Closed Bug 1763708 Opened 3 years ago Closed 3 years ago

Digicert TLS RSA SHA256 2020 CA1 Untrusted

Categories

(Core :: Security: PSM, enhancement)

enhancement

RESOLVED INVALID

People

(Reporter: doyle.soler, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Steps to reproduce:

Use any certificate issued by Digicert TLS RSA SHA256 2020 CA1 CA.
The CA certificate is not in the included CA certificate list.

Actual results:

Digicert TLS RSA SHA256 2020 CA1 CA, Certificate does not validate.

Expected results:

CA Certificate should be valid. CA Certificate is published by Digicert.

References:
https://www.digicert.com/kb/digicert-root-certificates.htm
Direct Link:
https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem

Included CA Certificate List Reference:
https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport

Group: firefox-core-security → crypto-core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core

Digicert TLS RSA SHA256 2020 CA1 is an intermediate certificate, not a root, as you can see on Digicert's list. Further, it is trusted in Firefox as it is signed by the Digicert Global Root CA. You can test this by visiting a site which uses the certificate, like this one: https://transfer.anbbank.com/

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID

(In reply to doyle.soler from comment #0)

> Actual results:
>
> Digicert TLS RSA SHA256 2020 CA1 CA, Certificate does not validate.

If you're configuring a server that was issued by that intermediate certificate, you need to include that intermediate in the list of certificates sent in the TLS handshake.

Group: crypto-core-security
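
The behaviour described in the comments above, as an added example that is not part of the bug thread or of Mozilla's code: a client that trusts only a root rejects a leaf sent alone and accepts it once the server also sends the intermediate. It assumes the `openssl` command-line tool is installed; the three-level PKI, its names and its file layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed three-level PKI; every name and file here is made up.
set -eu

# Build root -> intermediate -> leaf certificates in directory $1.
build_demo_pki() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the only certificate the verifying client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/demo.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root (the role the intermediate in this bug plays).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -sha256 -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=server.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -sha256 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf against the demo root. $2 (optional) is a PEM file of the
# extra certificates the server sent alongside its leaf in the handshake.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
verify_leaf "$demo_dir" && echo "leaf only: valid" || echo "leaf only: rejected"
verify_leaf "$demo_dir" "$demo_dir/int.pem" \
  && echo "leaf + intermediate: valid" || echo "leaf + intermediate: rejected"
rm -rf "$demo_dir"
```

On a server, the equivalent fix is to configure the certificate file as the leaf followed by the intermediate, so both are sent in the handshake.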