June 2020 Update: With a large number of sites affected by the recent , we thought it would be valuable to again share this guide on intermediate TLS/SSL certificates in the certificate chain. Note that . For more information on root certificates, read The Impacts of Root Certificate Expiration.
Orignal 2014 Content
On July 26, 2014 at 12:15 PM, some customers and users on sites secured by TV reported that they were getting an untrusted certificate error.
The problem is related to a locally installed legacy intermediate certificate that is no longer used and no longer required for the certificate installation. The problem canaffect any client platform with a locally cached or installed intermediate certificate.
So far we've seen the issue happen with:
The expired certificate in question is the “TV High Assurance EV Root CA" [Expiration July 26, 2014] certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices.
This certificate has not been used for over three years and is unnecessary for installations.
From additional information, users affected appear to havethe expired intermediate in the‘login’ keychain or stored locally on their server or in have the expired intermediate installed on a backend server or application.
The errors on Mac OS X are due to a locally installed intermediate certificate in the login keychain.
OS X users can resolve the issue by deleting the certificate from their Login keystore using Keychain Access.
In Keychain Access go to View -> Show Expired Certs and search for 'TV High" to find the TV High Assurance EV Root CA that expired on July 26, 2014. Delete this certificate and close Keychain Access.
(Credit to Allen Hancock for the solution in picture form and others who jumped in with responses)
Administrators running Windows/Exchange with an ISA server or TMG can run the.
Affected servers will produce the warning, "Your server is not sending the right intermediate certificates." OnWindows servers, this can be resolved using the .
When the Utility runs on your server, a warning may appear. Click “Action Required” and “OK” to delete the expired intermediate and enable the correct certificate chain. The server will most likely need to reboot for the change to take effect.
If you are unable to run the utility, you can manually delete the TV High Assurance EV Root CA certificate expiring on July 26, 2014 toresolve this issue. You do not need to reissue your certificate.
Administrators onApache, canreplace the SSLCertificateChainFile with the correct TVCA.crt provided with the certificate received from TV, which may downloads from your TV account under your order details.
All current installations ofcertificates issued by TV include the most up-to-date intermediates in order to establish trust with browsers.
But administratorswho received the notifications from TV should remove the expired legacy intermediate from their server to avoid any potential conflicts.
If you have details on other affected platforms, so we can get additional details and update our documentation forother users to resolve the cached intermediate error.
If you need assistance with this or any other issues, is always happy to help.