In case you missed it, on May 30th, a root certificate expired.
This made a lot of applications very unreliable, and has been widely regarded as a bad move.
Well, alright, what was regarded as a bad move was that applications became unreliable in the specific circumstances involved here.
When you connect to a server (web site or application) over SSL/TLS, the server has to send your client (browser or application) its Certificate.
The client then uses this Certificate to build a path back to a signing authority (a root) that it, or its operating system, already trusts.
Some servers like to help this process out, by sending a chain along with the Certificate, for a couple of reasons: the client may not have the intermediate CA certificates that link the server's Certificate to a root, or the root itself may be one the client has never heard of.
This second situation is what we're interested in here. A new root appears, new certificates are issued, and old clients refuse to honour them because they don't have the new root in their trust store.
This is fixed with "cross-signing": an older, trusted root issues a certificate for the new root's key (a cross-certificate). The server sends that cross-certificate in its chain, so the older client sees a chain that ends in the older root it already trusts, and the connection is accepted.
Older root certificates expire. It took 20 years, but it finally happened at the end of May to this one root certificate, "AddTrust External CA Root".
When that happens, a client that builds its own certificate chain, using the server's certificates only as candidates and stopping at the first root it trusts, is happy, because the path it finds (leaf, intermediate, the newer "USERTrust RSA Certification Authority" root) contains only certificates that are valid and trusted. The expired cross-certificate is simply never used.
A client that takes the certificate chain as supplied by the server, without building its own, sees that the chain ends in an expired certificate and refuses to connect, because it treats the entire chain as untrusted. Older OpenSSL (1.0.2 and earlier) is the best-known example of this behaviour. Note also that a client whose trust store has only the old AddTrust root, and not the newer one, fails either way, since the only path it can build runs through the expired cross-certificate.
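To make the difference between the two kinds of client concrete, here is an added example (not code from this post, and not the author's C# tool) that constructs a miniature version of the situation with Go's standard library: an old root that expired yesterday, a new root, a cross-certificate for the new root's key signed by the old root, an issuing CA and a leaf for the made-up host www.example.test. It then reports which certificates in the server-presented chain are expired, and runs Go's path builder as a "client" that trusts the new root, and again as one that trusts only the old root. All names, validity periods and keys are constructed on the spot, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed stand-in for the AddTrust situation: an old root that
// expired yesterday, a newer root, a cross-certificate for the new root's key
// signed by the old root (so it expired with it), an issuing CA and a leaf.
type PKI struct{ OldRoot, NewRoot, Cross, Inter, Leaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for pub using signer, the private key belonging to parent.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func ca(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// BuildPKI creates the five certificates relative to now; all names are made up.
func BuildPKI(now time.Time) PKI {
	day, year := 24*time.Hour, 365*24*time.Hour
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldK, newK, interK, leafK := key(), key(), key(), key()
	oldT := ca(1, "Old Root CA", now.Add(-20*year), now.Add(-day)) // expired yesterday
	oldRoot := issue(oldT, oldT, &oldK.PublicKey, oldK)
	newT := ca(2, "New Root CA", now.Add(-10*year), now.Add(18*year))
	newRoot := issue(newT, newT, &newK.PublicKey, newK)
	// Cross-cert: the new root's subject and key, issued by the old root, so it
	// cannot outlive the old root and is expired as well.
	cross := issue(ca(3, "New Root CA", now.Add(-10*year), oldRoot.NotAfter), oldRoot, &newK.PublicKey, oldK)
	inter := issue(ca(4, "Issuing CA", now.Add(-5*year), now.Add(5*year)), newRoot, &interK.PublicKey, newK)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now.Add(-day), NotAfter: now.Add(90 * day),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return PKI{oldRoot, newRoot, cross, inter, issue(leafT, inter, &leafK.PublicKey, interK)}
}

// Presented is what a server still configured with the legacy chain sends.
func (p PKI) Presented() []*x509.Certificate { return []*x509.Certificate{p.Leaf, p.Inter, p.Cross} }

// ExpiredIn lists the certificates in a chain that are past NotAfter.
func ExpiredIn(chain []*x509.Certificate, now time.Time) (out []*x509.Certificate) {
	for _, c := range chain {
		if now.After(c.NotAfter) {
			out = append(out, c)
		}
	}
	return out
}

// ClientChain behaves like a client that builds its own path: the presented
// certificates are only candidate intermediates and the path must end at a
// root in trusted, so an expired cross-cert is skipped when another path exists.
func ClientChain(leaf *x509.Certificate, presented, trusted []*x509.Certificate, now time.Time) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots,
		Intermediates: inters, CurrentTime: now})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	for _, c := range ExpiredIn(p.Presented(), now) {
		fmt.Printf("expired in presented chain: %q issued by %q\n", c.Subject.CommonName, c.Issuer.CommonName)
	}
	built, err := ClientChain(p.Leaf, p.Presented(), []*x509.Certificate{p.NewRoot}, now)
	fmt.Println("client trusting the new root:", len(built), "certs, err =", err)
	_, err = ClientChain(p.Leaf, p.Presented(), []*x509.Certificate{p.OldRoot}, now)
	var inv x509.CertificateInvalidError
	fmt.Println("client trusting only the old root:", err, "| expired:", errors.As(err, &inv) && inv.Reason == x509.Expired)
}
```

The presented chain carries one expired certificate (the cross-cert), the client that trusts the new root builds a three-certificate path that never touches it, and the client that trusts only the old root gets an expiry error, because the only path it can find runs through the cross-cert. The same comparison against a live server is what the tool described in this post automates.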
The two links I provided earlier are well worth a read if you're interested in solving this problem, and really, I've got nothing to add to how this issue occurred, why it's a problem, how to address it at your server, or any of those fun things.
What I do offer is a tool for .NET Core (Windows, Linux, and presumably Mac) that lets you compare the certificate chain as presented by the server against the certificate chain built by a client. It reports whether any certificate in either chain has expired. It's written in C#, built with Visual Studio, and takes one parameter – the site to which it will connect on port 443 to query for the certificate and chain.
Itâ€™s not a very smart tool, and it makes a few assumptions (though itâ€™s relatively easy to fix if those assumptions turn out to be false).
But it has source code, and it runs on Windows, Linux and (presumably â€“ havenâ€™t tested) Mac.
Working against the sites listed at http://testsites.test.certificatetest.com/, we get the following results:
First: https://aaacertificateservices.test.certificatetest.com/ – Certificate issued from a CA signed by AAA Certificate Services root.
Interestingly, note that the certificate chain in the stream from the server doesn't include the root certificate at all, but the root is present in the chain the client library builds for this server.
Second: https://addtrustexternalcaroot.test.certificatetest.com/ – Certificate issued from a CA signed by AddTrust External CA Root.
The certificates here expired on 5/30/2020, and it's no surprise that we see this result in both the chain provided by the server and the chain built by the client. Again, the root certificate isn't actually in the chain the server provided in the stream.
Third: https://addtrustaia.test.certificatetest.com/ – Certificate issued from a CA signed by USERTrust RSA Certification Authority with a cross cert via AIA from AddTrust External CA Root.
Nothing noteworthy here, but it's included for completeness. I don't do anything in this code for an AIA cross cert, which a client would have to fetch for itself from the URL in the issuing CA's Authority Information Access extension.
Fourth, and most importantly: https://addtrustchain.test.certificatetest.com/ – Certificate issued from a CA signed by USERTrust RSA Certification Authority with a cross cert via server chain from AddTrust External CA Root.
Hereâ€™s the point of the tool â€“ itâ€™s able to tell you that thereâ€™s a certificate in the chain from the server that has expired, and may potentially be causing problems to visitors using an older browser or client library.
By now, youâ€™ve had enough of reading and you want to see the code â€“ or just run it. Iâ€™ve attached two files â€“ one for the source code, the other for the executable content. I leave it up to others to tell you how to install dotnet core on your platform.
Let me know if, and how, you use this tool, and whether it achieves whatever goal you want from it.