IMPORTANT INFORMATION
 

First of all, we would like to apologize for what may seem like a late update, but we wanted to be sure that the guide/information below was as accurate as possible.

As you are probably aware, we/GlobalSign experienced an internal process issue (details below) that may have impacted your business. While we have identified the cause, we deeply apologize for the problems this is causing you, and we want to assure you that we are actively resolving the issue.

GlobalSign manages several root certificates and, for compatibility and browser ubiquity reasons, provides several cross-certificates between those roots to maximize the effectiveness across a variety of platforms. As part of a planned exercise to remove some of those links, a cross-certificate linking two roots together was revoked. CRL responses had been operational for 1 week; however, an unexpected consequence of providing OCSP responses became apparent on October 13th: some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.

GlobalSign has since removed the cross-certificate from the OCSP database and cleared all caches. However, the global nature of browsers and CDNs and the effectiveness of caching continued to push some of those responses out as far as end users. End users cannot always easily clear their caches, either through lack of knowledge or lack of permission. New users (visitors) are not affected, as they will now receive good responses.

The problem will correct itself as the cached responses expire, but this can take several hours or even days, which we know is not ideal. In the meantime, GlobalSign has provided an alternative issuing CA for you to use instead. It is issued by a different root that is not affected by the cross-certificate that was revoked, offers the same ubiquity, and does not require you to reissue your certificate.

Before updating any of your Intermediate certificates, please try to flush your DNS and OCSP cache on affected machines – this can be done in 3 steps:

  • STEP 1

Shut down any programs and/or browsers running on the machine.
 

  • STEP 2

Run this command in CMD (Command Prompt):

ipconfig /flushdns
 

  • STEP 3

Run this command in CMD (Command Prompt):

certutil -urlcache ocsp delete

If the problem still occurs, you’ll need to replace your current intermediate certificate with the one listed on this page:

https://www.trustzone.com/revocation-errors-troubleshooting-guide 
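To judge how long a cached OCSP response of the kind described above can keep being served, the following added example (not code from GlobalSign or TRUSTZONE) reads the text that `openssl ocsp ... -resp_text` prints and reports the certificate status and the time left until Next Update. The function names are hypothetical and the sample response is constructed; it assumes a single response in the input.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl ocsp ... -resp_text` output; every value is invented.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Oct 13 10:00:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0123456789ABCDEF
    Cert Status: revoked
    Revocation Time: Oct  7 00:00:00 2016 GMT
    This Update: Oct 13 10:00:00 2016 GMT
    Next Update: Oct 17 10:00:00 2016 GMT
"""

FIELD = re.compile(r"^\s*(Serial Number|Cert Status|This Update|Next Update):\s*(.+?)\s*$")


def parse_time(value):
    """Parse OpenSSL's 'Oct  7 00:00:00 2016 GMT' form into an aware UTC datetime."""
    parts = value.split()  # split() also collapses the padding before one-digit days
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError(f"unexpected time format: {value!r}")
    return datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def cache_outlook(resp_text, now):
    """Summarise one OCSP response: its status and how long a cache may keep serving it."""
    fields = {}
    for line in resp_text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # keep the first response only
    if "Cert Status" not in fields or "This Update" not in fields:
        raise ValueError("no single response found in input")
    next_update = parse_time(fields["Next Update"]) if "Next Update" in fields else None
    # Without Next Update the response carries no expiry time of its own.
    hours_left = None if next_update is None else max(0.0, (next_update - now).total_seconds() / 3600)
    return {
        "serial": fields.get("Serial Number"),
        "status": fields["Cert Status"],
        "this_update": parse_time(fields["This Update"]),
        "next_update": next_update,
        "hours_left": hours_left,
        "still_cacheable": next_update is not None and now < next_update,
    }


if __name__ == "__main__":
    print(cache_outlook(SAMPLE, datetime.now(timezone.utc)))
```

A "revoked" status with `still_cacheable` true means clients holding that response can keep failing until the reported Next Update unless their cache is flushed.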
 

NOTE

Domain SSL corresponds to TRUSTZONE Express SSL

Organizational SSL corresponds to TRUSTZONE Business SSL

Alpha SSL corresponds to TRUSTZONE Basic SSL

EV SSL certificates were not affected, hence they are not mentioned in this update.

If you need any assistance in performing any of the tasks mentioned above, please do not hesitate to contact us.

For more information, see https://support.globalsign.com/customer/portal/articles/2599975-ocsp-revocation-errors-faq

 

Kind regards
 

TRUSTZONE A/S
Langebrogade 5
Copenhagen K

support@trustzone.com
+45 88 33 10 00