google Chrome in that channel. Therefore and because the re-issue is free 
and because you could have gone for it since December already, please, re-issue 
as soon as possible.

Technical Notes:

Enter CSR: If you enter the CSR used by our original order, you do not have to 
change the private key on your server. Only the public certificates must be 
changed.

Hashing Algorithm = SHA-1 root: Your chain is going to resolve to "DigiCert 
Global Root CA". Therefore, I recommend adding the intermediate certificate to 
"Baltimore CyberTrust Root" 
<http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>. This 
gives broader compatibility, even with legacy SSL/TLS clients, at no additional 
cost.

Hashing Algorithm = SHA-256 root: Your chain is going to resolve to "DigiCert 
Global Root G2". Therefore, consider adding the intermediate to "VeriSign Class 
3 Public Primary Certification Authority - G5" 
<http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395> and 
"VeriSign Class 3 Public Primary Certification Authority - G3" 
<https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary Certification 
Authority" (G1) 
<http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>. 
Although those three anchors are not trusted either, up-to-date SSL/TLS clients 
stop at the first trusted anchor in the chain and do not see those older ones. 
This gives the broadest compatibility with legacy platforms. However 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1401384#c10>: "[DigiCert is] 
strongly advising subscribers not to use [this particular] cross-sign and, if 
used, remove [this] cross-sign prior to September 2018 as [DigiCert is] not 
sure how the distrust will impact [this] cross-sign." Therefore, I went for the 
Hashing Algorithm "SHA-1 root" on all my installations.
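To make the chain-building argument above concrete, here is an added model (not code from this post, Asterisk or DigiCert): a client walks the served chain from the leaf upwards and stops at the first issuer its store trusts, so a cross-sign only matters to a client that lacks the newer root. Only subject/issuer links are modelled and no signatures are checked; the leaf, the intermediate name and the trust stores are constructed placeholders, while the root names are the ones discussed in the post.

```python
"""Model of TLS path building: walk a served chain leaf-to-root and stop at the
first certificate whose issuer is in the client's trust store. Subject/issuer
links only; no signature verification (illustration, not a validator)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Root names are those discussed in the post; leaf and intermediate names are
# constructed placeholders, not the real RapidSSL intermediates.
OLD_CHAIN = [                      # chain before re-issue
    Cert("*.asterisk.org", "RapidSSL intermediate (constructed)"),
    Cert("RapidSSL intermediate (constructed)", "GeoTrust Global CA"),
]
NEW_CHAIN = [                      # re-issued chain, "SHA-1 root" option
    Cert("*.asterisk.org", "RapidSSL intermediate (constructed)"),
    Cert("RapidSSL intermediate (constructed)", "DigiCert Global Root CA"),
    Cert("DigiCert Global Root CA", "Baltimore CyberTrust Root"),  # cross-sign
]

# Constructed trust stores. Chrome 70 removes the former Symantec anchor;
# the legacy store predates the DigiCert roots and knows only the older ones.
DISTRUSTED = {"GeoTrust Global CA"}
PRE_DISTRUST = {"GeoTrust Global CA", "DigiCert Global Root CA",
                "Baltimore CyberTrust Root"}
CHROME70 = PRE_DISTRUST - DISTRUSTED
LEGACY = {"Baltimore CyberTrust Root", "GeoTrust Global CA"}


def build_path(chain, store):
    """Return (anchor, subjects_used); anchor is None if no trusted root is reached."""
    by_subject = {c.subject: c for c in chain}
    cur, used = chain[0], [chain[0].subject]
    while True:
        if cur.issuer in store:                  # first trusted anchor: stop here
            return cur.issuer, used
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in used:   # dangling link or loop
            return None, used
        used.append(nxt.subject)
        cur = nxt


if __name__ == "__main__":
    for name, chain in (("old", OLD_CHAIN), ("new", NEW_CHAIN)):
        for store_name, store in (("chrome70", CHROME70), ("legacy", LEGACY)):
            anchor, used = build_path(chain, store)
            print(f"{name} chain, {store_name} client: anchor={anchor}, via={used}")
```

The new chain anchors at "DigiCert Global Root CA" for the Chrome 70 store without ever consulting the cross-sign, while the legacy store walks through the cross-sign to "Baltimore CyberTrust Root"; the old chain fails in Chrome 70 because its only anchor is the distrusted one.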

asterisk-dev mailing list