Trustzone

Revocation errors troubleshooting guide

14.10.2016

OCSP Revocation errors troubleshooting guide

Note: This guide is intended for TRUSTZONE customers only.
Note: Please consult GlobalSigns FAQ here for more information.
Note: Basic SSL ICA's (intermediates) is now available below

If you are an end user trying to connect to an affected site please follow the instructions here to clear your cache. 
 

GlobalSign, our SSL provider manages several root certificates and for compatibility and browser ubiquity reasons provides several cross-certificates between those roots to maximize the effectiveness across a variety of platforms. As part of a planned exercise to remove some of those links, a cross-certificate which allows a certificate to chain to an alternate root was revoked. CRL responses had been operational for 1 week, however an unexpected consequence of providing OCSP responses became apparent this morning, in that some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.

GlobalSign has since removed the cross-certificate from the OCSP database and cleared all caches. However, the global nature of CDNs and effectiveness of caching continued to push some of those responses out as far as end users.  End users cannot always easily clear their caches either through lack of knowledge or lack of permission. New users (visitors) are not affected as they will now receive good responses. The problem will correct itself in 4 days as the cached responses expire, which we know is not ideal. However, in the meantime, GlobalSign will be providing an alternative issuing CA for customers to use instead, issued by a different root which was not affected by the cross that was revoked but offering the same ubiquity.

Action matrix

The table below outlines the recommended course of action dependent on your certificate type.

Product  Recommended course of action
Basic SSL         Replace your current intermediate certificate with the AlphaSSL CA - SHA256 - G2 listed below
Express SSL Replace your current GlobalSign intermediate certificate with the SHA-256 Custom R3 certificate listed below.
Business SSL Business SSLReplace your current GlobalSign intermediate certificate with the SHA-256 Custom R3 certificate listed below.
EV SSL No impact to EV SSL certificates, no action needed.

Installation steps

These steps will be the same for all certificate types but will vary depending on your server type.

For Apache please reference the new intermediate certificate listed below in the config file, for full installation instructions please press here

For Tomcat please reissue your certificate, during installation, please import the intermediate for your product listed below into your key store, for full installation instruction please press here. When installing for Tomcat you will need to reference the root certificate as well, its important to note that for the new intermediate certificate this would be the GlobalSign Root R3.

For IIS please import the new intermediate certificate found below and then remove the current intermediate certificate from the systems store. You may need to need unbind and rebind your certificate for these changes to take effect, for full installation instructions please press here. (Is this not working for you? try the alternate method explained in the GlobalSign FAQ)
 

Certificate creation

To get your certificate into a format usable by your server, please copy all of the characters including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags for the applicable intermediate below, paste this into a text editor and save the file with an extension of .cer, or .crt. 

 

Basic SSL

-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIOSMqBefg+ikLz9c3isT8wDQYJKoZIhvcNAQELBQAwTDEg
MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2Jh
bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTYxMDE0MDAwMDAwWhcNMjQw
MjIwMTAwMDAwWjBMMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu
di1zYTEiMCAGA1UEAxMZQWxwaGFTU0wgQ0EgLSBTSEEyNTYgLSBHMjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANoB7OTsc2D7fo9qt8YX45JkMtSsANmi
D7nt7muKhsqSZ9l0111HAjyPQNaebRTNw9opOacPBQpoomYaHsSyi3ZY5atdHY9A
szmL7x6DfSLQ46kALuxTz2IZhUQoTMAny3sO7BBkABCkBcygcr5BbDFbSOSx7Lkj
61VN0H1iSqW0paRZhcUlkab+pgmfBhBtj4EMZEBecwCa4C5lmFQQAHCYyOHtNF/Y
nMcNwNYjWUX8/lV6hu6UYCLxrtHmVUb2mcUbCHRfrLBkhI+JOByhp5AhTwJuveBh
Z9T4QocPCvfJBG0qqS/vQqXf3aNT25gegfmacnta3k8+f6JYoOIXrWcCAwEAAaOC
ASkwggElMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
DgQWBBT1zdU8CFD5ak86t5faVoPmadJo9zAfBgNVHSMEGDAWgBSP8Et/qC5FJK5N
UPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9v
Y3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4YlaHR0
cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+MDwG
BFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20v
cmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAFsnfA30jsQHf3U8XxeJUHhV
EpESFSNyt7yf/zboXTvy7RG7hgFugyWfcS4WIhHIy9yYoTfSuFCj73Clc6x62EP7
5ros/YN38Q7zjaJKdSdJJ5+9Kq4fFQ5itED807y5maAzrMG4indOACzP9swinQ7C
daRO4z00bN2CKgJd4S0wQ6hQYqodPYLoRVZI2yqAxNGBI0DozuwiIQpYLPMk/Rza
vArdFMtyyKsWVCgQnRBCIS7AXUHHQcCasd5fg3WhZSLJRInEXALy4k5bGxjtNeby
CV/akHyNQxN+Lw3E4hxAT4wK0emK+UOQP3RbzWnljGbrVy56GKcQupSlAkclrDo=
-----END CERTIFICATE-----

