Applies To:
Venafi Trust Protection Platform (TPP) using the Adaptable CA driver for DigiCert CertCentral
Symptom:
At Stage 500 (the stage at which TPP posts the CSR to the CA) the certificate object shows the error "Failed to post CSR with error: The issuing CA is not valid" (see the screenshot below):
Cause:
DigiCert reissued (recertified) seven Intermediate CA certificates (ICAs) to restore correct EV handling in Chrome. Chrome did not display EV certificates chaining to the original ICAs correctly: the certificates were still fully trusted, but Chrome showed them as OV rather than EV. The recertified ICAs have new serial numbers and new ca_cert_id values in CertCentral.
This change breaks DigiCert's Adaptable script for customers who have CertCentral ICA Selection turned on and the corresponding Aperture ICA Custom Field configured: the script sends the ca_cert_id stored in the custom field with each order, and the old ca_cert_id no longer identifies a valid issuing CA in the account, so CertCentral rejects the request with "The issuing CA is not valid" (see the error screenshot below).
Resolution:
Change the value of the ICA Custom Field on the affected certificate objects (or the policy they inherit from) to the ca_cert_id of the recertified ICA (see the table below), then retry the request. Alternatively, DigiCert can revert the account(s) to the original ICA (the ICA in use before the change on June 9th), provided the customer accepts the Chrome behaviour: Chrome fully trusts the previously issued ICAs but does not recognise or display certificates chaining to them as EV.
More Info:
A note from DigiCert:
"We apologize for making this change without giving sufficient notice. After an internal process audit, we found that the two scrum teams that were working on this effort were working toward two different dates; the team that rolled out the change failed to coordinate with other scrum teams or our communications team. We are making internal changes to improve scheduling conflicts for the future, and we are taking preventative measures to make sure this type of negative experience does not happen again."
Details from DigiCert: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html
ICA: DigiCert TLS RSA SHA256 2020 CA1

                     Serial                              Validity                 ca_cert_id
Old ICA              0A3508D55C292B017DF8AD65C00FF7E4    9/23/2020 – 9/23/2030    07917BBEE2368F2B
Recertified ICA      06d8d904d5584346f68a2fa754227ec4    4/13/2021 – 4/13/2031    33621C1BDD0C9357
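Before editing custom fields it helps to know which of the two ICAs a deployed certificate actually chains to, and which certificate objects still carry the old ca_cert_id. The following is an added example, not code from this article, from Venafi or from DigiCert's Adaptable script: it takes the serial numbers and ca_cert_id values from the table above, normalises serials as openssl and DigiCert print them (upper or lower case, colon-separated, 0x-prefixed), and classifies a custom-field value as needing an update or not. The optional PEM helper assumes the `cryptography` package is installed; the `DIGICERT_ICAS` structure and all function names are this example's own.

```python
"""Added example (not part of the Venafi/DigiCert article): check which
DigiCert TLS RSA SHA256 2020 CA1 ICA a certificate chains to and whether the
Aperture ICA custom field still holds the old ca_cert_id. Serial numbers and
ca_cert_id values are taken from the article's table; everything else
(structure and function names) is this example's own."""

from __future__ import annotations

import re

# Values from the article's table. Serials are stored as integers so that any
# textual spelling (case, colons, 0x prefix, leading zeros) compares equal
# after normalisation.
DIGICERT_ICAS = {
    int("0A3508D55C292B017DF8AD65C00FF7E4", 16): {
        "name": "DigiCert TLS RSA SHA256 2020 CA1",
        "status": "old",
        "ca_cert_id": "07917BBEE2368F2B",
        "validity": "9/23/2020 - 9/23/2030",
    },
    int("06d8d904d5584346f68a2fa754227ec4", 16): {
        "name": "DigiCert TLS RSA SHA256 2020 CA1",
        "status": "recertified",
        "ca_cert_id": "33621C1BDD0C9357",
        "validity": "4/13/2021 - 4/13/2031",
    },
}

OLD_CA_CERT_ID = "07917BBEE2368F2B"
RECERTIFIED_CA_CERT_ID = "33621C1BDD0C9357"


def normalize_serial(text: str) -> int:
    """Turn a serial as printed by 'openssl x509 -serial' ("serial=0A:35:..."),
    by DigiCert (lower-case hex) or as "0x..." into an integer."""
    cleaned = text.strip()
    if cleaned.lower().startswith("serial="):
        cleaned = cleaned[len("serial="):]
    cleaned = cleaned.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = re.sub(r"[\s:]", "", cleaned)
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(f"not a hex serial: {text!r}")
    return int(cleaned, 16)


def classify_issuer(serial_text: str) -> dict:
    """Map the serial of the issuing ICA to old / recertified / unknown,
    together with the ca_cert_id the custom field must hold for it."""
    info = DIGICERT_ICAS.get(normalize_serial(serial_text))
    if info is None:
        return {"status": "unknown", "ca_cert_id": None}
    return dict(info)


def custom_field_action(custom_field_value: str) -> str:
    """Decide what to do with the Aperture ICA custom field of one certificate
    object: 'update' if it still holds the old ca_cert_id, 'ok' if it already
    holds the recertified one, 'review' for anything else (another ICA, a
    typo, an empty field)."""
    value = custom_field_value.strip().upper()
    if value == OLD_CA_CERT_ID:
        return "update"
    if value == RECERTIFIED_CA_CERT_ID:
        return "ok"
    return "review"


def issuer_serial_from_chain(pem_chain: bytes) -> str:
    """Return the serial (upper-case hex) of the certificate in a PEM chain that
    issued the leaf (the first certificate). Requires the 'cryptography'
    package; it is imported lazily so the other helpers work without it."""
    from cryptography import x509  # assumed to be installed

    blocks = re.findall(
        rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_chain, re.S
    )
    certs = [x509.load_pem_x509_certificate(b) for b in blocks]
    if not certs:
        raise ValueError("no certificates found in input")
    leaf = certs[0]
    for candidate in certs[1:]:
        if candidate.subject == leaf.issuer:
            return format(candidate.serial_number, "X")
    raise LookupError("the issuer of the leaf certificate is not in the chain")


if __name__ == "__main__":
    # Constructed inputs: the two serials from the table in different spellings.
    for serial in ("serial=0A:35:08:D5:5C:29:2B:01:7D:F8:AD:65:C0:0F:F7:E4",
                   "06d8d904d5584346f68a2fa754227ec4"):
        print(serial, "->", classify_issuer(serial)["status"])
    print("custom field 07917BBEE2368F2B ->", custom_field_action("07917BBEE2368F2B"))
```

Typical use: run `openssl x509 -in ica.pem -noout -serial` on the intermediate your servers currently send (or pass the full PEM chain to `issuer_serial_from_chain`), feed the result to `classify_issuer`, and compare the returned `ca_cert_id` with what `custom_field_action` reports for the certificate object's ICA custom field. Serial normalisation matters here because DigiCert publishes the recertified serial in lower case while openssl prints upper-case, colon-separated hex; a plain string comparison would silently report "unknown".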