On 10.12.2020 at 12:53, Phil Townes wrote:
> This issue was highlighted on a number of IT news pages and blogs in the
> week or two prior to the issuing CA expiring. A decent CA should also have
> made contact with their customers.
>
> We were also bitten by this issue as well, so I now have a shell script
> which checks all certificates in a chain for impending expiry. I'm happy
> to share if that would help anyone.

Sorry, I still don't get it. How can a certificate in the chain expire
before the "last" certificate (for the server) expires? That means that a
CA signs customer certificates for a longer period than their own
certificate is valid.

Can this happen? I never saw this with mine. Their validity was shortened
due to the limited validity of the CA's certificate.

Werner

>
> On Wed, 9 Dec 2020 at 10:57, Werner Flamme <[email protected]> wrote:
>
>> On 2020-12-06 at 12:18, SZÉPE Viktor wrote:
>>> Quoting Werner Flamme <[email protected]>:
>>>
>>>> On 04.12.2020 at 16:52, [email protected] wrote:
>>>>> I configured monit to monitor the TLS certificate validity of all of our
>>>>> highly productive websites. To all websites, the unnecessary full
>>>>> certificate (without root CA) was installed. However, on 30th of May
>>>>> 2020 one of the chain certificates (COMODO) ran out of its validity
>>>>> period. Obviously monit only checks for the server certificate, that's
>>>>> why the check did not notice this, and such a check is completely
>>>>> pointless. It led to massive damage to my company, and since I was to
>>>>> deal with monitoring as well as TLS certificates, I had to move on to
>>>>> find a new job.
>>>>
>>>> I do not understand why a server certificate is valid longer than any of
>>>> the intermediate certificates. Has the COMODO intermediate certificate
>>>> been revoked or did it reach its valid date?
>>>>
>>>
>>> Hello Werner!
>>>
>>> It was a transition to another signing root.
>>> PKI is a changing landscape.
>>> Google for COMODO 2020 cross-signing.
>>
>> Hello Viktor,
>>
>> so, the intermediate cert was valid when the change happened. How would
>> one monitor this change in advance?
>>
>> I think, in such cases you have to be awake personally. You should have
>> gotten information beforehand, issued by COMODO. You should've had time
>> to renew and change the certificates. I do not see how to get monit to
>> warn you here.
>>
>> Werner
>>
>> --
>>
>

--
Werner Flamme, Dept. WKDV
SAP Certified Technology Associate for NetWeaver/Oracle
Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
Permoserstr. 15 - 04318 Leipzig / Germany
Tel.: +49 341 235-1921 - Fax +49 341 235-451921

Information pursuant to §§ 37a HGB, 35a GmbHG:
Registered office: Leipzig
Registration court: Amtsgericht Leipzig, commercial register no. B 4703
Chair of the Supervisory Board: MinDirig'in Oda Keppler
Scientific Managing Director: Prof. Dr. Georg Teutsch
Administrative Managing Director: Dr. Sabine König
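
A whole-chain expiry check of the kind this thread discusses, added here as an illustration: it is not Phil Townes's script and not part of monit. The function name `check_chain_expiry`, its exit codes and the 30-day default window are assumptions of this example; it uses only the `openssl x509` options `-subject`, `-enddate` and `-checkend`.

```shell
#!/bin/sh
# Added example: test EVERY certificate in a PEM bundle (server certificate
# plus intermediates) for expiry, not just the first one in the file.

# check_chain_expiry BUNDLE [DAYS]
#   Prints one "OK"/"EXPIRES" line per certificate in BUNDLE.
#   Returns 0 if no certificate expires within DAYS days (default 30),
#           1 if at least one does, 2 if BUNDLE is unusable.
check_chain_expiry() {
    bundle=$1
    days=${2:-30}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per BEGIN/END CERTIFICATE block;
    # any text outside those blocks is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    failing=0
    for pem in "$tmpdir"/cert*.pem; do
        if [ ! -e "$pem" ]; then
            echo "no certificates found in $bundle" >&2
            rm -rf "$tmpdir"
            return 2
        fi
        subject=$(openssl x509 -in "$pem" -noout -subject)
        enddate=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "OK      $subject ($enddate)"
        else
            echo "EXPIRES $subject ($enddate)"
            failing=$((failing + 1))
        fi
    done
    rm -rf "$tmpdir"
    if [ "$failing" -gt 0 ]; then return 1; fi
    return 0
}

# Usage: check_chain_expiry /path/to/fullchain.pem 30
```

Because the splitter skips everything outside the certificate blocks, the saved output of `openssl s_client -connect HOST:443 -showcerts </dev/null` can be passed as the bundle to check what a server actually sends.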
