Error: "Failed to post CSR with error: The issuing CA is not Valid" at stage 500

Applies To:

Venafi TPP using the adaptable DigiCert driver

Symptom:

At Stage 500 you may see the error message "Failed to post CSR with error: The issuing CA is not valid".

Cause:

DigiCert reissued 7 Intermediate Certificates (ICAs) to provide backwards compatibility with Chrome. Chrome does not display EV certificates correctly when using these specific ICAs; they are still fully secured but are displayed as OV instead. 

This specific ICA change breaks DigiCert’s Adaptable Script for customers who have CertCentral ICA Selection turned on with corresponding Aperture ICA Custom Fields configured.

Resolution:

The ICA Custom Field will need to be changed to the new ca_cert_id (see below). Alternatively, DigiCert can revert the affected account(s) to the original ICA (the ICA in use before the change occurred on June 9th), provided that the customer understands the Chrome compatibility issue. Chrome fully trusts the previously issued ICAs but does not recognize or display their certificates as EV.

More Info:

A note from DigiCert:

"We apologize for making this change without giving sufficient notice. After an internal process audit, we found that the two scrum teams that were working on this effort were working toward two different dates; the team that rolled out the change failed to coordinate with other scrum teams or our communications team. We are making internal changes to improve scheduling conflicts for the future, and we are taking preventative measures to make sure this type of negative experience does not happen again."

 

Details from DigiCert: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html

New ICA: DigiCert TLS RSA SHA256 2020 CA1
New Serial: 06d8d904d5584346f68a2fa754227ec4
Old Serial: 0A3508D55C292B017DF8AD65C00FF7E4

Old ICA validity: 9/23/2020 – 9/23/2030
ca_cert_id for old ICA: 07917BBEE2368F2B

Recertified ICA validity: 4/13/2021 – 4/13/2031
ca_cert_id for recertified ICA: 33621C1BDD0C9357
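To confirm which copy of the intermediate a chain or certificate export actually contains, its serial has to be compared against the two serials listed above, and tools print serials in different forms (this page itself lists one in lowercase and one in uppercase). The following Python sketch is an added example, not DigiCert or Venafi code; the function names and the sample input strings are constructed for illustration.

```python
import re

# Serials of "DigiCert TLS RSA SHA256 2020 CA1" exactly as listed on this page.
ICA_SERIALS = {
    "06d8d904d5584346f68a2fa754227ec4": "new",
    "0A3508D55C292B017DF8AD65C00FF7E4": "old",
}

def normalize_serial(raw):
    """Return a serial as uppercase hex without prefix, separators or leading zeros."""
    if isinstance(raw, int):  # e.g. the integer serial exposed by an X.509 library
        return format(raw, "X")
    text = raw.strip()
    # Drop labels such as "serial=" or "Serial Number:" that tools print before the value.
    text = re.sub(r"(?i)^serial(\s*number)?\s*[=:]\s*", "", text)
    text = re.sub(r"(?i)^0x", "", text)
    text = re.sub(r"[\s:]", "", text)  # colon- or space-separated byte pairs
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError(f"not a hexadecimal serial: {raw!r}")
    return text.upper().lstrip("0") or "0"

# Normalize the page's values once so mixed case and leading zeros never cause a miss.
_KNOWN = {normalize_serial(s): label for s, label in ICA_SERIALS.items()}

def classify_ica(raw):
    """Return 'new', 'old' or 'unknown' for an intermediate's serial in any common form."""
    return _KNOWN.get(normalize_serial(raw), "unknown")

# Constructed sample inputs showing the same two serials in different notations.
SAMPLES = [
    "serial=0A3508D55C292B017DF8AD65C00FF7E4",
    "06:d8:d9:04:d5:58:43:46:f6:8a:2f:a7:54:22:7e:c4",
    "0a 35 08 d5 5c 29 2b 01 7d f8 ad 65 c0 0f f7 e4",
    int("06d8d904d5584346f68a2fa754227ec4", 16),
    "Serial Number: 01",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!s:50} -> {classify_ica(sample)}")
```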

 