Express SSL

-----BEGIN CERTIFICATE-----
MIIEXDCCA0SgAwIBAgILBAAAAAABMYnGQlgwDQYJKoZIhvcNAQELBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwODAyMTAwMDAwWhcNMjIwODAy MTAwMDAwWjBgMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTE2MDQGA1UEAxMtR2xvYmFsU2lnbiBEb21haW4gVmFsaWRhdGlvbiBDQSAtIFNI QTI1NiAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqd3MDrPi MjndSSKoE2mTh4jhDO5xfb2Qh5ZdWfLMs9JYV1f5Ru9sJtg2Qo5+MLMvmj5Tex9u tqJMRR880xWTHIntPPRX3sq97AaaaiqgGVJ/UdF0OQifq+vXhhMVl642w1RmDlry oHOFMeOyZBRq/6WijiS7vYVSFaJ57vC17j249H2AvNmQNWW4F6mts5ifoH59bvs/ rXzCG1k2lto3MktLXTUCY47bp89i7swu1I3JvTxqkXKiIqdyLSDR+so32hiY5hYk cSVLxOV7iVIJAv1ZKwRuygeB1LPa2tvjzICoVgcGfJYIN53bOLZiNJFiB3QBONhy MOLrkHEmYsBX8wIDAQABo4IBKTCCASUwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB /wQIMAYBAf8CAQAwHQYDVR0OBBYEFOpOfNSALeUVgYYmjIJtwJikz5cPMEcGA1Ud IARAMD4wPAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxz aWduLmNvbS9yZXBvc2l0b3J5LzA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3Js Lmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjMuY3JsMD4GCCsGAQUFBwEBBDIwMDAuBggr BgEFBQcwAYYiaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL3Jvb3RyMzAfBgNV HSMEGDAWgBSP8Et/qC5FJK5NUPpjmove4t0bvDANBgkqhkiG9w0BAQsFAAOCAQEA asQTEbudYOYIgMIwjjpyB5oIB0XIrKrD85MGzbyWwKt7IzfBYFPvJPpKhbGSET9Y Z3RAFBWwLNQme7DAeGM3MedBUDL/h2VtRi9mFsJ3cjffjB2ynXz79WmNDEGDBeXD CDhdCaUwUQzemQAYJFATZ9U956HDXbA92Ho3wqPeCzxXJmuY/hfAUdEL8BdEK71i gPIuTWgRjCLvlHt4p7WbguowPW2xYzOsZvok9lOdICfAXHRETYzo2yBAhQDmbSaf dzhT8XdnuiJ3yEW84eLFJqSi6NDOgmdMyXg/4ntqs5XUwfpSfUQaAuXxScCedcp3 IAITFUgbBl1wm7duUhuklQ==
-----END CERTIFICATE-----

Business SSL

-----BEGIN CERTIFICATE-----
MIIEYjCCA0qgAwIBAgILBAAAAAABMYnGRMkwDQYJKoZIhvcNAQELBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwODAyMTAwMDAwWhcNMjIwODAy MTAwMDAwWjBmMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTE8MDoGA1UEAxMzR2xvYmFsU2lnbiBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBD QSAtIFNIQTI1NiAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA xw5sPyOTf8xwpZ0gww5TP37ATsKYScpH1SPvAzSFdMijAi5GXAt9yYidT4vw+Jxs jFU127/ys+r741bnSkbZEyLKNtWbwajjlkOT8gy85vnm6JnIY0h4f1c2aRoZHVrR 1H3CnNR/4YASrnrqiOpX2MoKCjoSSaJiGXoNJPc367RzknsFI5sStc7rKd+kFAK5 AaXUppxDZIje+H7+4/Ue5f7co6jkZjHZTCXpGLmJWQmu6Z0cbTcPSh41ICjir9Qh iwHERa1uK2OrkmthCk0g7XO6fM7+FrXbn4Dw1ots2Qh5Sk94ZdqSvL41+bPE+SeA Tv+WUuYCIOEHc+ldK72y8QIDAQABo4IBKTCCASUwDgYDVR0PAQH/BAQDAgEGMBIG A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJbeYfG9HBYpUxzAzH07gwBA5hp8 MEcGA1UdIARAMD4wPAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5n bG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzA2BgNVHR8ELzAtMCugKaAnhiVodHRw Oi8vY3JsLmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjMuY3JsMD4GCCsGAQUFBwEBBDIw MDAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL3Jvb3Ry MzAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpjmove4t0bvDANBgkqhkiG9w0BAQsF AAOCAQEAugYpwLQZjCERwJQRnrs91NVDQPafuyULI2i1Gvf6VGTMKxP5IfBEreHo FVjb7v3bok3MGI8Nmm3DawGhMfCNvABAzDlfh2FRbfSV6uoVNT5AhcBi1aE0/niq qLJaOfM3Qfuc6D5xSlvr+GlYoeDGk3fpumeS62VYkHBzQn2v9CMmeReq+qS7meVE b2WB58rrVcj0ticRIXSUvGu3dGIpxM2uR/LmQlt4hgVhy5CqeYnfBH6xJnBLjUAf hHvA+wfmyLdOkfQ1A+3o60EQF0m0YsinLPLhTI8DLPMWN11n8aQ5eUmjwF3MVfkh gA/7zuIpalhQ6abX6xwyNrVip8H65g==
-----END CERTIFICATE-----